Aviva Zacks of Safety Detective had a chance to sit down with Walter Beisheim, chief business development officer at Nok Nok (pronounced “knock knock”). She found out about how Nok Nok and the FIDO Alliance are changing the cybersecurity landscape for the better.
Safety Detective: How did you get into cybersecurity, and what do you love about it?
Walter Beisheim: I’ve been in information technology for a number of decades, and for the past 20 years, I have been in telecommunications, infrastructure, and online security. What I really like about it is that, like many other information technology areas, it’s constantly changing. The good news is that we are always getting better, and the bad news is that the bad guys are also always getting better… and the bad guys are also very well-funded, but I love working in this space.
SD: What are some of the industries that use Nok Nok’s technology and why specifically those industries?
WB: The two major industries are online financial services and mobile network operators. The reason that people utilize our technology is that while there are a number of cyberthreats out there, the most recent significant cyberthreat is the ability to acquire and use millions of usernames and passwords to perform fraudulent acts. Nok Nok got together with PayPal and Lenovo initially six years ago to form the “FIDO Alliance.” FIDO stands for “fast identity online.” Our objective was to come up with a new way of providing online security by authenticating users in a manner that was not susceptible to the vulnerability of having your username and password stolen by phishing or man-in-the-middle attacks. FIDO addresses all these things that we’ve been trying to put band-aids on for the last 10 years. It deals with them in a very new way and addresses the frustration of users being required to remember and maintain the security of their dozens of usernames and passwords.
SD: How does Nok Nok Labs protect customers from the threat?
WB: The FIDO standard, which is an industry standard adopted by major players in the market including Microsoft, Google, MasterCard, and Visa, has certain principles—for example, the use of a cryptographic key pair exchange between a relying party server and your device. So there’s always a secure device binding, and on top of that, there is the use of something called an authenticator. A common authenticator is a fingerprint reader on your mobile device, and that provides something referred to as MFA, multi-factor authentication. Our solution allows a relying party—for example, the merchant, bank, or mobile network operator—to implement those capabilities in a very convenient and scalable fashion, and provide that security to their customers in an industry-standard way.
SD: What do you feel is the number one threat in cybersecurity today?
WB: The number one threat in cybersecurity today is the malicious acquisition of usernames and passwords by criminals. When we’re talking about consumers and private individuals, our biggest exposure is having our identity compromised and our financial assets stolen. The primary method criminals use to accomplish those privacy invasions and the associated fraud is utilizing weak authentication capabilities or stealing authentication credentials like usernames and passwords. And that’s what Nok Nok and the FIDO Alliance are all about solving.
SD: Can you touch a little bit on IoT?
WB: I’m glad you brought that up because the FIDO standard, approach, and methodology that is used for making sure that when you are communicating with your bank, it is indeed you and the phone that you registered, can also be used to secure IoT device communications. When you connect to that IoT device, that same technology can be used to authenticate a user to a cloud service, a device to a cloud service, or a device to another device. So, in other words, this FIDO architecture is excellent when it comes to a human communicating with the service. It’s also excellent when it comes to a human authenticating that device in order to configure it. Furthermore, it is also extremely effective in securing device-to-device, or device-to-cloud service communications.
Beyond the device-to-device capabilities, 18 months ago, we put a demo together with Cap Gemini to secure smart speaker transaction requests. The basis of the demo was how to ensure that when someone wants to utilize a service on a smart speaker, they are the individual that has the right to utilize that service. In that demonstration, the user was trying to book a room, and before the booking could be completed, there was a push notification sent to the user’s cell phone. The user then rendered his or her fingerprint to authorize the booking of the room.
We know that Amazon wants you to order things using your Alexa. Then the question is, “How do you verify that the person who places the order owns the account or has the right to process the payment?” FIDO capabilities can be used to authorize those payments today.
All of those use cases and all of those categories can benefit from authentication between stakeholders, devices, services, and people. And ultimately a person is responsible for authorizing a service, accessing, or changing sensitive information. If that person is authenticated to that service or device, that creates additional security in terms of how that device or that service is controlled.
SD: How do you feel that the cyber threat landscape is going to change in the next five years or so?
WB: I think it’s going to continue the way that it has already been developing over the last 10 years. The combination of a number of tactics used by fraudsters, some of which are technical and some of which are socially engineered, will continue to become more formidable. Just like you and I do our job to make money and provide for our well-being, fraudsters and cybercriminals do their job to provide for their well-being as well. So, it really is an ongoing tug of war between the good guys and the bad guys. Make no mistake about it—the bad guys are well-financed and they’re well-organized. And we as an industry continue to become smarter, more focused, and more capable of diverting these threats. The introduction of password-less authentication utilizing FIDO is going to become a part of our lives going forward.
In my opinion, the next five years are going to be the most significant in terms of threat aversion technology that’s introduced to the market, and most of it is going to happen without the user changing their behavior. Apple did a study in the United States, and they found that Apple users in the US use either their Face ID or Touch ID 90 times per day on average. We know that what people use for security varies from geography to geography, but in general, there is a tendency towards the use of biometrics globally. If you’re already using your fingerprint or faceprint to log into your mobile app, you may not necessarily be using technology as secure as FIDO. The good news is that when your service provider switches to a FIDO-compliant solution, the user’s experience will not change at all. Only the security of their information and their assets will change for the better.