As banks struggle to move past passwords, a Silicon Valley startup is taking a stab at a fingerprint and facial recognition standard backed by some heavy hitters — PayPal and Lenovo among them.
Nok Nok Labs, which was created a year ago by the founder of the data security vendor PGP, says it will eventually sell server software that will make the process of verifying the identity of online and mobile bank customers easier and more effective. The company plans to release its developer tool kit in March.
Nok Nok is using a protocol created by the FIDO Alliance (short for Fast IDentity Online) that lets applications, browsers and servers speak the same language for authentication. According to members of the alliance, Nok Nok is the first company to turn the standard into working code.
"The goal of what we're doing is really an exercise in aligning the incentives of all of the players involved," says Brendon Wilson, Nok Nok's director of product management, adding that the company officially launched Tuesday. "It's not unlike Ethernet, back in the day. … Now you just plug your computer into this system and it just works."
The need for new, more accurate methods to authenticate Internet banking customers has increased in recent years as criminals have ramped up their efforts to steal people's online financial identities.
The FIDO standard — which provides a guide for all kinds of authentication, not just biometric — is a boon for technologists who often have to come up with workarounds to handle every aspect of biometric authentication. The roughly six-month-old alliance has been a work in progress for more than two years.
The protocol comes into play when a person attempts to use an app or website.
Nok Nok says its software will eventually inventory the user's device and find authentication mechanisms available to the user, such as a fingerprint scanner attached to the keyboard, or a microphone meant to catch a person's voice. It will communicate with the device to allow the automatic use of the best mechanism; the user will simply be prompted to scan his fingerprint or speak a phrase, for example.
The captured piece of biometric identification is then turned into a series of numbers, called a token, which is relayed to the bank's servers. That token works in the same way a username and password would to authenticate the user's identity.
The bank then sends back an encrypted message to the laptop or smartphone, which is recognized by a separate algorithm that runs in the background.
If all those pieces line up, within seconds, the user gets access to his account. All of the authentication data is stored only on the bank's computers.
In addition, the strength of those authentications, such as a facial or fingerprint match, is based on the signal coming from the device and scored, says Clain Anderson, a software director at Lenovo who sits on FIDO's four-person advisory board.
"The protocol allows for flexibility to do that, so you can have a gold level, when you have a strong" authentication score, he says.
Perhaps, Anderson adds, banks could give different access to a user based on how certain they are that a person is who she says she is.
The technology may need to be tweaked by financial services companies that use it.
The implementation will be just as important as the higher level of authentication itself, says Shirley Inscoe, a senior analyst at Aite Group.
She describes a scenario where a cybercriminal could register using stolen identity information.
If a thief registers as you, then he is you, "and when you try to access your account, you are the imposter," Inscoe says.
Another hurdle, she says, is that not all computers and devices are outfitted with fingerprint scanners and webcams. There are also open-ended questions about traditional online attacks that could eventually bust the technology.
Specifically, a man-in-the-browser attack could alter parts of a bank's website in order to trick both the bank and the customer into making a bad transaction.
"So from the end-user perspective, everything appears to be authenticated," says Ben Knieff, NICE Actimize's director of financial crime product marketing. "No authentication scheme that we have seen a man-in-the-browser attack [against] has been able to get around that."
NICE sells a suite of Contact Center Fraud Prevention software that screens calls to a bank's call center and recognizes bad guys' voices after they've been flagged.
Wilson says that the nature of Nok Nok's software will allow developers to create multiple methods of authentication.
He explains that when one method becomes compromised by a hacker, a bank can just switch to another without shutting down its customers' ability to make a transaction.
"Nothing is foolproof completely, but because of the flexibility of this open standard it really gives you a lot of room, so you can combine [biometric authentication] with a pass phrase," Anderson says. "I think the power is the open nature of the standard, and that there will be many different implementations."