As banks struggle to move past passwords, a Silicon Valley startup is taking a stab at a fingerprint and facial recognition standard backed by some heavy hitters — PayPal and Lenovo among them.
Nok Nok Labs, which was created a year ago by the founder of the data security vendor PGP, says it will eventually sell server software that will make the process of verifying the identity of online and mobile bank customers easier and more effective. The company plans to release its developer tool kit in March.
Nok Nok is using a protocol created by the FIDO Alliance (short for Fast IDentity Online) that lets applications, browsers and servers speak the same language for authentication. According to members of the alliance, Nok Nok is the first company to turn the standard into working code.
"The goal of what we're doing is really an exercise in aligning the incentives of all of the players involved," says Brendon Wilson, Nok Nok's director of product management, adding that the company officially launched Tuesday. "It's not unlike Ethernet, back in the day. … Now you just plug your computer into this system and it just works."
The need for new, more accurate methods to authenticate Internet banking customers has increased in recent years as criminals have ramped up their efforts to steal people's online financial identities.
The FIDO standard — which provides a guide for all kinds of authentication, not just biometric — is a boon for technologists who often have to come up with workarounds to handle every aspect of biometric authentication. The roughly six-month-old alliance has been a work in progress for more than two years.
The protocol comes into play when a person attempts to use an app or website.
Nok Nok says its software will eventually inventory the user's device and find authentication mechanisms available to the user, such as a fingerprint scanner attached to the keyboard, or a microphone meant to catch a person's voice. It will communicate with the device to allow the automatic use of the best mechanism; the user will simply be prompted to scan his fingerprint or speak a phrase, for example.
The captured piece of biometric identification is then turned into a series of numbers, called a token, which is relayed to the bank's servers. That token works in the same way a username and password would to authenticate the user's identity.
The bank then sends back an encrypted message to the laptop or smartphone, which is recognized by a separate algorithm that runs in the background.
If all those pieces line up, the user gets access to his account within seconds. All of the authentication data is stored only on the bank's computers.
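The four-step exchange described above, as an added, constructed illustration that is not Nok Nok's software or the FIDO protocol itself: a bank server issues a fresh challenge, the device computes a token only after a local biometric match (the biometric sample never leaves the device), the bank checks the token and answers with its own tag, and a background check on the device confirms the bank's reply. The device key, the user name "alice", the string templates standing in for biometric data, and the use of HMAC-SHA256 tags are all assumptions of this example; the real FIDO protocols use public-key signatures rather than a shared device key, so the bank would hold only a public key rather than a secret.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Constructed illustration of the login flow described in the article, not Nok Nok's
# or FIDO's real protocol. Assumptions: each device holds a per-user key that was
# registered with the bank out of band, a local biometric check gates use of that
# key, and both messages are HMAC-SHA256 tags over a fresh server challenge.


def _tag(key: bytes, label: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA256 over a domain-separating label and the challenge."""
    return hmac.new(key, label + challenge, hashlib.sha256).digest()


class BankServer:
    """Holds the registered device keys: the only party that stores authentication data."""

    def __init__(self) -> None:
        self._device_keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}   # user_id -> outstanding challenge

    def register_device(self, user_id: str, device_key: bytes) -> None:
        self._device_keys[user_id] = device_key

    def new_challenge(self, user_id: str) -> bytes:
        """Step 1: a fresh random challenge, so an old token cannot be replayed."""
        challenge = secrets.token_bytes(32)
        self._pending[user_id] = challenge
        return challenge

    def verify_token(self, user_id: str, token: bytes) -> Optional[bytes]:
        """Step 3: check the device's token; on success answer with the bank's own tag."""
        challenge = self._pending.pop(user_id, None)   # each challenge is usable once
        key = self._device_keys.get(user_id)
        if challenge is None or key is None:
            return None
        expected = _tag(key, b"device->bank:", challenge)
        if not hmac.compare_digest(expected, token):
            return None
        return _tag(key, b"bank->device:", challenge)


class ClientDevice:
    """The laptop or phone: a local biometric match gates use of the device key."""

    def __init__(self, device_key: bytes, enrolled_template: bytes) -> None:
        self._device_key = device_key
        # Stand-in for the enrolled biometric template; a real matcher is fuzzy, not exact.
        self._template_hash = hashlib.sha256(enrolled_template).digest()

    def _biometric_matches(self, sample: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(sample).digest(), self._template_hash)

    def make_token(self, challenge: bytes, sample: bytes) -> Optional[bytes]:
        """Step 2: the token is computed only after a local match; the sample never leaves."""
        if not self._biometric_matches(sample):
            return None
        return _tag(self._device_key, b"device->bank:", challenge)

    def accept_bank_reply(self, challenge: bytes, reply: bytes) -> bool:
        """Step 4: the background check that the bank's reply belongs to this challenge."""
        expected = _tag(self._device_key, b"bank->device:", challenge)
        return hmac.compare_digest(expected, reply)


def run_login(server: BankServer, device: ClientDevice, user_id: str, sample: bytes) -> bool:
    """Runs one complete exchange and returns True only if every step lines up."""
    challenge = server.new_challenge(user_id)
    token = device.make_token(challenge, sample)
    if token is None:
        return False
    reply = server.verify_token(user_id, token)
    if reply is None:
        return False
    return device.accept_bank_reply(challenge, reply)


def demo() -> Dict[str, bool]:
    """Constructed scenarios: a good login, a wrong finger, and a replayed token."""
    key = secrets.token_bytes(32)
    server = BankServer()
    server.register_device("alice", key)
    device = ClientDevice(key, enrolled_template=b"alice-right-index-template")

    results = {"good_login": run_login(server, device, "alice", b"alice-right-index-template")}
    results["wrong_finger"] = run_login(server, device, "alice", b"someone-else")

    # Replay: a token captured for one challenge is presented against a newer one.
    old_challenge = server.new_challenge("alice")
    old_token = device.make_token(old_challenge, b"alice-right-index-template")
    server.new_challenge("alice")                      # bank issues a fresh challenge
    results["replayed_token"] = server.verify_token("alice", old_token) is not None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The two points worth noticing are that the challenge is consumed on first use, so a captured token is useless against any later challenge, and that the bank's reply is bound to the same challenge, so the device can tell a genuine bank response from an arbitrary blob returned by an impostor.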