In The Boardroom With...
Mr. Ramesh Kesanupalli
Founder of Nok Nok Labs
Government agencies have particular interests in and requirements for strong authentication to both secure their own applications, and to meet responsibilities in setting policy that improves cybersecurity overall. Governments can influence market acceptance of FIDO authentication, both as a significant user of the technology and as policy maker and regulator.
Along with driving better technology for a society and protecting its Internet citizens, the government agencies participating with the FIDO Alliance are also consumers of technology and provide IT services for government employees and the public infrastructure. Most recently, the German Federal Office for Information Security (BSI) joined as a FIDO Government member. BSI promotes IT security. First and foremost, BSI is the central IT security service provider for the German federal government. BSI directly impacts and influences both private and commercial sectors, as well, because it offers services to IT manufacturers, private and commercial users, along with providers of information technology.
FIDO Government membership is open to all government agencies who can benefit from participation in the development of FIDO standards.
SecuritySolutionsWatch.com: We read news this week about the FIDO Cooperation & Liaison Partner program. What can you tell us about those developments?
Ramesh Kesanupalli: Just this week, the FIDO Alliance launched the FIDO Cooperation & Liaison Program. https://fidoalliance.org/fido-alliance-opens-worldwide-cooperation-and-liaison-program/ Leading industry associations representing mobile, consumer electronics, payments, and cybersecurity joined at the same time, inaugurating an impressive program. Biometrics Institute, Bluetooth SIG, Electronic Transactions Association (ETA), GlobalPlatform, International Biometrics & Identification Association (IBIA), National Cyber Security Alliance, OpenID Foundation, Open Mobile Alliance (OMA), SmartCard Alliance and W3C were first to announce their FIDO liaison relationships. The program, and the relationships and influences it establishes, like the government membership program, seeds FIDO adoption for various industries and user platforms and services. By creating awareness of FIDO standards across many industries, and inviting particular use cases for consideration in FIDO developments, FIDO standards truly can deliver on universality and see easy mass adoption. As the FIDO ecosystem continues to broaden, adoption becomes increasingly seamless for users, who continue to update and upgrade their devices and services, which are evolving with FIDO authentication rapidly becoming enabled for every user.
Updated September 2015
As FIDO Visionary and the Founder of Nok Nok Labs, Ramesh Kesanupalli brings to the company more than two decades of public and private sector IT security experience. Mr. Kesanupalli is responsible for the company’s vision and broad industry relationships. As a board member and VP of the FIDO Alliance (http://www.fidoalliance.org/), he provides leadership to an industry consortium where Nok Nok Labs is a founding member. Mr. Kesanupalli previously served as the Chief Technology Officer of Validity Sensors where he was responsible for software direction, strategy, alliances and strategic business development. He has also held senior management roles at Phoenix Technologies, Object Connect, Telsima, Inc. (formerly Kinera) and Network 24, which was acquired by Akamai. Mr. Kesanupalli holds patents in wireless middle tier software systems and is the author of several authentication patents. He has a Bachelor’s Degree in Electronics Engineering from Madras Institute of Technology, India, and a Bachelor’s Degree in Physics from Nagarjuna University, India.
SecuritySolutionsWatch.com: Thank you for joining us again today, Ramesh. Much has changed in the authentication and cybersecurity space since our first interview with you about one year ago. Congratulations on the growth and expansion of the FIDO Alliance during the past year. Please update us regarding FIDO achievements and accomplishments.
Ramesh Kesanupalli: Yes indeed, lots has changed and the FIDO Alliance has seen significant growth on all fronts. In December 2014, the FIDO Alliance published the first open standards for strong authentication.
Currently there are 225+ members with board representations from global organizations like NTT DOCOMO, Intel, ARM Holdings, Microsoft, Google, Visa, MasterCard, Discover Financial Services, Bank of America, Wells Fargo, Lenovo, and Samsung to name a few, and including my own company Nok Nok Labs. The FIDO Alliance released the first industry standards for strong authentication on December 9, 2014, /news/item/fido-1.0-specifications-published-and-final1 in final FIDO 1.0 specifications. Since releasing the standards for members and others to deploy FIDO technology, solutions, and products, there have been major deployment announcements from Microsoft, regarding Windows 10: /news/item/microsoft-announces-fido-authentication-support-planned-for-windows-10 and from Qualcomm for the mobile industry: http://fidoalliance.org/news/item/2015-03-02-qualcomm-snapdragon3D-FIDO-UAF-authentication. NTT DOCOMO has deployed FIDO authentication for its 65 million subscribers in Japan, becoming the first Mobile Network Operator to deploy FIDO across its network: https://fidoalliance.org/fido-alliance-welcomes-ntt-docomo-to-board/. Dropbox has deployed FIDO U2F for its 400 million users to authenticate with FIDO: https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/ There are now many FIDO products in the marketplace to accommodate many types of users: https://fidoalliance.org/fido-alliance-announces-62-authentication-products-now-fido-certified/. Just recently, the FIDO Alliance published the UAF 1.1 implementation draft that includes support for iOS, which gives FIDO coverage across Android, iOS and Microsoft platforms.
It gives me great pleasure and satisfaction as the person who founded FIDO, along with Michael Barrett and Taher Elgamal, to see the global acceptance of the specification and the quality and scale of deployments that we have enjoyed in a short period of time since we launched FIDO publicly in February of 2013 with 6 founding member organizations. https://fidoalliance.org/lenovo-nok-nok-labs-paypal-and-validity-lead-an-open-industry-alliance-to-revolutionize-online-authentication/
SecuritySolutionsWatch.com: Please give us an overview regarding FIDO Board Members and FIDO Membership at this time. What are the benefits of membership ?
Ramesh Kesanupalli: FIDO Alliance has enjoyed significant growth in 2 years from 4 initial board members with 6 total members at inception to 28 board members with 230+ total members and representation from all cross sections of technology players, platform players, device manufacturers to financial and other service providers globally. The FIDO Alliance announced three new board appointments this week (https://fidoalliance.org/fido-alliance-appoints-american-express-infineon-and-vasco-to-board/), American Express, Infineon, and VASCO, to bring the board to 28 members, including: Alibaba Holdings (NYSE: BABA); American Express (NYSE: AXP); ARM Holdings plc (LSE: ARM and NASDAQ: ARMH); Bank of America Corporation (NYSE: BAC); CrucialTec (KRX: 114120); Discover Financial Services (NYSE: DFS); Egis; Google (NASDAQ: GOOG); IdentityX; Intel (NASDAQ: INTC); ING (NYSE: ING); Infineon Technologies AG (FSE: IFX / OTCQX: IFNNY); Lenovo (NASDAQ: LNVGY); MasterCard (NYSE: MA); Microsoft (NASDAQ: MSFT); Nok Nok Labs, Inc.; NTT DOCOMO, INC. (NYSE: DCM); NXP Semiconductors N.V. (NASDAQ: NXPI); Oberthur Technologies OT; PayPal (NASDAQ: EBAY); Qualcomm, Inc. (NASDAQ: QCOM); RSA®; Samsung Electronics, Ltd (KOSCOM: SECL); Synaptics (NASDAQ: SYNA); USAA; VASCO (NASDAQ: VDSI); Visa Inc. (NYSE: V); Yubico.
I am very proud and will occasionally boast about one of the FIDO board’s newest members, NTT DOCOMO. In May 2015, NTT DOCOMO became the world’s first mobile network operator (MNO) to deploy FIDO authentication. DOCOMO went live with FIDO authentication in partnership with Nok Nok Labs, enabling multiple mobile services, multiple devices, and multi-modal biometrics options, including fingerprints and iris in a country-wide deployment. This was the first FIDO MNO deployment, and it was a very big deployment affecting NTT DOCOMO’s 65 million subscribers throughout the country of Japan and enabling them to use FIDO authentication instead of relying on passwords. The NTT DOCOMO country-wide deployment of FIDO authentication highlights that biometrics and FIDO UAF offer a natural user experience that is more secure, private, and easier to use than passwords. FIDO authentication assures that the biometric information, or any user data or credential, is confined to a user’s local device. This is a hot button for many organizations that want to avoid the privacy issues that come with storing users’ personal information. With FIDO, user credentials are never centrally stored on a server or network, and never shared or sent over the wires or networks. Recently, Bank of America became the world’s first bank to publicly announce deployment of FIDO authentication. Bank of America developed a mobile banking app with FIDO authentication baked into the app. Bank of America’s millions of users with fingerprint-enabled Android and iOS devices can authenticate with FIDO for a more convenient user experience that is also more secure and private than passwords. Bank of America’s action inherently enlarges the FIDO ecosystem by driving FIDO at scale in the financial services industry. Their FIDO deployment accelerates FIDO adoption in the design and manufacturing of chips, devices, and platforms.
It is further testament to FIDO protocols’ ability to organically transform the ever evolving internet landscape through mobile devices already in the hands of millions, as well as through the FIDO public key cryptography model that eliminates mass credential harvesting that can lead to network breaches, scams and fraud – egregious attacks and mass harvests of user PII that is reported all too often.
The FIDO board notably continues to enlarge in the Financial Services sector with ING and USAA recently joining the board: https://fidoalliance.org/fido-authentication-gains-momentum-in-us-and-euro-fs/
SecuritySolutionsWatch.com: We understand that 62 Authentication Products Are Now FIDO® Certified. This speaks volumes about the acceptance and traction of FIDO in the marketplace. Care to elaborate?
Ramesh Kesanupalli: Yes indeed. There are now multiple products that are FIDO Certified™ for both FIDO UAF and FIDO U2F protocols, which includes authenticators, devices, clients and servers from many types of organizations worldwide. AliPay, Bank of America, Dropbox, Google, Microsoft, NTT DOCOMO, and PayPal have deployed early versions from the first published standards. Samsung, LG, and Sharp are shipping handsets with FIDO at the core. Qualcomm is embedding support into Snapdragon chip sets. Intel and NXP are part of the effort. Anyone with a microSD slot can adapt their device to use FIDO with GoTrust FIDO microSD, which uses Infineon chips. FIDO authentication is critical to the healthcare industry, which demands both security and patient privacy, and MedImpact was first to deploy FIDO authentication in a physicians’ portal. These products and solutions within the FIDO ecosystem will ultimately result in a consistent, easy-to-use consumer experience, and finally bring the promise and vision of the FIDO Alliance to reality.
SecuritySolutionsWatch.com: The bad guys, whether organized foreign countries, sophisticated hacker groups, lone wolves, or “insiders”, continue to look for the weakest link into the network. The United States Office of Personnel Management (OPM) recently discovered that the personnel data of 5.6 million current and former Federal government employees had been stolen. The White House said in July 2015 that, “cybersecurity is one of the most important challenges we face as a Nation.” What is your perspective, Ramesh, regarding the current threat environment?
Ramesh Kesanupalli: Theft of fingerprint data from a server is a serious problem. FIDO authentication does not permit centralized storage of user credentials...EVER! However, consider some different kinds of use cases and other threat models that can be curtailed, even when centralized storage of user credentials may be justified. Law enforcement and Government agencies have applications that understandably require them to capture and store fingerprint data for various and obvious reasons related to tracking criminals and offering public services, like drivers’ licenses. Even when centralized storage is required, you can improve security of that store by controlling how those servers are accessed. When access is based on the prevailing user id and password model, then the infrastructure is further weakened. Though FIDO authentication in this case would not be able to stop an insider attack without adjusting access management methods and applying data encryption, FIDO authentication limits non-insider attacks, even if an employee’s credentials are phished or stolen.
The commercial market is an entirely different animal that requires a very different model to deliver authentication that combines security, privacy and ease-of-use. Internet and service providers want to limit their liability, respect their users’ privacy, and offer frictionless user access. Commercial markets cannot withstand attacks on their constituents’ fingerprint data at any scale. Without exception, commercial use of biometric data cannot sustain attacks and breaches. Commercial use of biometrics absolutely demands FIDO authentication to ensure that data are inaccessible on central servers or through providers’ networks. The device-centric security of FIDO authentication ensures that biometric data are never centrally stored. Using biometrics to authenticate as defined by FIDO standards applies only to unlocking the user’s local device so the device can exchange public key cryptography (not biometric data) with a FIDO server to complete the user authentication. The FIDO model protects both the deploying organization or provider and their customers and constituents, by ensuring secure and private transactions, as well as user convenience.
While there are market reports about biometrics being spoofed, it is very important to distinguish these as cases where server side biometrics have been employed, not FIDO. These reported attacks that alarm the public and prejudice them against biometrics have nothing to do with FIDO UAF biometrics authentication. Using biometrics in commercial markets requires providers to employ the FIDO authentication model to both limit their own liability and protect their users’ privacy while offering them unmatched convenience. FIDO’s device-centric model discourages global scaled attacks because there is no personal data, and no biometric data, stored on the server.
Authentication has become even more of a concern now as we move from a conventional Internet and mobile access to information model to an Internet of Things (IoT) and mainstream lifestyle management model that must be protected by convenient, secure and private user authentication. Now, we are looking at controlling everything remotely including our home electronics and appliances. In this evolving and connected world of the IoT, if there is failure in the first mile to identify the incoming device and the user who is operating behind that device, we are looking at totally different kinds of attacks that we must consider now, not later.
The White House and politicians are understanding that Cyber Security is indeed one of the most important challenges we face as a nation, and we need to choose the right path to ensure success with security, privacy and user convenience. This is recognized in government circles, and the FIDO Alliance created a government class membership to address the interest; we have already welcomed US and UK Government as members.
SecuritySolutionsWatch.com: What resources are available for the authentication community at the FIDO Alliance?
Ramesh Kesanupalli: Service providers and deploying organizations are anxious to understand how they can get started using FIDO authentication. We have regularly scheduled FIDO seminars featured in cities around the world to help organizations learn about the FIDO Alliance and how they can join and employ FIDO standards for their products, sites and services. Monthly webinars are free to anyone who wants to learn more about FIDO and ask their specific questions. Watch for live and online FIDO events to participate at no charge: https://fidoalliance.org/upcoming-events/
Anyone may contact the FIDO Alliance and ask questions of our members and SMEs by sending questions to firstname.lastname@example.org.
There are many ways to adopt FIDO authentication. Some will join the FIDO Alliance in the interest of contributing to the development of FIDO standards for inclusion of their use cases. They are welcome and invited to engage: https://fidoalliance.org/membership/details/ As mentioned, FIDO specifications address two protocols: FIDO U2F, which is a 2nd factor protocol for either desktop or wireless use that relies on some form of PIN or password combined with a touch of a USB dongle, or NFC/BLE equipped wireless device for mobile use; and FIDO UAF, which uses biometrics or other embedded security environments to effect authentication, completely eliminating the need for passwords on either client or server. There are multiple companies offering U2F servers and U2F dongles. Some companies, including my own, Nok Nok Labs, offer UAF servers; Nok Nok Labs has deployed servers in major production environments like NTT DOCOMO, PayPal and AliPay. Clients also implement FIDO infrastructure and this avoids server side complexity and desperation that can come in dealing with client side authenticators and methods and native or custom API integration from device to device. The many FIDO Certified offerings can be found at the FIDO Alliance site: https://fidoalliance.org/certification/fido-certified/ and FIDO Ready products which preceded publication of FIDO Standards: https://fidoalliance.org/certification/fido-ready/
Authentication and authenticator companies, too, look to FIDO Alliance membership to better understand and embrace FIDO standards, and as a means of working with member partners to provide the necessary end-to-end infrastructure they need to advance and promote products while they focus on their core products and take advantage of the platform that FIDO provides. Depending on where a company’s core competency and focus is, FIDO provides the platform and necessary resources and right partners to help organizations get to market quickly with a complete solution. Depending on an organization’s size, intent, stage and direction, there are appropriate membership levels for any organization to take advantage of the platform: https://fidoalliance.org/membership/details/ FIDO Alliance members participate in working groups that welcome their participation and contributions: https://fidoalliance.org/working-groups/
The community at large—not just FIDO Alliance members—is now very actively working with FIDO certification (https://fidoalliance.org/fido-alliance-unveils-certification-testing-program-and-introduces-fido-certified-products/ ) to bring new FIDO products into the marketplace and assure that their authentication products and services meet FIDO standards and are branded FIDO Certified™. Any organization is welcome to participate with their products in regularly scheduled FIDO certifications test events: https://fidoalliance.org/certification/interoperability-testing-events/
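The two answers above describe the FIDO model at the level of principle: the biometric only unlocks the device, the device holds a private key per relying party, and the server stores nothing but a public key and verifies a signature over a fresh challenge. The following Go program is an added illustration of that exchange written for this page; it is not code from the FIDO specifications, from Nok Nok Labs, or from any FIDO Certified product. It uses Ed25519 from the Go standard library in place of the key types the specifications actually define, the relying-party IDs bank.example and evil.example and the user alice are made up, and the "biometric match" is just a boolean. It walks through enrollment, one login, a replay of that login, and a relay from a look-alike site, to show why a breach of the server or a phished signature yields nothing an attacker can use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Private keys never leave it; the local
// biometric match only sets Unlocked, the template itself is never exported.
type Authenticator struct {
	Unlocked bool
	keys     map[string]ed25519.PrivateKey // one key pair per relying-party ID
}

// Register mints a key pair scoped to rpID and releases only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	if !a.Unlocked {
		return nil, errors.New("user verification required")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		a.keys[rpID] = priv
	}
	return pub, err
}

// Sign answers a challenge. The signed message binds rpID (the origin the client
// is really talking to), so a signature harvested by a look-alike site is worthless.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !a.Unlocked || !ok {
		return nil, errors.New("locked, or no credential for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Server is the relying party. A dump of it yields public keys and spent nonces only.
type Server struct {
	rpID       string
	pubKeys    map[string]ed25519.PublicKey // user -> public key
	challenges map[string][]byte            // one outstanding nonce per user
}

func NewServer(rpID string) *Server {
	return &Server{rpID, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte nonce for user.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[user] = c
	return c
}

// Verify checks sig over (rpID, nonce) and consumes the nonce, so a captured
// signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.challenges[user]
	delete(s.challenges, user)
	pub, known := s.pubKeys[user]
	return ok && known && ed25519.Verify(pub, signedData(s.rpID, c), sig)
}

// RunFlow: enrollment, one login, a replay, a phishing relay -> (loginOK, replayAccepted, phishAccepted).
func RunFlow() (loginOK, replayAccepted, phishAccepted bool) {
	auth := &Authenticator{Unlocked: true, keys: map[string]ed25519.PrivateKey{}} // fingerprint matched locally
	bank := NewServer("bank.example")                                               // hypothetical relying party
	pub, err := auth.Register(bank.rpID)
	if err != nil {
		panic(err)
	}
	bank.Enroll("alice", pub)
	sig, _ := auth.Sign(bank.rpID, bank.Challenge("alice"))
	loginOK = bank.Verify("alice", sig)
	replayAccepted = bank.Verify("alice", sig) // nonce already consumed
	// Relay attack: evil.example forwards the bank's fresh nonce to the user, who
	// also enrolled there. The client signs under the origin it is really on, with
	// that origin's key, so the bank's verification fails.
	evil := NewServer("evil.example")
	if _, err := auth.Register(evil.rpID); err != nil {
		panic(err)
	}
	sig2, _ := auth.Sign(evil.rpID, bank.Challenge("alice"))
	phishAccepted = bank.Verify("alice", sig2)
	return
}

func main() { fmt.Println(RunFlow()) }
```

Running it prints `true false false`: the genuine login verifies, the replay is rejected because the nonce was consumed, and the relayed signature is rejected because it covers evil.example rather than bank.example. In a real deployment the origin is supplied by the browser or OS client rather than by the page, which is what makes the binding trustworthy; this toy passes it in directly.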
SecuritySolutionsWatch.com: Thank you for joining us today, Ramesh. It’s an honor to speak with the founder of Nok Nok Labs and the visionary behind the creation of the FIDO Alliance. Before we discuss FIDO Alliance and Nok Nok Labs in greater detail, please tell us about your background.
Ramesh Kesanupalli: Sure. Before founding Nok Nok Labs, and as the FIDO Alliance was forming, I was the CTO of Validity Sensors, which is now part of Synaptics. Prior to that, I was the Senior Vice President at Phoenix Technologies, running Engineering, Marketing and Business Development. I was part of the team that founded Network24 Communications, a video streaming company acquired by Akamai. I founded and served as CEO at both a services company and a middle tier carrier software company, which went through various incarnations before ultimately merging with Harris; and early in my career, I worked as a consultant with IBM Labs on the East Coast.
SecuritySolutionsWatch.com: We enjoyed “The FIDO Alliance Video: How It All Began” a great deal. Please share with us a brief history of the FIDO Alliance.
Ramesh Kesanupalli: Some of the thinking at the core of the FIDO Alliance dates back to 2004, but the prime move occurred in 2009 when as CTO of Validity Sensors (now Synaptics), I met with Michael Barrett, who is currently the FIDO Alliance president and was then PayPal CISO. I was looking for ways to bring fingerprint technology into mainstream consumer authentication, and Barrett was trying to fix consumer authentication for PayPal. That first conversation between me, Taher Elgamal, Inventor of SSL and now CTO of Salesforce.com security, and Michael Barrett established a working group to address the authentication problem. What started out as an exploration of how to engage PayPal in using Validity fingerprint sensors, expanded when Barrett said that PayPal would want to consider the whole field of authentication options to passwords, and the range of competitors to Validity, including more than fingerprint sensors alone. That stated interest was, and is, a driver in the development of FIDO authentication. Basically, PayPal was first to ask for what everyone wants: unlimited choice, limited liability, complete interoperability, low cost, and lots of flexibility to accommodate unpredictable change. The FIDO authentication model today embraces the full range of local authentication and authenticators, makes all methods interoperable and enables them to communicate with the network to authenticate users without ever sharing passwords or credentials – NEVER! That first meeting, and the working group that emerged from it, are the basis of the FIDO Alliance, which we launched publicly in February 2013 with six founding members. So compelling is the FIDO authentication model and so urgent is the need, that today— only 16 months later—we have 135+ FIDO Alliance members, and our ranks increase weekly. Global leaders in Technology, Financial Services, Healthcare, and Enterprise have joined the FIDO Alliance in our mission to move beyond passwords with universal strong authentication that is more secure, private, and easier-to-use.
SecuritySolutionsWatch.com: We read with great interest regarding the mission of the FIDO Alliance which is to change the nature of online authentication and your interview with Bloomberg Businessweek where you discussed that “passwords had to go”. Care to elaborate?
Ramesh Kesanupalli: Yes. Happy to. Prevailing password authentication has proven to be insecure and risky amidst a world of escalating security threats, cyber crime and targeted attacks, not to mention increasing vulnerability associated with so many more vectors of attack coming through the Internet of Things (IoT). Right now, we are moving from informational access to a major life style change where we can access everything digitally. We’re at the threshold of using authentication to pay at retail stores with our phones, to open and start our cars, to manage home networks, appliances, and security systems all through connected devices. Authentication is the FIRST step we must perform to begin to effectively use IoT. Even basic usability of passwords is challenged when typing/entering credentials on various devices or using touch screens is neither simple nor fast. As we make this lifestyle change, authentication must be based on universal FIDO standards, not the prevailing password infrastructure. Otherwise, there will be chaos and a scale of cyber disruption we have not yet experienced. Our FIDO Alliance members understand the full scope of the authentication problem and are determined to change the world with authentication that is more secure, private and much easier to use. FIDO standards promise to open new spheres of services with accommodations that potentially change the personal experience in ways we haven’t even imagined yet. The impediments of prevailing password systems and the importance of solving the authentication problem cannot be overstated; once FIDO authentication predominates, the ensuing years of digital development will prove the importance of what the FIDO Alliance has accomplished.
Let me lay out the scope of the password problem, so you can clearly recognize the urgency at hand, and the elegant solution that FIDO authentication presents. We are in an interesting and fast evolving world that requires access everywhere -- from PC-centric computations to mobile phones with buttons, to touch screens, tablets and various forms of computing − taken altogether, we dub this the Internet of Things (IoT). Our digital and online identity is only as strong as the weakest service that we use; as we extend to an evolving world of IoT, the authentication issues become virtually unmanageable without a disruptive change − that disruption is FIDO authentication.
The public is acutely aware of online and point of sale (POS) attacks and rampant identity theft. Headlines about breaches and scaled attacks on Evernote, eBay, LinkedIn, Yahoo, Target and many other major consumer destinations, point to a dire need to move authentication beyond passwords. The rapid growth of the FIDO Alliance is incomparable and illustrates a consolidated determination across industry, technology, and the world to fix the password problem. The marketplace has been trying to address the password problem for some years, and there are some very strong scalable solutions, but until now these have been proprietary, too expensive, difficult to deploy, or add complexity and friction to the user experience. Moreover, ALL options have been based on password infrastructure, which we know must go.
Even a decade ago, passwords worked adequately on the Internet. The average Internet user in 2004 probably had only 5-6 passwords to try to remember. Now, those same users must cope with 30 or more of them. As such, a coping mechanism for the average user is to use the same password repeatedly everywhere. Basically, that means that the security of their most secure account is now the security of the least secure place where they’ve used that same password. Criminals understand this very well, which is why we see so many data breaches these days. Adding to the insidious password problem, we now have huge amounts of data about which passwords users use; as well as GPU-based cracking arrays. Even well salted & hashed password databases wither under this assault, as criminals are able to retrieve the passwords used by millions of users.
Though users are at risk personally, the Relying Parties, RPs (Internet services, if you like) who serve them bear inappropriate liabilities for lost or stolen credentials and face huge risk and losses– in the range of hundreds of millions of dollars per year, maybe more.
The largest and most sophisticated of these RPs – typically large financial institutions and online service providers – have developed complex risk based authentication systems. These systems staunch the bleeding somewhat, for those organizations, but don’t begin to solve the problem for all of the other companies who provide Internet based services.
Enterprises have roughly the same issues as they look inside their perimeters. Typically, 30 percent of helpdesk costs derive from requests for password help and resets. Meanwhile, the poor CISO is generally complaining to the CIO that stronger authentication is needed in order to manage the risk from APTs (advanced persistent threats).
Password authentication dates back more than 50 years, to the first client/server models when dumb terminals authenticated to mainframes to access data. Though password-based authentication has had a good run, it’s clearly not up to authentication as needed now, and Internet providers and businesses know it all too well.
Enter FIDO authentication -- It is important to emphasize that FIDO technologies and products are available now to the marketplace. The FIDO Alliance released the first review draft specifications in February 2014 – just one year after our official launch. As soon as the specs became public, four of our members announced the first FIDO technology deployment based on FIDO specifications—Samsung, PayPal, Synaptics and Nok Nok Labs implemented FIDO technology with the Samsung Galaxy S5 in a payments solution that uses the Synaptics fingerprint sensors to authenticate users and confirm transactions in a PayPal point-of-sale payments application, while Nok Nok Labs servers manage FIDO authentication on the back-end for both smartphone users and the RPs to effect very fast, reliable, secure and private mobile payments (https://fidoalliance.org/news/item/the-fido-alliance-announces-first-authentication-deployment-paypal-samsung). Since last February, more FIDO Alliance members are announcing FIDO Ready™ products, marketplace deployments, and implementation trials across industry – Enterprise, Financial Services, Healthcare, and for a range of Internet and mobility authentication. FIDO authentication is happening now, and let me use this forum to broadcast the good news and encourage more participation in the FIDO Alliance. As more join us, adopt FIDO technologies and deploy FIDO authentication solutions, FIDO specifications become better, and refined to include every potential use case.
When we decided to release FIDO draft specifications and ask for public comment, we struck an enduring model of how FIDO authentication will naturally respond to an evolving landscape that has just begun its expansion into a future that demands secure, private, easy-to-use authentication. By putting FIDO specs to work in products and solutions now, the first implementation draft of the spec will be enlightened by actual deployments and usage that is occurring now. We will never be finished specifying what’s best in universal strong authentication, but FIDO standards are already moving the world beyond passwords to universal strong authentication.
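The password-reuse argument a few paragraphs up (one reused password makes every account only as strong as the weakest site that stored it, and salted hashes fall to per-row guessing at GPU speed) is easy to see in code. The Go program below is an added example written for this page, not code from the interview or from any FIDO project. The breached tables, the users alice and bob, the sites forum.example and bank.example, and the wordlist are all constructed; salted SHA-256 stands in for whatever fast hash a careless site used. Salting does force one hash per (row, guess) pair, which is exactly the workload GPU arrays are built for, so a weak password still falls, and a recovered password is then tried at the second site.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Record is one row of a breached credential table: a per-user random salt and
// SHA-256(salt || password). The salt defeats precomputed tables but does not
// slow down a dictionary attack that simply hashes each guess per row.
type Record struct {
	User, Site string
	Salt       []byte
	Hash       string
}

func hashPassword(salt []byte, pw string) string {
	msg := append(append([]byte{}, salt...), pw...)
	h := sha256.Sum256(msg)
	return hex.EncodeToString(h[:])
}

func newRecord(user, site, pw string) Record {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return Record{User: user, Site: site, Salt: salt, Hash: hashPassword(salt, pw)}
}

// Crack runs the wordlist against every row: rows x candidates hash operations,
// the embarrassingly parallel job GPU rigs chew through. Returns user -> password.
func Crack(db []Record, wordlist []string) map[string]string {
	found := map[string]string{}
	for _, r := range db {
		for _, w := range wordlist {
			if hashPassword(r.Salt, w) == r.Hash {
				found[r.User] = w
				break
			}
		}
	}
	return found
}

// Reuse takes passwords recovered from the weakest site and tests them against
// the same users' rows at another site, returning the logins that fall.
func Reuse(found map[string]string, other []Record) []string {
	var fallen []string
	for _, r := range other {
		if pw, ok := found[r.User]; ok && hashPassword(r.Salt, pw) == r.Hash {
			fallen = append(fallen, r.User+"@"+r.Site)
		}
	}
	return fallen
}

// Demo builds a constructed breach of a small forum whose users also bank
// elsewhere; alice reuses her password, bob does not.
func Demo() (map[string]string, []string) {
	forum := []Record{
		newRecord("alice", "forum.example", "Summer2015"),
		newRecord("bob", "forum.example", "c0rrect-h0rse-b4ttery"),
	}
	bank := []Record{
		newRecord("alice", "bank.example", "Summer2015"),           // reused
		newRecord("bob", "bank.example", "Zq!8vLp2#wTn9"),           // unique
	}
	wordlist := []string{"password", "123456", "qwerty", "Summer2015", "letmein"}
	found := Crack(forum, wordlist)
	return found, Reuse(found, bank)
}

func main() {
	found, fallen := Demo()
	println("cracked at forum:", len(found), " bank logins that fall:", len(fallen))
}
```

The bank never stored a weak hash and never leaked anything, yet alice's bank login falls the moment the forum does. That is the liability the interview describes for relying parties, and it is what a per-site key pair that never leaves the device removes: there is no shared secret to reuse across sites.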
SecuritySolutionsWatch.com: What is your perspective regarding the achievements thus far for the FIDO Alliance and your vision of future goals?
Ramesh Kesanupalli: Astonishing progress and incomparable growth! We launched the FIDO Alliance publicly with 6 members in February 2013; in only 16 months we have 135+ members – comprising leaders in Tech, Financial Services and Industry. We have published draft specifications for two FIDO protocols --one which addresses requirements for using multiple authentication factors with existing devices, and one which addresses use of an external dongle or plug-in – both are easy to use, interoperable (or universal) and move us beyond password dependencies. The two protocols provide more user options, and more options for RPs to specify choice to granularly manage security levels and control their own risk without adding friction to the user experience.
As I’ve already said, we are very pleased by all the FIDO Ready products, and real deployments and implementation trials underway as we proceed toward the implementation draft of the FIDO specifications. The FIDO Alliance is among only a few industry alliances able to evolve open industry specifications through a working industry ecosystem that is developing new products in parallel with products already working in the field. While our progress has been great, there is still much to do. Ultimately decisions are made and direction taken based on FIDO Alliance governance, and working groups. Though, personally, I anticipate that FIDO authentication will develop and expand from the original model of authenticating from user-to-device and then device-to-service, by eventually extending the model to include device-to-device and service-to-service authentication. This extended model would squarely address the IoT market. We have prepared for FIDO authentication to work with the current marketplace and evolve to accommodate what’s next – no longer will authentication be a persistent vulnerability and an impediment to true market expansion. Prepare to be amazed by the possibilities, as FIDO authentication expands in the marketplace.
SecuritySolutionsWatch.com: The Board of the FIDO Alliance reads like a Who’s Who of online authentication with eBay, Google, Microsoft, and RSA, just to name a few. Please tell us about the FIDO Alliance Board Member Representatives.
Ramesh Kesanupalli: Yes. The FIDO Alliance can claim some of the world’s most significant and highly material companies among our board members, including ARM Holdings, Bank of America, BlackBerry, CrucialTec, Discover Financial Services, Google, IdentityX, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP Semiconductors, Oberthur Technologies, PayPal, RSA, Samsung, Synaptics, Visa, and Yubico. With Google and Microsoft, major OS providers are represented; and between Samsung and Lenovo, we have the top device OEMs among us; ARM significantly expands market diversity and reach; and with MasterCard, PayPal, Discover, Visa, and Bank of America we have important financial sector representation; various authenticator technology vendors in our ecosystem add to a well-balanced, capable, and very influential mix of organizations equipped to effect a new authentication model. More enterprises, network operators and carriers are approaching the FIDO Alliance now for trials and membership, and we are actively pursuing these sectors to enlarge the scope of FIDO Alliance membership. Our goal is to meet the need for secure, private, easy-to-use authentication wherever it’s needed.
SecuritySolutionsWatch.com: Ramesh, can we discuss the Internet of Things for a moment? The benefits of IoT are clear: in seconds with our mobile devices we can all pay a bill, send a gift, make a dinner reservation, check the stock market, and in growing numbers, control the HVAC and security systems in our homes. But, we all know that there are bad guys out there. The Target breach is still causing repercussions. Are we also more vulnerable now? Is my iPhone a target? What are your thoughts?
Ramesh Kesanupalli: Very good question, and worth emphasizing, as getting IoT authentication right is critical. As I said, we are entering an interesting time of a very inter-connected world. Until now, we’ve used the Internet to access information, emails, pictures, music and financial information, and sites that offer us things we want to know about, use or buy. We are about to start using the internet for lifestyle management. Our homes are wired; our security monitoring systems are connected; our electricity, gas and thermostats are remotely accessible, along with our home appliances. We can even open doors and access buildings, as well as open and start our cars through digital connections. We manage our health and fitness with connected devices and services. You might say, we are becoming the connected person, and our critical infrastructure is undergoing the transformation now. Typically, we use our Internet-connected mobile devices and PCs as remote controllers. So far, our experience of threats and digital attacks is confined to disruptions of service or the inability to access information or sites. The next generation of bad actors, those who target IoT, could potentially cause disruptions in our lives and create problems that extend well beyond inconvenience and nuisance. For example, what if your neighbor was turning your thermostat off in the middle of the night on a cold winter day, thinking they were affecting their own home? Or imagine that your medical records or your fitness records stored in the cloud suddenly appeared with someone else’s data, not yours. While IoT promises an improving lifestyle with new personalization replete with conveniently delivered content and services that find us where we are, we must be vigilant in protecting this highly personalized infrastructure. We must begin with FIDO authentication.
We know that password systems cannot withstand hackers and malevolent actors, so FIDO authentication must be engaged before IoT can deliver all we can imagine, unimpeded by threats to our life style and well-being.
SecuritySolutionsWatch.com: We also read with great interest, Ramesh, the recent Nok Nok Press Release regarding Samsung and PayPal which have “…selected the company’s NNL™ S3 Authentication Suite”. Please give us an overview of Nok Nok solutions and please tell us more about this significant “win” with Samsung and PayPal.
Ramesh Kesanupalli: Yes. That is a significant win for us and we are working on a few more. PayPal has been working with us right from the beginning, and we are very happy that PayPal has deployed our FIDO Ready MFAS server, which truly moves PayPal beyond passwords as the leader in the online payments space. We are also quite pleased that Samsung has deployed our Authentication kernel, which provides strong authentication working at the hardware core of the Samsung S5 with Synaptics’ fingerprint sensor.
Nok Nok Labs is the first and, at this time, the only implementer of the UAF protocol, because the implementation draft is not yet published. Nok Nok Labs’ MFAS server is a Multi-Factor Authentication server which we deploy within the service provider’s infrastructure, and we have clients that work with multiple authentication technologies like fingerprints, facial recognition, speaker recognition, TPMs, and Secure Elements that can be deployed on Android and Windows platforms. We support multiple browsers on the client. Also, we recently tested our client software with Apple iOS and Touch ID services, and we intend to support them once the Touch ID service from Apple is available publicly.
SecuritySolutionsWatch.com: Thanks again for joining us today, Ramesh. Are there any other subjects you would like to discuss?
Ramesh Kesanupalli: As a synopsis, it is basic but important to state exactly what the FIDO Alliance does and does not do, for your audience’s reference.
The FIDO Alliance is an organization that provides a forum for its members to work together to develop and publish open industry standards. FIDO Authentication represents innovation that could only be realized by an ecosystem comprising the titans of technology and industry, and it is a huge step forward in authentication derived from the sum of many parts. FIDO members can each claim unique and patented innovations, but each has contributed their own technologies, experiences and leadership to create FIDO authentication in an open unencumbered standards framework.
FIDO authentication renders all strong authentication methods and solutions interoperable, more secure, private, and easy-to-use. These specifications allow interoperability among strong authentication technologies, and help remedy the problems users face with creating and remembering multiple usernames and passwords. Prior to the emergence of the FIDO specifications, the authentication market was highly fragmented with more than one hundred vendors offering entirely un-interoperable products.
FIDO authentication reverses a prevailing and long-standing inversely correlated model of security and ease-of-use. Until FIDO authentication, more security meant more trouble for users, who were expected to remember more passwords, more PINs, more secret phrases, more security questions, etc. Under FIDO authentication, security improves while the user experience becomes faster and easier. For the first time, users take control over their own authentication credentials; service providers no longer have responsibility for storing constituents’ passwords and personal identifying information (PII), and they don’t even have access to it.
For users, the FIDO experience allows them to choose device-centric authentication mechanisms such as fingerprint, voiceprint, or even securely managed/stored PINs, which are much easier for them to use than today's passwords. The FIDO architecture ensures that users' credentials are only stored securely on their local devices. As such, FIDO authentication removes the large centralized credential databases that today's password infrastructure creates. Additionally, FIDO's decentralized architecture means that it is not vulnerable to even systemic vulnerabilities, such as the OpenSSL "heartbleed" bug, which ravaged the Internet in Q2 2014.
At the same time, providers have much more insight and easier management on the backend to assess security requirements and vary and apply new controls as needed. Online, cloud and mobile service providers can implement FIDO specifications just once, and then determine as a matter of policy which types of authenticators they will trust. Simultaneously, users are freed from security concerns and, for the first time, can enjoy privacy!
Free at last to use online, mobile, and point-of-sale applications with ease, confidence and confidentiality, we’re going to wonder how we managed without easy-to-use FIDO authentication.
Ramesh Kesanupalli: Thank you very much for the opportunity and I look forward to more exposure to the FIDO alliance and Nok Nok Labs through this interview.
For more information, please see Ramesh Kesanupalli’s “Future of Authentication” presentation at COMPUTEX Taipei: http://www.slideshare.net/computex/2014-cpx-conferenceiot-forum-fido-alliance, and the related FIDO Press Release here: https://fidoalliance.org/news/item/the-fido-alliance-to-deliver-future-of-authentication-vision-at-computex. Find more about the FIDO Alliance at: www.fidoalliance.org. To join the FIDO Alliance and affect FIDO specifications as they develop, visit https://fidoalliance.org/membership.
FIDO ALLIANCE BOARD MEMBERS TOLD US…
Michael Pak, Vice President of Security R&D, Samsung Mobile Communications, Samsung Electronics, Ltd.
Regarding the mission of the FIDO Alliance and its achievements thus far and vision of the future:
“The FIDO Alliance is the first global and multi-industry effort to set standards for incorporating biometric authentication in consumer electronic devices. For the first time in history, industry leaders from finance, software, hardware and multiple services industries have come together to set the standards that will change how we use ecommerce and the scope of it.”
Regarding the importance of FIDO authentication and the vision of the future of authentication and its potential impact on IoT, network breaches, and POS vulnerability:
“Credit card payment standards were originally shaped before the invention of the Internet, modern cryptography, and mobile devices. A standardized authentication method, such as FIDO, has been a key missing factor needed to transform the way we shop. Through the FIDO Alliance’s efforts, we envision a world where consumers from around the world will be able to shop anywhere -- from a small merchant, such as a fisherman in Africa, to advanced/modern department stores in Manhattan.”
Liz Votaw, SVP, Customer Protection Strategy Digital Banking, Bank of America
Regarding the mission of the FIDO Alliance and perspective regarding the achievements thus far for the FIDO Alliance and vision of the future:
“At Bank of America we take the security of our customers and the protection of their privacy very seriously. We continue to look for opportunities to work collaboratively within the financial industry and across different industries in an effort to develop valuable solutions for our customers. The mission of the FIDO Alliance aligns with our efforts, and since joining the board in February 2014 we have seen great progress toward establishing a shared framework that will benefit all consumers.”
Regarding the significance of being a FIDO Alliance board member and the ability to influence outcomes and direct the work of the FIDO Alliance:
“As a FIDO Alliance board member, Bank of America has been able to ensure that the final FIDO specifications reflect the needs of the financial industry and its customers. The board represents a diverse cross-section of industries from software development companies, to hardware manufacturers, to giant technology platforms and financial institutions. Each company contributes their perspective and expertise, making for rich and productive dialogue and sound decision making. Bank of America has a voting seat and participates in the board governance subcommittee, allowing for many opportunities to directly influence the work of the alliance.”
Regarding why FIDO authentication is important and the vision of the future of authentication as it can impact IoT, network breaches, and POS vulnerability:
“At Bank of America we are committed to providing secure and convenient banking services, products and account access to our customers. Similar to the goals of FIDO Authentication, we strive to provide frictionless access to all banking needs while at the same time ensuring the privacy and security of our customers’ financial data.”
Brett McDowell, Head of Ecosystem Security, eBay Inc., and FIDO Alliance Vice President:
“PayPal spearheaded the formation of the FIDO Alliance with Lenovo, Validity (now Synaptics) and Nok Nok Labs because we knew that there was a better and more secure way for consumers to authenticate – beyond passwords. We also knew that only an open industry standard would be able to supplant passwords at scale. To realize this vision we work closely with an ever-increasing number of FIDO Alliance members to create common specifications, where the first public drafts were released in February 2014. We partnered with Samsung and Nok Nok Labs to deploy the world’s first FIDO Ready™ solution that enables PayPal’s privacy-preserving, highly secure fingerprint payments experience available on Samsung’s Galaxy S5 and Galaxy Tab S. This solution is a great example of how FIDO technology is poised to impact our future by empowering us to securely deliver better experiences for our customers, any time, anywhere, from any device.”