For the better part of nine years, Nok Nok has been curating a safer online identity landscape. Through its role in creating the FIDO protocol that is gaining ubiquity, to its quest to kill the password and provide secure and scalable authentication for users and devices with its S3 Authentication Suite, the company is laying the foundations for a safer internet.
Mobile ID World founder Peter O’Neill interviewed Phil Dunkelberger, CEO of Nok Nok, about the company’s recent partnership with Netcetera and the long term impact of the FIDO protocol. The conversation goes on to detail some of the misconceptions about the protocol, which is closely associated with biometrics but covers authentication under a much broader definition, and Dunkelberger offers insight into the authentication needs in healthcare, before making an interesting and important distinction about the balance between security and convenience as it relates to user interfaces and user experiences.
Read the full Mobile ID World Interview with Phil Dunkelberger, President & CEO, Nok Nok:
Peter O’Neill, Founder, Mobile ID World & FindBiometrics: Please tell us about your most recent announcement and the partnership with Netcetera.
Phil Dunkelberger, President & CEO, Nok Nok: The partnership with Netcetera is really about bringing, first and foremost, stronger, easier-to-use authentication in the partnership to their banks and merchant partners. They were looking for a way to add additional capabilities. Traditionally, to reduce risk on transactions, and really to enable a better user experience , classic to your audience, the ability to easily add biometrics and other forms of authentication to their platform. And ultimately, longer term, to be able to offer new types of capabilities.
We’ve been finding, Peter, there’s all this buzz out there talking about reducing friction in authentication: going passwordless, frictionless. And as you know, Nok Nok brought that idea to the fore when we built the protocol – the FIDO protocol. As you know, so many people have now started using the protocol and embedding the protocol. I know FindBiometrics has covered Apple and Google joining the Alliance, et cetera.
What we found is: that’s just the first step. Reducing friction for authentication lets you do new and inventive things beyond the authentication step for users. And we found that it is the first step in a lot of digital transformation work that people are doing around the world. So, platform suppliers like Netcetera are really helping with broader platform plays with banks and merchants in their space. So, it’s really using the protocol and, for lack of a better term, the innovation that we’ve stacked on top of the protocol all these years that our platform provides to them.
Peter O’Neill: Now, that’s great news. And is it ever needed in our current COVID pandemic world. What larger impact will this have on the whole banking payment industry?
Phil Dunkelberger: Well, fundamentally, I think for many years, we’ve looked at this idea of ‘what are transformative disruptive technologies?’ What the pandemic accelerated was contactless payment’s, card not present, things that are needed from a regulatory environment. Because you can’t physically go someplace, doesn’t manifest itself in lacking the need to do things. So, they need to do things, the imperative to do things now was just greatly accelerated.
I think the overall global impact is going to be, not to be cheeky, but a guy in one of the plenary meetings years ago said, “There’s 5 billion people in the world who don’t know what a username and password is. Let’s not tell them!”
Peter O’Neill: I like that.
Phil Dunkelberger: Our bringing the protocol to the fore and working with the FIDO Alliance – creating the Alliance and working with it, working with a lot of really talented people around the world, building partnerships like we’re doing with Netcetera – it now changes the role of suppliers and they have to be able to adapt to this new world and it’s been accelerated.
Netcetera was a forward-looking company already. They’re a great partner in what they can do. But the exciting thing of this, I think the imperative is if you’re somebody that’s providing services remotely and you’ve got to be able to do step-up authentication or delegated authority, all the things that go on in the payment sphere, you’re going to have to think about that much more rapidly and provide services much more quickly because your end customers and partners customers are already there. And this is, to me, the next big step in changing the face of payments, changing the face of remote banking, changing the face of remote commerce in general.
Peter O’Neill: Well, it’s very interesting, Phil, we just finished our 18th Annual Year in Review and, I can’t believe it’s been 18 years, these big trends are all moving very rapidly…and not just for Financial, HealthCare, Travel, Education… all verticals are experiencing the same needs.
Phil Dunkelberger: One of the key things that gets confused with what we do, is that the protocol itself was only used for biometrics. As you know, that’s not true at all. The protocol is a very rich protocol for the end-point authentication it provides. But I would argue that it’s become the go-to protocol for biometric deployment because you can add so many different types of biometric authenticators to a single device.
Technically, what that has allowed people to do is solve the conundrum of the last mile, which is, we’re going to build a system for somebody to do better access, more secure access, something better is why we architected the protocol this way.
We now don’t have to figure out what that last mile implementation is going to be to the user. We have a multitude of choices now that are standards-based solutions that we can put in. And that is accelerating the ability to deploy more and more capabilities beyond authentication.
