The Continuum of Authentication and Biometrics
Posted April 2, 2018
In this episode Armen is joined by Phil Dunkelberger, President and CEO of Nok Nok Labs. They discuss how authentication and biometrics are changing our world.
Armen: Hello, and welcome to this edition of Digital Identity 360. I’m here today with a very interesting guest, Phil Dunkelberger, President and CEO of Nok Nok Labs. Phil, welcome to the show.
Phil: Great to be here.
Armen: Can I call you Dunk?
Phil: Yes, please do.
Armen: All right, good. Phil is a valley legend and has been involved in many, many transactions and many interesting businesses. Phil has a very interesting perspective from where he’s been and where he is right now at Nok Nok Labs on what I would call a really important discussion on this continuum. If you think about authentication in the broad sense, and on one end of the spectrum you’ve got risk-based authentication, and on the other end of the spectrum you’ve got strong authentication. It’s not a binary world, right? As we talked about sort of leading up to this discussion, not all forms of authentication are created equal depending upon the scenario and the use case and the need. And so I thought it would be a good conversation for us to have, and we can riff on it from there on this show. But let’s just start there. What are your thoughts when you think about that continuum? How do you think about the continuum first of all?
Phil: I think that the continuum really starts with signaling. I think that the internet and the people on the internet, the old question is how do you know who’s at the end? Is it a dog? Who is sitting at the end of the internet? The internet was never really designed to do the commerce and things that we’re trying to do with it today, it was designed to be a research tool, if you go back to its inception in DARPA. When I looked at the signaling capability back to that context, we’re using a 50-year-old idea still that is the market leader in authentication, which is user names and passwords. Or nothing at all. Today we’ve got so many transactions that fall in, everything from your fantasy football leagues locking in, or at the time we’re doing this interview, March Madness. Or how’s your bracket doing? How important is that data to you versus your finances? Versus your banking data, your medical records? I said probably 10 years ago when I was the CEO of PGP, “Why do people need to protect data? Because data is becoming a currency.” And today there is no doubt it’s a currency. If your data is currency, and what we’re really trying to ultimately do is protect data, the continuum that begins on the back end of any transaction married with the front end is now all about how do we minimize risk and actually increase security? With one other really valuable piece, today it’s got to be easier to use because 13 character uppercase, lowercase, special characters on a phone isn’t going to get it done from a strong auth capability. Changing your password every 30 days isn’t going to get you there.
Armen: There’s a time and place for everything and I think it really comes down to use cases, if we can sort of use that dorky word if you will. You know, you’ve got to be very mindful if you look at the authentication need from the customer or the consumer perspective back. To your point, if I’m sitting in a car and I’ve got a mobile device and I need to check my email at a stop sign I don’t want to have to deal with a 13 character uppercase, lowercase, special character password. There’s got to be a better way to manage it, right?
Armen: So how do you think about these sort of use case centric decisions on authentication?
Phil: Well you know you bring up an interesting one that’s going to morph again. You’re sitting in a car and very soon the cars are going to have to authenticate. It’s going to be a really big deal about who’s in the car is going to have to authenticate to the car, the car is going to have to authenticate to the network, etc. As we move to IoT in device authentication, and you still have the human overlay, you’re going to have to think about it even differently again coming that fast. So use cases, back to your point, I think if you keep with the idea of a continuum, the idea that you can use a very, very simple user name or password for something that isn’t very valuable in your head on one side of the ledger. If you move to the other side of the ledger and say, “I need something more secure, more complicated, more heavy duty for other types.” Then you get into the whole idea of, “Well, what if we could do biometrics?” Since the rise of biometrics the last few years. Apple popularizing fingerprints. But now we’ve got selfie pay, pay by voice. You’ve got the whole Face ID thing that just came out in the 10 in the Apple line. Samsung’s capability they bring in the nine. But even further afield from that you’ve got the new shiny penny of behavioral biometrics. You know, “When I swipe left to right how much pressure do I use? How do I hold the phone?” If you really talk to end users they don’t care about any of that, they just want it to be secure and they want it to be easy. You go to the back end and the IT guys, you know their constituency is, “We need to be able to put this on any device, any transaction, any application, any operating system.” It’s got to be global in your thoughts. Then you step to a different group of people, the security people who want it to be rock solid, ironclad no matter what the transaction is. Depending on the constituency it’s going to change the use case. I’ll give you a good example of that.
