Peter O’Neill, President, Mobile ID World (MIDW): Can you please give our readers a bit of a background about Nok Nok Labs?
Phillip Dunkelberger, President and CEO, Nok Nok Labs (NN): Nok Nok Labs was actually created by the founder of what is now known as the FIDO Alliance, Ramesh Kesanupalli. He had been working on this idea for a number of years and got together with a number of former contacts to talk about what it would mean to have a common plug and play protocol for strong authentication. He then had the idea of what would it mean if you had a single solution versus having to write protocols for all different types of multifactor authentications. He started talking with Michael Barrett, who at the time was the CISO for PayPal, and they pulled in other contacts and started an informal working group. It was out of that working group that they realized they probably needed to form a start-up that could create a product that could turn on strong authentication.
MIDW: Was that back in the 2009-10 time frame?
NN: That was in 2009 and it was in the beginning of 2011 timeframe when the group said we should go see if we can go get a company started to go make an attempt to take these ideas and some of the demonstration code that we’d been working on and to really see if we could build it and build it in scale because scale was going to be really important. So that was the synthesis of their thinking that led to the creation of Nok Nok Labs. I liken it in my career to when Bob Metcalfe left Xerox to go and start 3Com Corporation in Santa Clara at the beginning of the Ethernet era. You know you needed somebody to really go out to try and create a standard and actually build things that people could test and deploy. And that was the genesis of the idea of starting a company that is now Nok Nok Labs.
MIDW: FIDO officially became an industry alliance just this year in the February timeframe and has seen rapid growth from a number of different areas, MasterCard, Microsoft, Google and a host of other companies joining. What do you feel is driving this growth?
NN: Well I think the catalyst for this growth is we are trying to solve a major problem. Devices have gotten more powerful and smaller. We are now using the interface of a smartphone to do complicated computing jobs. All of these tools have certain interface characteristics that require a rethinking on how to use them from an ease-of-use standpoint whether it is gesturing or tapping or swiping. But that whole idea of the evolution of the user interface is just one of the driving forces. How do we take friction out of using smartphones for common computing jobs like purchasing on the Internet? Well instead of authenticating two or three times by typing in complicated usernames and passwords, why don’t we use something simple like a biometric or a voice print – something a lot easier to remember and something a lot easier to enter on these types of devices.
MIDW: So that sort of lends into some information that I was reading, that Nok Nok Labs stresses that the old adage of authentication as being either, simple and weak or complex and strong, can no longer apply.
NN: Yes, and it doesn’t really fit a modern architecture of computing with regards to what people want to do with applications on these new devices. It has been a long time coming and biometrics have been out there for a long time and they are a great form of authentication for most people. There are numerous ways to use different types of biometrics; from your heart beat to iris scan to the blood vessels in your eyes to your fingerprint. Fundamentally, it is a combination of things that people want to be able to turn on based on risk. So it is the risk profile that takes you into the security profile. These things are great for ease-of-use but the key is how do we implement them? We have to implement them securely because the businesses providing services out on the Internet are liable in many cases for the services they provide, for things like privacy, for the security of people’s information, for transaction security, so creating this stronger vibrant ecosystem that is easier to use needs to fit everybody in the ecosystem. So that was the idea and the genesis behind what we are doing to implement those ideas at Nok Nok Labs.
MIDW: Much of the positive press around FIDO has to do with how authentication standards can make m-commerce and financial transactions easier and more secure. How can FIDO help in other fields that will be adopting strong authentication methods like health care, etc.?