We tend to, I think, look at authentication or biometric implementation in silos. What we found is our customers are back to the customer-to-entity or customer-to-a-relying party. Those relying parties now are growing broad implementations inside and outside of themselves. So, we’re going from one-to-many implementations now where it used to be one-to-one. And I think that’s another factoid to your point of the change that’s accelerating. They’re going to be able to do this faster and more scalable with additional user applications and ultimately use cases inside the offerings they’re making.
Peter O’Neill: Well, Phil, it’s interesting. The silo part of it is not just silos within an industry and organization, it’s also across industries. We’re doing a lot of work in the healthcare environment right now, which again, because of the pandemic, has seen radical changes, much needed changes, occurring very, very quickly. Remote work everywhere. What are you seeing across industries beyond banking and payments?
Phil Dunkelberger: Well, taking it off just the Netcetera focus here or moving from that, we have seen it dramatically pick up. I keynoted CES last year. It was one of the last trips I made before the pandemic hit. I was in Las Vegas and I got a call from the CES people saying, “Phil, we know that you’re working in trying to bring people online.” Really it’s about ease of use, better security, lower costs, and ensuring global data privacy, Nok Nok’s four pillars. When you first interviewed me, I talked about the four pillars of the protocol, and these continue to guide our efforts today.
We put it out there, we had a product in place. And when I was asked by people about the design criteria of the protocol itself and what we’re doing at Nok Nok, it was really about continually providing a better user experience. And really, where I finally see breakthroughs in things like doing business in the healthcare space, was you needed to solve the usability problems.
People deploy, and we partnered with a number of people that we’re working with now, in payments within the medical. How do you pay for your prescriptions remotely? Medical is a business, and so you’ve got to be able to make secure payments. You’ve got to be able to check insurance capability and know who’s there to be able to provide the right insurance capability. You’ve got to be able, when you’re doing payments or healthcare remotely, you’ve got to authenticate both the doctor and the patient in that conference call or that video call. You’ve also got to be able to mimic a hospital set of entry forms if you’re going to bring hospital rooms to people’s homes.
That extended care capability, that distributed hospitals, breaking down disintermediating the whole idea of hospitals during the pandemic, all of those things require strong authentication and knowing who’s there, whether I’m paying for services, acquiring services, receiving services, receiving meetings, scheduling meetings. All of those are going to require strong authentication, very, very conditional, given HIPAA and other things with PII, all of those things are paramount in the healthcare space and distributed health care. Because the days of you showing up to a doctor’s office and the days of you showing up to be admitted to a hospital are going to change dramatically post the pandemic.
Peter O’Neill: I agree 100 percent. And even right now, it’s a mad scramble mode. We actually dedicated the entire month of March at FindBiometrics to healthcare, working with the mighty HIMSS group specifically talking about these exact issues. You mentioned the user experience versus strong security protocols. How do companies deal with striking the right balance there?
Phil Dunkelberger: Traditionally, Peter, having been in this space for quite a number of years, the link between strong authentication, strong data security, strong operational security from the business standpoint, are linked. And the struggle has always been the tension between making something more secure and making it usable. Fundamentally, the key design point, the whole reason that we built the protocol was the first step in anything is, as we’ve talked about, is authentication. The first step in providing any device to any service is authentication. And that’s the way the worldwide web works. That’s the way it’s designed.
For it to be successful, you’ve got to get friction out of that system. The number one thing we’re finding is people have confused for years user interface with user experience. And let me try to opine on that for a second, if I could. The real issue people have is how to make their apps, their web interfaces, more usable, and the real issue you have is, from an IT perspective, there’s a lot of work that goes into which button do I click on? Which field did they see first? How do I get the information I need into the system? So, how do I onboard somebody securely? And then, how do I get the information from them? Unfortunately, the focus has always been on only the friction at that interaction. The real friction comes into the rest of the experience.
One of the points I’ve made in a talk I gave recently is if you’re an Amazon user, you haven’t really seen the UI change very much, have you, in all these years? But the experience of Amazon with Prime and other things, you can order things from millions of places that you could never do before, that can be delivered, in some cases, in two hours to your front door, that user experience has been dramatically changed by them and disintermediated so many industries from shipping to returns to shopping experience, et cetera. And it’s done it to whole industries like digital records, CDs. All of these things that have disintermediated industries over the last 20 years, you think about where we were in 2000 with its capabilities and where we are today, massive sea change.
