Retail networks are prime targets because they typically house a great deal of personal information about cardholders, such as e-mail addresses and phone numbers, he adds. And because most online users reuse common usernames and passwords across numerous e-commerce sites, once those credentials are compromised, attackers have access to an array of accounts, Dunkelberger explains.
"Attackers choose the path of least resistance," he says. "Password reuse is common ... and third parties often hold many credentials in a centralized database, which makes them easy to steal."
To enhance online security, the industry has to retire usernames and passwords, Dunkelberger says. And that is where the FIDO authentication protocol comes in.
FIDO, which stands for Fast IDentity Online, is a global non-profit organization focused on stronger authentication. The FIDO protocol, which is expected to be issued later this year, will support any device, including a wide variety of mobile hardware, Dunkelberger says.
"The FIDO protocol gives you a way to define how you want authenticate a user," with multiple biometrics as well as a public-private key exchange.
"You have to have both the public key and the private key to authenticate," he says. And with the biometric piece, authentication requires three parts, Dunkelberger says. "It's really about making it harder for the attacker," he explains.
Role of Mobile
Mobile is an integral piece of FIDO's initiative, says Marc Briceno, senior director of products for Nok Nok Labs, who also participated in the interview. Through a program called Mobile Connect, banking institutions can literally connect through FIDO's standardized authentication protocol to authenticate users via multiple mobile devices and platforms, he says.
Dunkelberger says Mobile Connect is just another way FIDO is helping organizations move beyond simple-credential-based authentication.
During this interview, Dunkelberger and Briceno discuss:
- FIDO's multiyear vision;
- The alliance's growing membership and key announcements from Samsung and PayPal, which are expected to help accelerate adoption of the FIDO protocol; and
- Why the timing is right for a new authentication protocol that relies on true multifactor authentication beyond usernames and passwords.
Prior to joining Nok Nok Labs, Dunkelberger served as co-founder and CEO of PGP Corp., an enterprise data protection provider that was acquired by Symantec in 2010. Before PGP, Dunkelberger was an Entrepreneur-in-Residence at Doll Capital Management, president and CEO of Embark, and served as chief operating officer of Vantive Corp.