This year marks the fifth anniversary of the FIDO standard, and this week, one of its key partners Nok Nok Labs announced the new version of its S3 Authentication Suite, which includes support for the FIDO2 standard and the W3C Web Authentication Standard – WebAuthn.
Nok Nok Labs president and CEO Phil Dunkelberger said that when the initial group met five years ago and the name FIDO was an initial placeholder - standing for ‘Fast Identity Online’ - there was little sight that in 2018, there would be over 400 companies with FIDO-certified products, “and now W3C is saying this should be in every browser and endpoint.”
“Nok Nok Labs was born from six months of due diligence, and after our initial funding we were determined that we could build it and make it a scalable product,” he said. “From there we stood up an industry working group, and that became the FIDO Alliance,” he added.
“So what is new? Well breaches are still happening, and are worse than ever and the main cause of the breach is credentials that allow you to go in and infiltrate and actors who introduce malware and take information.”
Last week saw more discussion on authentication, with the announcement of the WebAuthn standard. Dunkelberger explained that it is led by the W3C group and the FIDO Alliance, and described it as “what happens when standards bodies work together as they can support each other’s work.”
WebAuthn is designed to handle web authentication on the internet, allowing passwords to be replaced with token-based credentials, or through mobile devices. Speaking on the Risky Business podcast, Duo Security’s James Barclay and Nick Steele explained that WebAuthn works when a user signs up for an account with a website and creates a new key, and the next time you log in they can use an existing authentication protocol instead to log into that service – such as FaceID or a one-time password from a token.
Steele said: “WebAuthn is the emerging standard pushing us towards a password-free world. One of the core components to the WebAuthn spec is the support of biometric authenticators, like smart phones with fingerprint readers, for registering and logging into sites on the web.
“As biometrics become more widely used and normalized by the general public, WebAuthn will allow vendors to provide a safer and more secure method for login than passwords. This could help lead to a reduction in password-associated phishing, the effectiveness of password database breaches, and make users safer online.”
This standard was developed in coordination with the FIDO Alliance, and is a core component of the FIDO2 Project.
Dunkelberger said: “You put FIDO in the mix and you’ve got the ability to do plug and play, to distribute endpoints for hardware and software tokens – now they are just in the browser which opens us up from business-to-partner to business-to-whoever. Now you really open it up to the enterprises who were either doing it as an app, or in the browser.”
Dunkelberger claimed that the WebAuthn standard was demanded as people wanted authentication for the browser, and for more FIDO products. “Our reason for change is because things have gotten worse, and the complexity has gotten worse as far as implementation of devices and the number of authenticators,” he said.
As for the new version of the S3 Authentication Suite, Dunkelberger explained that this tells you how to take your client software and make it FIDO enabled and this includes support for various types of authenticators and interfaces with back-end support to vendors who do identity, device authentication and endpoint authentication.
“We’ve added a bunch of nice-to-haves to feed your existing systems, but from a scale, management and distribution of keys operational policy, this is the fifth version of our server,” he said. “Nok Nok Labs has done all of the work to allow you to deploy this at scale, we built server, client code, policy management and deep security knowledge to be able to deploy FIDO and integrate it into your existing systems.”
So where does FIDO go next? Dunkelberger said he saw it going to embedded wearable authentication, but mainly with the ability to do more as you know who your endpoint customer is.
The next release of the Nok Nok S3 Authentication Suite, due in Q2 2018, will deliver secure, phishing-resistant, privacy-conscious authentication and a password-less user experience that works across any application, any platform and any authenticator – biometric, token or wearable.
As for WebAuthn, the significance of the launch cannot be underestimated if adoption is seen.