Today, a lot of people are kicking the tires around strong authentication. Their idea of strong auth used to be something you know and something you have. We’ve morphed that now with biometrics also something you are. And then you’ve got this whole hacker community who’s figured out, “I can emulate all those things in software. So I can head fake everybody and still think it’s an end user with a device talking to a set of services trying to get capability.” The real cool piece is that when you start doing things like mirroring strong back end algorithmic types of things with things that, for instance, ThreatMetrix has pioneered in the market and is a leader in with device reputation, authentication, a big strong global data view of this device. Where it’s been and what it’s doing.
Armen: A broader digital identity?
Phil: An extremely broader digital identity, and then you extend that one more step to the users themselves. That’s when you get this idea of a strong three-way bind. Person, device, services. In the world today I think we’re past the idea of there being consumers, and departmental guys, and enterprise guys. There’s just people looking for services.
Armen: It’s all homogenized, really.
Phil: It really is.
Armen: Yeah, I think you’re absolutely right. I mean, my behavior as a consumer versus my behavior as an employee of ThreatMetrix, how I interact with technology is all very much the same. And my needs are converging, and the day parts are starting to merge, and so yeah I think you’re absolutely right. Going back to something you said, though. I mean you brought up the point of signals, and you think about these different forms of authentication, these different use cases, different applications. But ultimately these are signals. There’s biometric signals, there’s behavioral signals, there’s data signals. Ultimately if you look at these various touchpoints as signals in a continuum, or signals in a graph that can be applied depending upon the situation. If there’s equal levels of trust in all of them, that sort of triangulation of who I am, or who I know, or what I know and what is my identity? Does that provide enough of a menu of options for developers of applications to choose from? To sort of converge upon the right combination of signals to deliver the right authentication experience?
Phil: Well I think if you look at the ability to look at a series of medium level signals combined give you one set of stronger signals because of the multiplier effect of those signals. I think if you define it as implied signals, “This is what I think this person is. This is what I think we know about this person about their device.” With explicit, this is a person making a statement about who they are. You know I can see something more about their claims. Really it’s all about claims at the end of the day, what you can prove. If you have a combination of weak signals, username and password is a very weak signal as an example, a lot of people think that’s a strong signal but in reality it’s one of many kind of weaker signals. To do step-up authentication as an example into something stronger. You know some kind of proof, you know hardware token or software token, all the way up to a biometric. And within those they all have trade-offs for usability. I think that what you finally have for the development community is not only, “What is it that I’m trying to provide as a service? What by regulatory environment or by fiat do I have to include security-wise? And now I have security trade-offs and signals that I didn’t have before as a very, very good option for them.”
Armen: I think that’s well put. When I think about just my experience as a mobile device user for … you know I worked for a large company before coming to ThreatMetrix and they imposed an MDM solution on everyone’s mobile device and it became very onerous to use and were it not for thumbprint recognition it would have been very difficult to do my job efficiently. It would have been very disruptive. To your point though, thumbprints can be mimicked or I could be spoofed, right? In that particular use case, for me to sort of re-unlock my phone, yep, used the thumbprint, that worked fine. I think combining that with other forms of authentication, I would occasionally get stepped up, right? It was a little inconvenient but I guess, you know, put in the wrong hands … I kind of felt good about that. I could deal with the inconvenience. But where do you see this moving? There’s still some inconvenient experience for consumers with good intentions from the developer community. Ultimately where do you see this heading if you were to project forward five years?
