In February 2014, Quocirca reviewed the FIDO (Fast IDentity Online) standard for authenticating consumers to web service providers (I am not a dog, FIDO a new standard for user authentication). In 2014, the FIDO Alliance had attracted over 100 supporters; the site now lists around 250. Quocirca compared FIDO with the SSL/TLS standard for authenticating online resources to users, noting that FIDO provided assurance in the other direction, that users were who they said they were.
The standard is championed by Nok Nok Labs, which sells an Authentication Server to enable web service providers to implement FIDO-enabled web applications. In Sept 2016 Nok Nok announced it was taking its authentication to a new level with the introduction of a risk engine. The aim is to mitigate mobile fraud, which matters because users increasingly access online services from mobile devices and because mobile devices are often used as a second factor of authentication for those services.
The risk engine takes a number of risk signals into account, enabling a risk score to be calculated and evaluated before a user is authenticated. These include:
- Geolocation: is the device, and therefore the user, in an expected location?
- Travel speed check: is the location of the current access request consistent with the location of the last one? This helps to identify device spoofing by criminals in locations remote from that of the legitimate user.
- Shared device check: make sure there is not an excessive number of users on a device; only one is acceptable if the device is registered as not shared.
- Multiple device check: has the number of devices used to access a given online service increased, and is there a known reason for this?
- Friendly fraud prevention: authentication is only accepted if a user-specific biometric is used to activate a device when it is shared by multiple users.
- Device health check: is the device configured as expected, and is there any indication it has been tampered with?
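As an added illustration (not Nok Nok's code; the point weights, the 40-point refusal threshold and the 1000 km/h travel-speed limit are assumptions), here is how these signals could be combined into a single risk score before a user is authenticated:

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

MAX_TRAVEL_KMH = 1000.0  # faster than this between two requests is treated as spoofing
RISK_THRESHOLD = 40      # a score at or above this refuses authentication (assumed value)

@dataclass
class Request:
    user: str
    device: str
    lat: float
    lon: float
    ts: float          # seconds since epoch
    biometric: bool    # a user-specific biometric unlocked the device
    healthy: bool      # device integrity / attestation check passed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(req, last, device_users, user_devices, shared_devices, max_devices=3):
    """Score one request from the signals listed above. last: the user's previous
    Request or None; device_users: {device: set(users)}; user_devices: {user: set(devices)};
    shared_devices: devices registered as shared. Returns (score, reasons)."""
    hours = (req.ts - last.ts) / 3600 if last else None
    km = haversine_km(last.lat, last.lon, req.lat, req.lon) if last else 0.0
    shared = req.device in shared_devices
    users_here = device_users.get(req.device, set()) | {req.user}
    devices_used = user_devices.get(req.user, set()) | {req.device}
    checks = [  # (signal fired?, points, reason); weights are assumed, not Nok Nok's
        (last is not None and (hours <= 0 or km / hours > MAX_TRAVEL_KMH), 40, "impossible travel"),
        (not shared and len(users_here) > 1, 30, "several users on an unshared device"),
        (shared and not req.biometric, 50, "shared device without biometric"),
        (len(devices_used) > max_devices, 20, "unexpected number of devices"),
        (not req.healthy, 50, "device health check failed"),
    ]
    return sum(p for hit, p, _ in checks if hit), [r for hit, _, r in checks if hit]

def decide(req, last, device_users, user_devices, shared_devices):
    """Return ('allow' or 'deny', score, reasons) for the request."""
    score, reasons = risk_score(req, last, device_users, user_devices, shared_devices)
    return ("deny" if score >= RISK_THRESHOLD else "allow"), score, reasons

# Constructed sample: Alice's last request came from London; the next is from New York an hour later.
LAST = Request("alice", "phone1", 51.5074, -0.1278, 0.0, True, True)
NOW = Request("alice", "phone1", 40.7128, -74.0060, 3600.0, True, True)
```

A real engine would tune the weights from observed fraud rather than fixing them by hand, and would typically step up to an extra factor before denying outright.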
Strong authentication on mobile devices gives consumers an experience similar to the one business users get from single sign-on (SSO). However, that would be the case whether or not FIDO was used. The real benefit of FIDO is the ease with which web service providers can deploy strong authentication for consumers. Pre-built products such as the Nok Nok Authentication Server make deployment easier still, and the addition of the risk engine makes the authentication stronger than ever.
The FIDO Alliance is attempting to drive demand and influence the regulatory approach to authentication. In August 2016, the European Banking Authority (EBA), an independent EU authority, released draft regulatory technical standards (RTS) on strong authentication. In the run-up to this release, the alliance lobbied the European Commission, putting forward suggestions that have been taken into account. For example, that “Payment services providers be able continuously to adapt to evolving fraud scenarios”, and, with regard to “the use of a mobile device as an authentication element as well as for the reading or storage of another authentication element”, it was said that “the majority were of the view that this should be possible as long as the strong customer authentication procedure mitigates the inherent risks of the mobile device being compromised”. Both of these points are only really achievable with the sort of capabilities provided through the new risk engine.
As for Nok Nok itself, it says business is good, although pilots are taking longer than hoped. It is looking to system integrators to help get the message out and drive both FIDO adoption and Nok Nok’s own software sales. Web service providers often say they want to deliver security, and standards help enable this. Saying it is one thing; actually getting it done is another.