As the race toward a passwordless future gains speed and superior security alternatives gain traction, it has become clear that the connected economy will reach its full potential only after the lowly string of alphanumeric characters is laid to rest once and for all.
Not only are these friction-filled identifiers often stolen or forgotten, but the requirement that they also be input, time and again, across scores of login pages we frequent daily only increases the odds of a mishap.
Nok Nok CEO Phil Dunkelberger told Karen Webster in an interview that we’re moving ever closer toward truly secure logins, done with biometrics and even voice.
Standardization is key, and the interoperability of strong authentication technologies must be in place to ensure a seamless experience. It’s not enough for red flags to be raised when someone is trying to transact or interact with a site. Just injecting friction in the process doesn’t solve anything.
On The Lookout For Good
As he said of banks and merchants pivoting to the digital age, and even the telcos and other big firms that want to introduce financial services into the mix: “If they don’t get ‘on it’ quicker with digital transformation, there is going to be a problem.”
Yet simply improving the user experience as we wield devices to do our banking across mobile channels is only part of the process. The enterprises need to know that they can trust the person on the other end of the transaction — the one they can’t see.
Dunkelberger told Webster that risk signals are out, and assurance signals are in. And assurance signals (not to mention standardization) are an integral part of the FIDO protocol that can reduce friction when authenticating users. (Nok Nok was a founding member of the FIDO Alliance, in which FIDO stands for Fast IDentity Online.)
Simply put, the whole idea of modern, strong authentication rests with figuring out — in a play on the Nok Nok company name — who’s there.
“When we started working on what ultimately became the FIDO protocols, the people we [at Nok Nok] were talking to said, ‘We understand risk signals. We understand geolocation moves — if you’re not where you are supposed to be, or a device is different from the one used previously.’”
What people ultimately want is a signal that definitively states in real time, no matter the endpoint or device, that you are who you say you are.
The overall vision has been to craft an authentication protocol that would work with everything “that was already there,” said Dunkelberger, on any device, any application, any user and any user expectation.
As to the journey itself toward ubiquitous authentication that includes biometrics and more, many of the regulatory hurdles have been overcome. A broad swath of tech giants is on board, including Apple, Google and others. PSD2 may have had, and still is experiencing, a stutter-step in becoming reality. (In the U.K., the Financial Conduct Authority or FCA has pushed compliance deadlines for merchants out another six months.)
In the decade behind us, it’s been easy to overestimate the willingness of people and companies to fix the problem, to spend the time and money necessary to eradicate the password.
(And, per Dunkelberger: It’s taken five years for the standards bodies to come together and agree. And no one moves in lockstep unless there is a surety that everyone will move and adopt the standard.)
But we’re getting there, hastened by the great digital shift and by the huge costs of data breaches.
Dunkelberger said a number of big banks in Asia have wholeheartedly embraced the protocol that Nok Nok has built. Over the past several years, Samsung and PayPal have tapped Nok Nok for biometric authentication, and Alipay has used payment authentication for its mobile wallet.
No matter the use case, or the user, it’s been critical to make it easy to log in while at the same time providing better security, he said. It’s a tough balancing act, so tough that a majority of digital transformations fail. (Banking apps, especially, come up short when it comes to usability, he pointed out.)
Dunkelberger told Webster that we’re nearing a tipping point toward strong authentication and assurance signals, as firms’ innovation teams are grappling with the challenges and costs of data breaches. At least some risk and security experts have chafed that the FIDO protocol has “gored their ox.” Their thinking is changing from the groupthink that no one likes passwords, but they work. (In reality, noted Webster, they don’t.)
The Catalysts
Then there’s the catalyst tied to the fact that cable companies and telcos are seeking to embed payments and other functionality in a bid to improve customer count and average revenue per user (ARPU). These firms, and FinTechs and banks, are going to depend on developing economies for their growth as they branch into loans, credit cards and all sorts of adjacencies. Those economies are unburdened by traditional legacy infrastructure or the ways of the internet simply because they don’t have devices. Yet.
In other words, there are billions of consumers who have no idea what a password is, said Dunkelberger, so why tell them?
The FIDO protocol, he said, allows users to “future proof at scale,” expanding to include biometrics, yes, but neural networks and even speakers too.
“You don’t want your dev teams to be continually affected by something new,” he said of authentication. “You want to just be able to plug it in and say, ‘Yep, we’re ready.’ … If all we’ve done is make a user interface faster and better, but we don’t make the experience of the transaction completely better, that’s not a good thing.”
He said future applications of the FIDO protocol will blossom beyond eCommerce and will expand into healthcare, as well as the transference of sensitive data and payments. Standardization and strong authentication will lead to a federated, strong assurance signal across all manner of ecosystems.
“That’s where I see the future of identity,” said Dunkelberger. “Not only is it a single sign-on to a bunch of systems and we make it faster. If I know ‘who’s there’ I can give you goods and services without having to check and recheck” identities.