A lot of that has to do with the tension between how I easy do I make it for a user to get in, get out and get on with their lives. And yet, how do I still have all the security protocols I need to be made working in the backend. More and more and more of what we’re being called in to do with the protocol and all the inventions that we’ve stacked on top of it… we’ve been building on top of the protocol for the better part of nine years now. Not only did we introduce it in building the FIDO Alliance, we also have been continuing to innovate around that. That’s the core of what we’ve done and are expanding on.
Most of that innovation goes right to your point, which is how do we make the implementation of something like biometrics, something that they know how to use…snap a selfie, voice recognition, fingerprint scanning, facial scanning, all these things that people have built into the end point, how do we make that extremely usable and unobtrusive also for the backend systems. How do we make those backend systems easily consumable of that front end assertion? Where it makes the user experience much easier and the user interface much easier, but also how do we take that thread and run it through all the backend systems without disrupting them?
And that’s really what I’ve been saying to people for years now, “You’re looking at authentication, biometric implementation, the wrong way. It is not an end-user, end-device only issue for usability. Your whole system could take advantage of not having to deal with traditional passwords and other forms, SMS OTP, all of these things that are brittle. They go away in that new sea change.”
We actually could have people that can authenticate without having to login anymore, at the end point. So, we’ve deployed this capability to millions of users for over three years now.
I find it interesting that a number of our friends in the industry are claiming they’re the first to do things with FIDO. Lately, there’s people out in the industry, “Ah, we’re the first guys that can host FIDO.” Ah, not really. We’ve been hosting FIDO on a service for the better part of six years, as an example. We were the first guys to do it, through different methodologies. And I’m going, “Well, what are you going to hook them up on the back end with?” They hook it up with a FIDO key and I kind of laugh and go, “Yeah, we’ve been doing it with literally no login.” And the backup theater is: swipe your finger, take of selfie. But after you’ve done that the first time, you don’t have to do it anymore because of how we use a key within the broader system’s context, because FIDO is a key-based protocol, where most of the other authentication protocols out there are not. They’re on/off and you don’t see them again. SMS is a time-based, one-time password, right? You’ve got enough time to use it and then you log in.
You make an excellent point in the medical field. Most of the time, medical services area, you want to know that that’s the same user throughout the lifecycle. Think about what you do at a hospital. You come into a hospital, you present your credentials. Those credentials are then used to kick off the billing, kick off your insurance, kick off the room you’re staying in, kickoff your dietary information. All of that is tied to you presenting credentials. You are going to have to mimic that remotely to get those same credentials, to be working in all those different systems. And your hospital system isn’t the insurer, your hospital system isn’t providing your payments. That’s all done through third-party partnerships. So you’ve got to be able to federate those credentials through all of those different systems. And what you don’t want to do is build a system that those were all one-offs. You want to be able to use, Phillip Dunkelberger’s credentials from his house, the same way you use his credentials if he was standing in front of you presenting them at the hospital.
That is the real secret sauce of system-level authentication. The authentication step leads to entitlements, traditionally known as authorizations, throughout a variety of systems, and then they need to be accounted and reported on. Classic AAA that’s been around since the beginning of computing. And what we’re finding is that’s the real secret sauce going forward.
Peter O’Neill: Well, Phil, I couldn’t help but think back to nine years ago, as you referenced, when FIDO was just starting. I remember doing a webinar with FIDO. It was called, “The Password is Dead.” And here we are, really feeling and living that. It’s been quite remarkable this past year.
Phil Dunkelberger: We’ve been talking for the better part of nine years as you pointed out. We tend not to be the hype guys, I don’t want to be the hype vendor of this. You know I’ve been in open conversation with you that Kill the Passwords is just step one of a multi-year, multimodal capability. Bringing biometrics on was a big opportunity for the world to change the way people interface with their devices. We’ve always known that, but we knew the catalysts had to be tied to business capability and new business opportunity. It’s been great to see the FIDO Alliance move and people to adopt the protocol. But the real point of this is, if we got rid of all the passwords …so what? So what? You need to link getting rid of the password to enable better business opportunities, better customer experience, better security from being able to do reporting and accounting to all of the regulatory environments, especially, as you point out, in medical, banking, FinTech, insurance – all of those are highly regulated – Telco, highly regulated industries that need reporting of what happened in transactions. The step function of getting rid of some of the 50-year-old conveniences people have been using… passwords is an example, really unlocks new productivity and better user experience. And that’s what we’re working on with Netcetera as the partnership, is not just the first step, but what does this really mean longer term and benefits to both the customer and benefits to the business? Win-win.
Peter O’Neill: Well, Phil, thank you. Always a pleasure to speak with you and thanks again for your time today.
Phil Dunkelberger: Thank you, Peter.
–
(Originally posted on Mobile ID World)
Follow Us