NN: Well I think you have hit on a big one. I think things that people hold most personal such as financial information, medical records, other types of personal transactions, government transactions, IRS information etc., — stronger authentication is needed in those ecosystems. For example, medical records have payers, payees, suppliers, distributors and that ecosystem would benefit greatly if it had a stronger, call it the “first mile of capability,” a consistent way of securely communicating to end users using standards-based authentication across different ecosystems so they didn’t have the problem of different passwords, different ways to authenticate etc. We are talking to a number of those providers. MedImpact, as you saw, joined the FIDO Alliance, they are joining because they look at the whole payment system — where you are getting drugs from the pharmacies and how a lot of those drugs are moving sideways in that distribution system which is creating a lot of problems. So from the pharmacy people who are entering information it would be better if they had a stronger first signal like a fingerprint reader. A recent study showed that about 90% of pharmacies at their end points have computer systems that have biometrics on them. So that is a natural way to upgrade automatically by using FIDO on all of these systems that beforehand were just using usernames and passwords.
MIDW: It’s very interesting because as you are describing this health care area, Michael Barrett, the FIDO chairman was at a gathering of biometric folks in Tampa recently where we held an executive summit with him, but also speaking at that event was Dr. John Halamka from the Harvard Medical School and he was describing the BYOD nightmare he lives with and he has 15,000 units that he is responsible for and he hasn’t bought a single one of them and how do you secure all of that. He was very pro biometrics and how it might help, but it ties in nicely with what FIDO is doing as well.
NN: You hit on something that is really interesting about the BYOD phenomenon and biometrics and other strong authentication methods. You are basically saying to people, we are doing that from a cost standpoint. For years and years people weren’t called to log into the corporate network off of devices at all. Of course that created security issues especially in the area of malware and viruses because you didn’t have any control over those end points. Your kid was on it in the earlier afternoon playing hangman with malware- or virus-infected code that they had downloaded from the internet. So the evolution of bringing your own device is not new but interestingly enough to me the real opportunity to reduce costs is if you put a FIDO protocol in that common ‘plug and play’ you can make that first BYOD authenticator much stronger and have more fidelity from a risk standpoint. So you know who is on it at the keyboard, it’s not somebody that shouldn’t be on it at home or being used elsewhere and that certainly mitigates a lot of what I’ll call the role-based overhead of users bringing their devices onto the network. It’s always been out there, but with FIDO for the first time you can do ‘plug and play’ with things that are on your network. It’s not much different than when you let consumers touch parts of your network for CRM and other things. It is a very similar analogy to what enterprises and service providers have been doing for the past ten to fifteen years on the Internet when they implement people being able to touch edges of their network.
MIDW: Phillip, I could talk to you all day about this … it is just so fascinating the direction that you are heading in and how quickly it is all moving is very important. Could I ask you to look down the road a little bit and give us a view on what you see two years down the road and how fast all of this will start to have an impact?
NN: In some ways, not to be cheeky, but that’s like asking me how fast the wind will blow. I guess it depends on where you are and the implementation. I think it goes to constituencies.
MIDW: Well you know there are other drivers in play here; Apple with their fingerprint sensor has certainly raised the awareness of ease of use and having some security on your phone. But also there will be more announcements coming soon talking about these. There are so many drivers pushing rapid change.
NN: Let’s talk about the drivers firsthand. The first drivers I think you are going to see are the popularity of something like the Apple announcement, something easier to use. People are very frustrated with usernames and passwords; we know that, all the studies show that. I think that people are very concerned about their privacy. The whole Apple debate wasn’t about the ease of use or security, it was really about privacy.
Then I think you get to a big driver which is cost. Right now one of the big things that has held up the distribution of lots of multifactor authentication devices, especially biometrics, is the cost of deployment. It’s not dissimilar to when we started doing WIFI and the first big cost in WIFI was that you had to get some sort of WIFI dongle and plug it into your PC. Phones and that stuff didn’t even exist with WIFI at that point because it wasn’t built in – there wasn’t enough technology to do that yet. But over a period of years, those dongles became essentially enveloped by the end point devices. This is exactly where we see FIDO heading. So I think you have a chicken and egg issue to begin with but that is starting to break down. You have all these drivers in the marketplace and the ultimate driver for the Relying Parties is cost.
MIDW: Thanks for spending some time with us today.
NN: My pleasure, Peter.