Modernizing Authentication — What It Takes to Transform Secure Access
Strong authentication today typically involves the use of multiple mechanisms that are often mutually independent and not always interoperable.
This week the Fast IDentity Online Alliance (FIDO) officially launched with a promise to usher in a new era of strong authentication interoperability and usage models. Nok Nok Labs, a security startup led by the former CEO of PGP that just raised $15 million in a funding round, is among the vendors supporting the effort.
"The idea is to build a strong authentication protocol," said Phillip Dunkelberger, CEO of Nok Nok Labs.
Today usernames and passwords are the foundation of user authentication. The FIDO Alliance plans to build out a way to use strong authentication elements that already exist today, including biometric devices and TPM chips, in order to augment or replace username/password combinations.
Enabling the FIDO approach requires code on the server side of the equation to access and integrate with the existing strong authentication components. That's where Nok Nok Labs comes into the picture. The company was created to validate the trust and security of the underlying strong authentication device components.
New Slant on Online Authentication
For a PayPal user, for example, the flow works like this: a merchant system can trigger the transaction if the FIDO protocol is present on the user's system. PayPal then presents the logged-in user with an option to use FIDO. The user can swipe a fingerprint to activate it and use it to access PayPal for future transactions.
The back-end FIDO protocol pings the end-user system, whether that system is a phone, a desktop, a tablet or a notebook, Dunkelberger noted. The protocol then reports what is available back to the relying commerce server. The relying server decides whether it wants to use any of the strong authentication components that may be present on the device.
For example, if a consumer uses a biometric fingerprint reader in a FIDO environment, a shared secret, unique to that user and that device, is placed on both the user's device and the back-end system.
"There is then a three-way binding between the user, the device and the back-end, and all three need to be present the next time you use PayPal," Dunkelberger said.
So in the PayPal example, once a user has enrolled using the FIDO approach, he or she can log into PayPal with the fingerprint reader rather than submitting a username and password.
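The discovery, enrollment and login steps described above can be seen end to end in the following small model. It is an added illustration written for this page, not code from the FIDO Alliance, Nok Nok Labs or PayPal: the relying party pings a device for its authenticators, decides whether any is acceptable, enrolls a per-user, per-device secret held on both sides, and later verifies a challenge-response over that secret, so the user (fingerprint swipe), the device (its stored credential) and the back end (its stored binding) all have to be present. The `Device` and `RelyingParty` classes, the authenticator names and the HMAC-based challenge-response are assumptions made for the example; the article describes a shared secret, which is what is modelled here (the published FIDO specifications register a per-user, per-device public key instead, but the shape of the exchange is the same).

```python
"""Toy model of the FIDO-style enrollment and login flow described in the
article. Illustrative only: not the FIDO specification, and not vendor code.
Constructed inputs: a relying party called paypal.example and three devices.
"""

import hashlib
import hmac
import secrets


class Device:
    """An end-user device carrying some strong-authentication components."""

    def __init__(self, device_id, authenticators):
        self.device_id = device_id
        self.authenticators = set(authenticators)  # e.g. {"fingerprint", "tpm"}
        self._credentials = {}  # (relying_party_id, username) -> enrolled secret

    def report_capabilities(self):
        """What the back end's 'ping' learns about this device."""
        return sorted(self.authenticators)

    def store_credential(self, rp_id, username, secret):
        self._credentials[(rp_id, username)] = secret

    def sign_challenge(self, rp_id, username, challenge, user_verified):
        """Answer a login challenge. The local authenticator (the fingerprint
        swipe) gates release of the secret; that step is modelled by the
        `user_verified` flag."""
        if not user_verified:
            return None
        secret = self._credentials.get((rp_id, username))
        if secret is None:
            return None  # this user was never bound to this device
        msg = rp_id.encode() + b"|" + username.encode() + b"|" + challenge
        return hmac.new(secret, msg, hashlib.sha256).digest()


class RelyingParty:
    """The commerce back end (PayPal in the article's example)."""

    def __init__(self, rp_id, accepted_authenticators):
        self.rp_id = rp_id
        self.accepted = set(accepted_authenticators)
        self._bindings = {}  # (username, device_id) -> enrolled secret

    def choose_authenticator(self, device):
        """Decide whether any component the device reports is acceptable."""
        for kind in device.report_capabilities():
            if kind in self.accepted:
                return kind
        return None

    def enroll(self, username, device):
        """Create the three-way binding: secret stored on device and back end."""
        kind = self.choose_authenticator(device)
        if kind is None:
            return None
        secret = secrets.token_bytes(32)
        self._bindings[(username, device.device_id)] = secret
        device.store_credential(self.rp_id, username, secret)
        return kind

    def authenticate(self, username, device, user_verified=True):
        """Challenge-response login; True only if user, device and binding agree."""
        secret = self._bindings.get((username, device.device_id))
        if secret is None:
            return False  # back end holds no binding for this user/device pair
        challenge = secrets.token_bytes(16)  # fresh per login, defeats replay
        response = device.sign_challenge(self.rp_id, username, challenge, user_verified)
        if response is None:
            return False
        msg = self.rp_id.encode() + b"|" + username.encode() + b"|" + challenge
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def demo():
    """Run the flow over constructed devices and report each outcome."""
    rp = RelyingParty("paypal.example", accepted_authenticators={"fingerprint", "tpm"})
    phone = Device("phone-1", {"fingerprint"})
    laptop = Device("laptop-1", {"tpm"})
    old_pc = Device("pc-0", set())  # nothing FIDO can use
    enrolled_with = rp.enroll("alice", phone)
    return {
        "enrolled_with": enrolled_with,                          # "fingerprint"
        "no_authenticator": rp.enroll("alice", old_pc),          # None
        "same_user_same_device": rp.authenticate("alice", phone),            # True
        "same_user_other_device": rp.authenticate("alice", laptop),          # False
        "other_user_same_device": rp.authenticate("bob", phone),             # False
        "no_fingerprint_swipe": rp.authenticate("alice", phone, user_verified=False),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The three failing cases in `demo()` are the point of the "three-way binding" quoted above: the right user on an unenrolled device, a different user on the enrolled device, and the enrolled device without the local fingerprint swipe all fail, because each removes one of the three parties from the check.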
PayPal already has an option available to users for two-factor authentication. In the PayPal two-factor model, users enter their username/password and are then required to enter a unique number that is generated from the two-factor authentication token. The key difference with the FIDO approach is that users don't have to rely on a token that has been provided by PayPal.
"So instead of having to ship a physical token device to a user, the user can use any token they already have that supports the FIDO protocol," Dunkelberger said.