Phil: Well I think you’re going to see, and we’re already seeing it, where there is the idea of a password-less world is already on us. Almost all the major vendors creates a bad thing, stolen credentials are 91% plus of the beginnings of data breaches and how they all begin. There’s a real reason to solve this problem. There’s another reason coming, most of the people coming up today are very, very comfortable with computers. The Millennial group that are going to be the next big wage earners and spenders in the world, those folks want a seamless transaction capability. If I had to look out five years, and I think it’s going to take at least five years to see the ends of passwords as an inconvenience, not a convenience. I think you’re going to see the rise of biometrics but I think you’re going to see those coupled with things like the ability to do a combinatory piece that we just talked about. The bigger piece I think really you’re going to see is things like silent enrollment, something that we do in our product where you can silently enroll people. You can kind of use what’s on the device that you find there from a different type of tokenization or capability you already find. The idea that users are going to be able to have an experience that makes it really super easy to use, but underneath it’s really, really secure. Something we didn’t worry about in the past, we thought the back end could take care of all of it and the front end was left to algorithmic, and user names and passwords were a little more complicated. That isn’t going to fly. I think that you’re going to see if you go in regions of the world today, Japan who is very, very comfortable with biometrics, is already moving that way in a big way. We have a company in our portfolio that has 180 devices, 700 applications, all of it biometric based, or secure PIN based.
And the applications run the gamut from moving money and doing payments to scheduling work people, to getting help over the phone through an IVR. All of those are things that are already fully integrated for those 180 devices and 700 apps in their service environment.
Armen: What are some of the interesting developments that you’re seeing? We talked about a password-less world and how there’s some very big tech companies out there sort of beating that drum. What other innovations are you seeing right now? Again, when we think about this continuum of signals along the spectrum, any other techniques that you’re seeing? I think the biometrics examples you gave are interesting.
Phil: Yeah, you see biometrics, you see wearables. There’s a big, big idea of wearables. I think one of the really neat things we saw in a big global environment, it had call centers. Something that everybody never hopes they have to deal with, but you do every day at some point. You know, getting service. What they saw was a win for both their employees and a win for their consumer customers. It was a really neat application where the person walks up with his phone and he or she wants to enter the building and the phone, machine-to-machine, unlocks the front door. The moment that they unlock the front door it sends a signal in the call center to where they’re going to work that day. And they get a text message saying, “Hey, you’re in section three, cubicle one, working with Scotland today.” And all of a sudden you go to your workstation and all of your tools are loaded. You get up and leave, it logs you out automatically. You go down to the cafeteria, payments are done automatically with your phone in your pocket. This is a place where you’ve literally gone and done your whole day, and when you leave the building at night it locks you out of everything and updates all the files. Think about how cool that is. You never once touched a keyboard to do anything for authentication. It automatically, using both machine-to-machine auth and person-to-machine auth, that combinatory capability where you never had to log into anything and log out, your devices just did it and knew it was you.
Armen: Yeah. Wearables are important. I mean, as a consumer I got an Apple Watch recently and my hope in doing that is I would rely less on having to pull my phone out of my back pocket. I think that’s largely played out. I think this has become more than a convenience, it’s actually sort of altered how I interact with technology in a positive way I would suspect. I think that scenario you played out is actually a very, very good example. What about scenarios where, I’ve got young children at home, devices are shared? I’ve got iPads that I use for work, my kids might take it over sometimes and try to launch their games. In that world, given those scenarios, how can the device itself with biometrics, how can you authenticate that it’s actually someone? I guess you gave that example of gestures and patterns, pressures.
