Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


05:00 PM
Connect Directly

Universal Multi-Factor Authentication Steps Closer To The Mainstream

The FIDO Alliance today finalized two universal authentication standards and one of its founding members, Nok Nok Labs, closed on $8.5 million of financing.

Users don't want to type cumbersome passwords on their mobile device (especially when they keep fumbling along with big thumbs on small keys). They don't want to log in and provide personal data to every site and service. Yet they do want to be secure. Companies would like to support stronger or multi-factor authentication, but they don't want to make it so difficult on users that customers give up and go elsewhere. Unfortunately, implementing some authentication schemes can be difficult and expensive.

Those are the problems that the FIDO Alliance aims to solve. Today, FIDO  (which stands for Fast Identity Online) published its final Universal Authentication Framework (UAF) standard and Universal 2nd-Factor (U2F), version 1.0. This brings them closer to getting UAF and U2F accepted as IETF standards by the Internet Engineering Task Force.

This is the technology behind Google's new Security Key two-factor authentication. It is what makes it possible for Samsung Galaxy users to make PayPal purchases with a fingerprint.  

What UAF does is enable businesses to support strong authentication without getting hung up on the login mechanism. Regardless of whether it's a fingerprint scanner, facial recognition software, or hardware token, the authentication mechanism is simply there to kick off a PKI interaction.

Through a method of their own choosing, a user logs in to a FIDO-Ready authentication application installed on their device. The application generates a private key and a public key. It stores the private key securely on the device, and issues the public key to whatever service is demanding authentication.

Nok Nok Labs is one of the six founding members of the FIDO Alliance, along with PayPal and Lenovo, and today announced the closing of $8.25 million in a Series C financing, which will help expand commercial offerings. Nok Nok Labs offers a FIDO-Ready authentication suite, and describes the example of a consumer using a mobile phone to purchase something online, in this video:

The user maintains more privacy, because they need only provide their personal login data to their device -- not to every site and service under the sun. The user saves herself the effort of typing in long, unique passwords over and over again.

The Web service she logs into doesn't have as much personal data to lose, because all they need is that public key. The browser does most of the work. 

Phillip Dunkelberger, president and CEO of Nok Nok Labs and co-founder and former CEO of the PGP corporation, has been involved in the project from the beginning. He says that this technology could be an important tool for securing the Internet of Things, because it takes some of the pressure off the hardware manufacturers and relies more on the chip makers and software developers. 

It could also help IT departments manage BYOD better, he says, because as long as the user's device supports the app, it doesn't really matter what the device is.

The project has backing from big household names. The FIDO Alliance started with six members (including PayPal and Lenovo), and now has over 150 members, including Microsoft, Samsung, BlackBerry, VISA, Mastercard, and Wells Fargo.

Today, Nok Nok Labs released new versions of its S3 Authentication Suite that supports the final UAF standards. It also released software development kits to help third-party authenticators, and applications make their products FIDO-enabled.

For more about FIDO-Ready products, visit fidoalliance.org.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.