Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //


05:00 PM
Connect Directly

Universal Multi-Factor Authentication Steps Closer To The Mainstream

The FIDO Alliance today finalized two universal authentication standards and one of its founding members, Nok Nok Labs, closed on $8.5 million of financing.

Users don't want to type cumbersome passwords on their mobile device (especially when they keep fumbling along with big thumbs on small keys). They don't want to log in and provide personal data to every site and service. Yet they do want to be secure. Companies would like to support stronger or multi-factor authentication, but they don't want to make it so difficult on users that customers give up and go elsewhere. Unfortunately, implementing some authentication schemes can be difficult and expensive.

Those are the problems that the FIDO Alliance aims to solve. Today, FIDO  (which stands for Fast Identity Online) published its final Universal Authentication Framework (UAF) standard and Universal 2nd-Factor (U2F), version 1.0. This brings them closer to getting UAF and U2F accepted as IETF standards by the Internet Engineering Task Force.

This is the technology behind Google's new Security Key two-factor authentication. It is what makes it possible for Samsung Galaxy users to make PayPal purchases with a fingerprint.  

What UAF does is enable businesses to support strong authentication without getting hung up on the login mechanism. Regardless of whether it's a fingerprint scanner, facial recognition software, or hardware token, the authentication mechanism is simply there to kick off a PKI interaction.

Through a method of their own choosing, a user logs in to a FIDO-Ready authentication application installed on their device. The application generates a private key and a public key. It stores the private key securely on the device, and issues the public key to whatever service is demanding authentication.

Nok Nok Labs is one of the six founding members of the FIDO Alliance, along with PayPal and Lenovo, and today announced the closing of $8.25 million in a Series C financing, which will help expand commercial offerings. Nok Nok Labs offers a FIDO-Ready authentication suite, and describes the example of a consumer using a mobile phone to purchase something online, in this video:

The user maintains more privacy, because they need only provide their personal login data to their device -- not to every site and service under the sun. The user saves herself the effort of typing in long, unique passwords over and over again.

The Web service she logs into doesn't have as much personal data to lose, because all they need is that public key. The browser does most of the work. 

Phillip Dunkelberger, president and CEO of Nok Nok Labs and co-founder and former CEO of the PGP corporation, has been involved in the project from the beginning. He says that this technology could be an important tool for securing the Internet of Things, because it takes some of the pressure off the hardware manufacturers and relies more on the chip makers and software developers. 

It could also help IT departments manage BYOD better, he says, because as long as the user's device supports the app, it doesn't really matter what the device is.

The project has backing from big household names. The FIDO Alliance started with six members (including PayPal and Lenovo), and now has over 150 members, including Microsoft, Samsung, BlackBerry, VISA, Mastercard, and Wells Fargo.

Today, Nok Nok Labs released new versions of its S3 Authentication Suite that supports the final UAF standards. It also released software development kits to help third-party authenticators, and applications make their products FIDO-enabled.

For more about FIDO-Ready products, visit fidoalliance.org.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.