On the occasion of the recent one year anniversary of the historic OPM breach, which resulted in the compromise of millions of fingerprints, Mobile ID World president Peter O’Neill had a chance to speak with Phillip Dunkelberger, CEO, Nok Nok Labs. The conversation, which was recorded before MWC Shanghai, is an in-depth discussion on the role of strong authentication, encryption, and protocols (including FIDO) in a digital world where massive databases of credentials are attractive targets for hackers.
Read the full interview below:
Peter O’Neill, President, Mobile ID World (MIDW): What a year this has been for our industry, so many advances, but it was just one year ago that the massive OPM (US Federal Government Office of Personnel Management) breach occurred. Can you review what has transpired since then to solve future breaches? For example, the creation of the National Investigation and Background Bureau?
Phillip Dunkelberger, CEO, Nok Nok Labs (NNL): The OPM breach and why it was so egregious is in large part because it was a scalable attack on a biometric database. Identity is now the new currency, and being able to sell not only your data, but actually now being able to sell something like a fingerprint can be extremely dangerous. So if I look at what happened at OPM, I don’t look at the anniversary of the OPM breach as a low or high water mark. I look at it as a continuing trend where we don’t take the proper steps to protect the information, that is where the industry is today. Whenever sensitive data, such as usernames/passwords, biometrics, etc., is collected in a centralized repository, that pool of data is a massively attractive target for hackers. I had a number of friends and colleagues who had their credentials stolen during the breach, and this was a totally avoidable event that should never happen again. Just look at April’s Philippine Commission on Elections breach as another example of this failed approach to protecting sensitive data.
Unfortunately, research shows that the OPM and a number of other people in the government had been warned about the security risks that they ran, and I start to wonder if this is just a force of will issue. Creating another agency to handle the information doesn’t do anything but transfer the burden to other people, just like in most companies security is somebody else’s problem. It’s not my problem, it’s somebody else’s problem, it’s the CISO’s problem, it’s the guy at the security desk’s problem, but it isn’t my problem.
MIDW: What role does encryption need to play in this area do you think?
NNL: Well, encryption has always been kind of a last man on the wall. This is my perspective coming from my many years working with PGP Corporation in two different stints and working with governments, large enterprises, SMBs and consumers. People were worried about encryption, but interestingly enough they were usually only worried about one aspect of encryption. They would come and say, “We have a problem with email.” 95 percent of everything that you end up with on your computer are attachments to emails. There are downloads of some information, usually from email and people would have an email problem.
The good news is that systems have gotten faster, there is much more computing power in your hands than you ever have had before and encryption overhead isn’t what it used to be. If I steal your credentials, including your encryption keys, it doesn’t matter that they are encrypted because now I have the keys to the lock. So, if you don’t marry strong encryption with strong authentication, those two steps, you are still very vulnerable.
That is why, after I left PGP, I was essentially retired and saw what became [the Fast IDentity Online Alliance, or FIDO]. You have seen what has happened with the industry with FIDO and yet you now see compliance drivers like PSD2 in Europe where they are saying two factor authentication is going away and you see NIST talking about it in its latest missives that SMS one time passcodes should not be used for security anymore because they are unsafe, they can be intercepted and spoofed. You again have dedicated, smart hackers that figure out ways to be the spy-versus-spy to overcome the obstacles put out by companies and individuals today. Given the advent of FIDO and then these compliance drivers like PSD2 in Europe and NIST telling the industry to move away from SMS passcodes, organizations need to rethink architecturally what they are doing. This primarily involves looking at strong encryption married with multifactor authentication in a variety of forms—i.e. in motion, in use, at rest. While FIDO is about authentication, encryption is in FIDO’s DNA since one of the founders was Taher Elgamal, who invented the most used encryption protocol, which is of course SSL.
MIDW: What do you make of the US Government just announcing that they are moving away from the CAC card? I remember talking about CAC about 15 years ago with the DOD.
NNL: Yes 15 years ago! Okay and why are they going away from it? One, usability issues first and foremost and secondly security issues. Right?
We just published a PwC Legal paper authored by Stuart Room, one of the best solicitors in the world on this topic. I went to him and asked, “What are the privacy implications here?” The four pillars of FIDO are better security, better usability, lower costs, and better privacy. Because the biometric information never leaves your device, you are not handing your keys to somebody in the cloud. On the privacy front, we asked PwC Legal to look into the topic and they came back with a great paper. One of the things you see is that biometrics are becoming increasingly more popular – it’s estimated by 2019 that 92 percent of all cell phones, even the low end ones, will have some sort of biometric capability. If that is the case, and you’re looking at biometrics and doing business globally, what are the privacy implications and the laws you need to consider? One of the things they said is to avoid building these big databases of biometric information, full circle back to OPM, where you have a big attack surface where people can steal your data. Let’s not make the same mistake we have made with username and password databases when it comes to biometric databases.
If you are already using biometric databases for border control and those things, you really need to up your game on protecting them and who has access to them. Again, you can encrypt them but if I steal those keys, if I steal your credentials and if in that carry I get your passphrase, not just your username and password, but if I end up getting a passphrase that you use, I can now unlock the encryption. So, it is a multi-part problem. It comes back to this: we’ve got to quit playing whack-a-mole. That is back to when you were talking about encryption, are you talking about network encryption, file encryption, hard disk encryption, are you talking about storage encryption, are you talking about database encryption? And the answer is, they should probably try to use some or all of those to get defense in depth for sensitive information.
I can give you story after story of people who I ask, is your intellectual property encrypted and secure? And somebody is going to say absolutely. I saw an incident of one of the biggest companies in the world, where a contractor had taken one of their data stores that had their [intellectual property] on it, their core jewels of the company, the reason the company was in business, and they had inadvertently structured a connection to it. Do you know how many people had been able to connect to that server, when they finally shut it off? Twenty-two thousand connections! And they didn’t even know it because a contractor had misconfigured the setup.
So you go back to Larry Ponemon’s data that is out there today and you connect it with the anniversary of the OPM breach, to me it is more of the same. To me it is force of will, to me it is people begging for governments to come in and not only tell you that they are going to but how to do it. I just saw in the state of Tennessee that they are not going to give you a safe harbor if you encrypt the data because now we are going to start telling you what level of encryption, how to encrypt, how to manage the keys. I ask you, do you really want governments around the world telling everybody how to run their business? No, that is a bad idea.
MIDW: FIDO has been around now for many years and it has tremendous growth, you have something like 200 certified products out there. Maybe you could focus on FIDO for a second, what is happening there now?
NNL: FIDO has had tremendous growth. Every 3-6 months FIDO has performed another round of certifications. In Asia and in Europe where privacy is a big issue for people, not just data security but privacy, they had privacy laws well in advance of the United States. In terms of usability, deploying organizations have realized that the more you stack in front of a user the less commerce you get. The interesting thing is that FIDO’s first premise is ease of use. If you can use a biometric or a selfie snap or secure passphrase because it is using public private keys, that is why we have had such a great number of people flock to the idea of FIDO.
FIDO took more than a year to stand up and get a 1.0 spec that people could deploy. They are arriving at the [FIDO UAF] 1.3 version for which people are building new products. The biggest vendors in the world, Google, Microsoft at the end point, the biggest products from Lenovo, to Intel, to Qualcomm all have a FIDO framework built in and are starting to be deployed. We have deployed this thing at scale having millions of users. We are not sticking our foot in a puddle, we are sticking our foot in the deep Pacific Ocean when we are putting these things out there. That is what the people demanded that we support.
We have delivered. We at Nok Nok, and other members at the FIDO Alliance, have delivered on what we said we would do. Hundreds of endpoints, hundreds of different authenticators can plug and play—heartbeats, biometrics, any of the other things you want that you can come up with. I’m sure there will be a DNA authenticator at some point. You can use [FIDO] for physical security and logical security. You can use it from the cloud, you can use it for the internet of things. FIDO provides a very good protocol for the world to have.
MIDW: You know, Phil I think the conversations are starting to escalate. I’m going to Shanghai to chair the cyber security panel at Mobile World Congress with 70,000 of my closest colleagues. For sure I will be raising these issues. As people like you and I get out there in the marketplace and start to talk more about it, I am starting to see a lot of change actually. Over the last two years especially.
NNL: It takes thinking about the problem differently. FIDO thought about solving plug-and-play strong authentication differently. Let’s not have every guy who comes with his new authenticator have to custom code that authenticator into an application or back end systems. You risk creating a tower of Babel for every device to whatever back end system. With a new device you have to start over again or they’ve changed the protocol that they used internally and now I have to redo the new protocol. Why don’t we have a standard protocol like we did for SSL? That was the whole premise when I started to go out and talk to people about FIDO.
That is how we’ve advanced. Why did we do Ethernet? Because it was a standard way for plug and play in offices. Why did we do SSL? A standard way to do e-commerce. Why did we do FIDO as a protocol? Why did I take five patents that we owned at Nok Nok Labs that are based on the protocol preceding FIDO UAF that Ramesh Kesanupalli and his team were developing? Why did I take those and give them to the industry? Because one company wasn’t going to change the world. It was going to take a village and then it was going to take a big village globally to say this is where it is going.
If you look in Europe, PSD2 is going to drive multi factor authentication to FinTech. Financial services, typically highly regulated, telcos and other highly regulated industries tend to be the guys that worry about security the most.
MIDW: It is so interesting talking with you Phil especially around this very important anniversary and congratulations on all the work that the FIDO Alliance is doing. Thank you for taking the time to review what is going on in the industry.
NNL: Thank you for the opportunity and thank you for supporting FIDO. You guys have been great not only supporting the biometric part of FIDO but FIDO period. Too many people today are saying, well FIDO is just a biometric protocol. No, FIDO is an authentication protocol. Let’s be clear that it does biometrics and a whole bunch more. Let’s be clear that it wasn’t built by one company, it was built by a whole bunch of really smart people that care about solving the problem for the industry. The biggest proof of that is the people that compete every day in the marketplace that are supporting FIDO. There is an old adage in industry that architecture wins—FIDO is the better architecture.
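As an added illustration that is not part of the interview and not Nok Nok Labs’ or the FIDO Alliance’s own code, the Go sketch below shows the public/private key property Dunkelberger describes: the private key is generated on the device and never leaves it, the server stores only public keys, and a fresh challenge is signed on each login. The names Server, DeviceSign and the user "alice" are assumptions, and P-256 ECDSA over a random nonce is a simplification of the real FIDO UAF message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Server keeps only public keys. A stolen copy of this map lets nobody log in,
// unlike a leaked password or biometric-template store (the OPM lesson above).
type Server struct{ users map[string]*ecdsa.PublicKey }

// Register stores the device's public key; the private half never leaves the device.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// Challenge is a fresh random nonce, so a captured signature cannot be replayed.
func (s *Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; a failure here would be fatal in a real service
	return c
}

// Verify checks the signature over the challenge against the stored public key.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.users[user]
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// DeviceSign is the authenticator's side: sign locally (after a biometric or PIN unlock on a real device).
func DeviceSign(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Demo returns legit (enrolled device logs in), replay (old signature passes a new
// challenge) and thief (holder of the stolen server store, without the device, logs in).
func Demo() (legit, replay, thief bool) {
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // lives only on the device
	srv := &Server{users: map[string]*ecdsa.PublicKey{}}
	srv.Register("alice", &dev.PublicKey)
	c1 := srv.Challenge()
	sig, _ := DeviceSign(dev, c1)
	legit = srv.Verify("alice", c1, sig)
	c2 := srv.Challenge()
	replay = srv.Verify("alice", c2, sig)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // holds only alice's public key
	sig2, _ := DeviceSign(attacker, c2)
	thief = srv.Verify("alice", c2, sig2)
	return
}
```

Demo is expected to return true, false, false: only the enrolled device can answer a challenge, and nothing in the server's key store helps an attacker who copies it.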