Phil: You can do behavioral capability, you can essentially register the different biometrics where it creates a different underlying key structure that the old parlance and encryption of building a key ring on the device, and only the people with the right keys swiping their finger, or taking a selfie, each one of those keys can be developed for the device or kiosk in the real world of not just home sharing computers. How do you stop friendly fraud? You know, somebody using your device? You do that by the ability to set up who the real users are on a key ring. These are the kind of standards for instance, that both companies that we work for share this idea of Fast Identity Online, or the FIDO movement, that is supported by over 400 different products in the marketplace today, and over 300 plus companies have been part of building that standard. You see the industry trying to solve the problem for some of these sets. I think one of the really rich opportunities is you’re talking about in the future is the capability that once we have better options, as you said earlier, as developers and providers of tech to provide these creative solutions. I’m always amazed that when customers or consumers of this know what they can do with it. Think about the ability to send targeted, positive ads or services to people that might need it. Think of the fact that in the future you do not want to have to go through what you go through to get your medical records moved today. If you’ve got somebody in a dire situation you want as fast, and quick, and secure as possible to move medical records from point A to point B. Insurance. You want to fill out the 500th form? Or do you want to swipe your finger three times and they’re done automatically for you? These are the ideas of just fewer keystrokes, more interactivity, better information at the point of need when you need it versus spending a lot of time doing authentication.
Armen: Yeah, and I’m just reflecting back on some of the early conversation I think. You know the biometrics certainly play a role as far as user experience and needs of user interaction. On its own though, it might not be entirely appropriate to do a full authentication but a very good signal. The device itself certainly serves a role. Maybe it’s a little inconvenient at times, but where you’ve got wearables that’s I think taking a lot of that inconvenience and awkwardness out of the equation. Yeah, combining it with that third factor, if you will, or that third data of the amass, the crowdsourced identity from your digital experiences across the consumer web. Somewhere in that triangulation there’s enough positive signals to present a complete picture?
Phil: As we’ve talked about, you and I, on the lead up to this we’ve got to get off of really thinking about risk signals anymore. These are the risk signals we’re trying to interpret. Let’s go look for assurance signals. How do I know these are the people doing the things they say they want to do when they’re doing it? And that’s just talking in a fraud mode. Let’s talk about all the other things because I think we tend to look at, in a positive way, dollars and cents, “How am I not being fraudulently ripped off, increasing costs, etc.?” But at the same time look at all the other things that we’ve talked about you can do when you’re not every time you want to do something having to type characters in or have the device not be mimicked in software, etc.? Where you can go about doing things naturally, interactively versus having to let the machine become an opposition to you getting your work, or getting your personal stuff done.
Armen: Yeah, if you operate under the premise here at ThreatMetrix of the vast amount of transactions we see, at the end of the day 92% or more are trustworthy, right? It’s those edge cases that are either questionable or known to be sort of fraudulent. But for the vast majority of consumers, conducting the vast majority of transactions, you want to minimize any friction possible to make it as ambient as possible. And some of these techniques that we’ve talked about certainly are ambient and not invasive. And flipping it around, how do you provide the best experience possible? Because you want to keep out the fraudsters from doing bad things, but for the known good consumers, the 92% or more, those transactions, how do you want to make it a positive experience so they come back and do more business with you if you’re a merchant? Or interact with you more if you’re a financial institution? Or you get the picture, right?
Phil: Yeah, and it goes full circle back to you providing goods and services. It’s funny, the question that really intrigued me years ago, when we were PGP we’d get asked a lot, “How do we do strong auth before you encrypt? How do we do auth before you encrypt? Is it username and password? What’s the difference between a pass phrase versus a password?” The whole idea of the future that people are looking at with technologies like blockchain that don’t readily have any type of real authentication mechanism to them. They’re going to go build a lot of business structure on top of something that does not have the ability to authenticate strongly to it? I’d worry about that if I was journaling and having partners journal. That’s an interesting challenge. You know I get a lot of questions like, “Why did you name it Nok Nok?” And we went through a lot of naming your background in marketing how you do that. Really what the whole premise of Nok Nok Labs was, was when you say “Knock, knock.” What do you say back?
Armen: Who’s there?
