Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


05:00 PM
Connect Directly

Universal Multi-Factor Authentication Steps Closer To The Mainstream

The FIDO Alliance today finalized two universal authentication standards and one of its founding members, Nok Nok Labs, closed on $8.5 million of financing.

Users don't want to type cumbersome passwords on their mobile device (especially when they keep fumbling along with big thumbs on small keys). They don't want to log in and provide personal data to every site and service. Yet they do want to be secure. Companies would like to support stronger or multi-factor authentication, but they don't want to make it so difficult on users that customers give up and go elsewhere. Unfortunately, implementing some authentication schemes can be difficult and expensive.

Those are the problems that the FIDO Alliance aims to solve. Today, FIDO  (which stands for Fast Identity Online) published its final Universal Authentication Framework (UAF) standard and Universal 2nd-Factor (U2F), version 1.0. This brings them closer to getting UAF and U2F accepted as IETF standards by the Internet Engineering Task Force.

This is the technology behind Google's new Security Key two-factor authentication. It is what makes it possible for Samsung Galaxy users to make PayPal purchases with a fingerprint.  

What UAF does is enable businesses to support strong authentication without getting hung up on the login mechanism. Regardless of whether it's a fingerprint scanner, facial recognition software, or hardware token, the authentication mechanism is simply there to kick off a PKI interaction.

Through a method of their own choosing, a user logs in to a FIDO-Ready authentication application installed on their device. The application generates a private key and a public key. It stores the private key securely on the device, and issues the public key to whatever service is demanding authentication.

Nok Nok Labs is one of the six founding members of the FIDO Alliance, along with PayPal and Lenovo, and today announced the closing of $8.25 million in a Series C financing, which will help expand commercial offerings. Nok Nok Labs offers a FIDO-Ready authentication suite, and describes the example of a consumer using a mobile phone to purchase something online, in this video:

The user maintains more privacy, because they need only provide their personal login data to their device -- not to every site and service under the sun. The user saves herself the effort of typing in long, unique passwords over and over again.

The Web service she logs into doesn't have as much personal data to lose, because all they need is that public key. The browser does most of the work. 

Phillip Dunkelberger, president and CEO of Nok Nok Labs and co-founder and former CEO of the PGP corporation, has been involved in the project from the beginning. He says that this technology could be an important tool for securing the Internet of Things, because it takes some of the pressure off the hardware manufacturers and relies more on the chip makers and software developers. 

It could also help IT departments manage BYOD better, he says, because as long as the user's device supports the app, it doesn't really matter what the device is.

The project has backing from big household names. The FIDO Alliance started with six members (including PayPal and Lenovo), and now has over 150 members, including Microsoft, Samsung, BlackBerry, VISA, Mastercard, and Wells Fargo.

Today, Nok Nok Labs released new versions of its S3 Authentication Suite that supports the final UAF standards. It also released software development kits to help third-party authenticators, and applications make their products FIDO-enabled.

For more about FIDO-Ready products, visit fidoalliance.org.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.