[Corrected 8/1/14, 12:20 p.m. See below.] There’s a certain irony that in a time when smartphones can tell who we are by scanning our fingerprints or taking a picture of our face, we still rely on usernames and passwords—a strategy developed in the age of the mainframe—to keep everything secure.
But for people like Nok Nok Labs CEO Phil Dunkelberger, it’s more than an irony. Depending on a 50-year-old method to keep important devices and networks safe creates a huge vulnerability, especially as hackers become more sophisticated. It’s a problem that needs to be solved soon, and Dunkelberger thinks Nok Nok Labs has the answer.
So do Samsung and PayPal, which use Nok Nok Labs’ software to enable Samsung Galaxy S5 smartphone owners to connect securely with PayPal’s mobile payments platform by swiping their phone’s fingerprint sensor.
Nok Nok Labs, which is based in Palo Alto, CA, developed the software that authenticates the user’s identity and ensures the transaction is secure. The startup also has developed software that will work with the iPhone’s Touch ID scanner when Apple releases the next iOS update.
With $31.5 million in total funding in the bank—Nok Nok Labs closed a $16.5 million Series B round in February—the three-year-old startup seems poised for big things. Turning fingerprints into strong identification tools is only the start of what it hopes to accomplish, Dunkelberger said.
Apple and Samsung are adding fingerprint scanners to mobile devices to make them more secure, while other companies are taking more unusual approaches to provide another layer of security to devices. Nymi, a startup based in Toronto, is developing a bracelet that can identify you by sensing your heartbeat. Google reportedly is experimenting with USB keys and rings that use near field communication to unlock devices.
While those companies focus on hardware, Nok Nok Labs is trying to develop the software that will connect those different devices to networks and servers. The intent is to create software that can be used with any application running on any device using any authentication method.
“We’re building what’s essentially plumbing that allows you to use anything from biometric sensors—think voice, think fingerprints, think even heartbeat—to things like secure PINs and more traditional types of authentication. Anything that gives you a strong multifactor identification capability on devices,” Dunkelberger said.
For users, the new methods are much easier than repeatedly typing a username, password, and other account information on a smartphone’s cramped screen. But according to Dunkelberger, the new methods can also be much more secure.
That’s because Nok Nok Labs’ software relies on public-key cryptography, not on a shared secret such as a password, to authenticate users.
It works like this: when, for example, a Galaxy S5 user loads the PayPal app for the first time, the software creates a pair of cryptographic keys. One, the private key, never leaves the device. It is unlocked only when the phone’s fingerprint sensor confirms that the right person is holding the device; the fingerprint itself is checked locally and is never sent anywhere.
After the user is verified, the app sends the second key, the public key, to PayPal’s servers, which store it for that account. On each later login or transaction, PayPal’s server sends the app a random challenge, the user swipes the sensor to unlock the private key, the app signs the challenge with it, and the server checks the signature against the stored public key. No password travels over the network, and a captured response is useless for a later login because the next challenge will be different. [This paragraph originally misstated how the process works.]
Because the servers store only public keys, there are no huge databases of usernames and passwords for hackers to break into, Dunkelberger said. That was the weakness that hackers used recently to attack Target and LinkedIn, he said.
From Nok Nok’s perspective, it doesn’t matter whether the private key is unlocked by a fingerprint, a picture, a voice pattern, or even a simple PIN. The company’s software will be able to use whatever methods a device is capable of—and whatever a user finds easiest.
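The registration and challenge-response flow described above, written out as an added example so both sides of the exchange are visible. This is illustrative code, not Nok Nok Labs’ software or the FIDO specification; the relying-party ID “paypal.example”, the user name “alice”, and the `userVerified` flag standing in for the fingerprint swipe are assumptions. Any local check (fingerprint, PIN, voice) would set that flag the same way, which is the point made in the paragraph above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the on-device side: one key pair per relying party.
// The private key is used only after local user verification (the fingerprint
// swipe in the article) and never leaves the device; only public keys and
// signatures go out.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair for rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a server challenge. userVerified stands in for the biometric or
// PIN check (an assumption of this example); without it the key is not touched.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; key not released")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no key registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest binds the signed value to the relying party, so a challenge
// obtained from one site cannot be relayed to a different site's key.
func signedDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty models the server. It stores public keys only, so a dump of its
// database gives an attacker nothing to log in with.
type RelyingParty struct {
	id      string
	pubKeys map[string]*ecdsa.PublicKey // username -> registered public key
	pending map[string][]byte           // username -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public key received during first use of the app.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce; one is outstanding per user.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so a captured response cannot be replayed at a later login.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	c, okc := rp.pending[user]
	if !ok || !okc {
		return false
	}
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedDigest(rp.id, c), sig)
}

func main() {
	dev := NewAuthenticator()
	rp := NewRelyingParty("paypal.example") // hypothetical relying-party ID
	pub, err := dev.Register(rp.id)
	if err != nil {
		panic(err)
	}
	rp.Enroll("alice", pub) // first run of the app: only the public key is sent

	c, _ := rp.Challenge("alice")
	sig, err := dev.Sign(rp.id, c, true) // fingerprint swipe releases the key
	if err != nil {
		panic(err)
	}
	fmt.Println("login verified:", rp.Verify("alice", sig))
	fmt.Println("same response replayed:", rp.Verify("alice", sig))
}
```

The server side never sees a secret: `RelyingParty` holds public keys and short-lived challenges, and `Verify` deletes the challenge before checking the signature, which is what makes a replayed response fail. If you adapt this, keep the per-relying-party key separation in `Authenticator`, since it is what stops one service’s registration from being used to log in to another.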
The partnership with PayPal and Samsung is just the first of many that could dramatically change how people log in to networks or websites, pay for products, and secure transactions.
In fact, Nok Nok Labs and nearly 130 other companies including Google, PayPal, Microsoft, Lenovo, and Visa are trying to create a new security standard they believe will be easy to use and strong enough to protect people and businesses now and for years to come. [An earlier version of this story said there were 160 members of the alliance.]
The name of the group is the FIDO Alliance, which is short for “Fast Identity Online.” The nonprofit was founded in 2012 and released its first draft standards to the public last February.
FIDO has pretty ambitious goals, Dunkelberger said. In his words, the alliance wants “to make a stronger, easy-to-use authenticator for the masses” that doesn’t sacrifice security or convenience. It also should help developers and security pros cut development costs and get rid of user ID and password databases.
The standard also will be compatible with new hardware like heartbeat monitors or USB keys as they come online, Dunkelberger said.