Phil: Exactly. And I go back to the question that I had to the people that were involved in coming up with the stuff we’ve been working on was, “How will it change the way we do business with people if we did actually know it wasn’t a dog on the internet?” It was actually a person who we knew before, who had these kind of services already, or it was somebody that was a patient in our clinic that needed this kind of information transmitted or federated out to people like the drug group. You know, we’ve got an opioid crisis in this country because of drugs flowing freely in and out, when in reality if you had people and it’s strongly authenticated on both sides of that transaction who were taking the drugs and putting them to the people, and the people were receiving the, you’d probably have a pretty good marker to slow those transactions down. And there is no perfect security. Anybody who says that really hasn’t spent a lot of time in security. You know, the people saying it’s military grade? Military grade, there’s a lot of what that really means in encryption and other things. But I think the fundamentals come back to, we as vendors owe the users and our companies that use our products both the idea that security doesn’t have to be limiting anymore, it can be enriching actually, if we come up and innovate in and around the security solutions we provide. I think that our partnership and other things that we’ve been able to do and look at are evidence of the industry trying to do the right thing. Not just saying, “Hey, let’s not do the right thing anymore and just leave it up to user names and passwords always.”
Armen: Yeah, we talked about ecosystems in the minutes leading up to this episode. I very much believe like most great industries there’s an ecosystem that must be formed, and some great partnerships that must exist in complementary technologies. That’s very much how I see this playing out, this goes back to this continuum discussion that we started with is not all signals are created equal and these cases define that. And there’s certainly best-in-class providers along that spectrum to deliver the insights that are needed to drive the right level of authentication for the right moment in time.
Phil: And to your point on that, not one company can do this. Not today anyway.
Armen: Maybe there shouldn’t be one company that does do it, right?
Phil: Well, the responsibility and risk that goes with that, I don’t think that any one company is going to own the operating system, and the hardware, and all the pieces. What you want is people that can work together and see everything from the silicon that it’s based on, all the way up to now the cloud and beyond. All these devices and people working together. When you’re thinking 20 to 50 billion devices and people interacting soon you’ve got to do it a better way than we’ve been doing it. You know it scaled back when it was departmental computing, or remote computing, or enterprise computing. When we started getting into cloud computing you know, let’s take the data center and multiply it by X, let’s take the applications, multiply them by Y, let’s take the users, multiply them by Z, and we had a hot mess. I think today what we’ve got to do is say, “Can we provide you guys innovation wise with a better set of solutions?”
Armen: Yeah. I loved when we talked last week your zoo versus jungle metaphor. There are equally dangerous creatures in both environments, but generally you’re not going to get killed in a zoo. But you could get killed in the jungle, right?
Phil: Yeah, I think it goes back to that metaphor. Really comes back to today, you really don’t know who you’re interacting with many, many times. So much is provided, I think of the challenges facing governments today and the cyber problems we’ve got at the government level. The U.S. government is one when it comes to using technology to secure technology and the challenges they have. Who are all these constituents? And if you’re global it used to be you couldn’t shop online globally. Today, shop anywhere in the world, get stuff shipped anywhere in the world. But you really want to know who you’re doing business with. Is this really the company that I’m buying from? Is it really the shipping company that’s supposed to be shipping me something? Is this package the right package even to me? It says to me, but is it something I ordered? If it’s not, let’s not think of all the bad things that could be in the package, let’s just think it’s somebody else’s product and you’re going to spend an hour and a half of your life trying to send that product back to somebody that you didn’t order it from. There’s only two things people really manage in their lives, time and activities. What I really hope that we can do is lessen the amount of activities and time it takes to get the stuff online that we need and want in the time frames we need it in. If you’re going to have to go in the jungle, because it is a jungle it’s really not a zoo, it’s still not well ordered. You know you go into a data center and you see everything labeled in a really good one, and the racks are all set right. That’s not the way the internet works today. You don’t really see all of that infrastructure. You just hope that when you make that transaction it’s okay.
Armen: It just all works.
Phil: Yeah, and that’s what you hope it always will be.
Armen: Yep, very well put. Well, this has been great, Phil. I really appreciate your insights. Great to kind of riff on the current state of authentication and what that might hold for the future. You heard it here on Digital Identity 360. Phil, thanks so much for your time, really appreciate it.
Armen: Good discussion.
Phil: Thank you. Appreciate it.
Armen: All right. Thanks.