How Nok Nok Labs’ New Risk Engine Strengthens FIDO Authentication for Mobile Users

As mobile devices become the primary gateway to online services, ensuring secure user authentication has never been more critical. Nok Nok Labs, a key player in the Nok Nok Labs ecosystem, has introduced a risk engine designed to bolster the FIDO authentication framework. This move addresses the growing threat of mobile fraud, a challenge that intensifies as smartphones double as both access points and second-factor authentication tools. By integrating risk-based analysis, the company aims to make FIDO authentication not just convenient but also adaptive to evolving security threats.

What Is the FIDO Authentication Risk Engine?

The FIDO (Fast IDentity Online) standard, backed by the FIDO Alliance, provides a robust method for verifying users to web service providers. Nok Nok Labs’ authentication server already enables FIDO-compliant applications, but the new risk engine adds a layer of intelligence. It evaluates multiple risk signals before granting access, ensuring that authentication decisions are context-aware. This approach is particularly vital for mobile environments, where device sharing, location spoofing, and tampering are common risks.

Building on the FIDO Alliance’s momentum—now with over 250 supporters—Nok Nok Labs’ risk engine calculates a risk score based on real-time data. This score determines whether to proceed with authentication or flag suspicious activity. For example, if a user’s device suddenly appears in a distant location within minutes, the engine can block access, preventing credential theft.

Key Risk Signals in the Engine

The risk engine analyzes several factors to assess authentication requests. These signals work together to create a comprehensive security profile for each transaction.

Geolocation and Travel Speed

One critical check is geolocation: is the device in an expected area? Coupled with a travel speed analysis, the engine verifies that the current request aligns with the user’s last known location. This helps detect device spoofing by attackers operating from remote regions.

Device Sharing and Multiple Device Checks

Another signal examines whether a device is shared among users. If a device is registered as non-shared, only one user should access it. Similarly, the engine monitors the number of devices used for a given service; a sudden spike may indicate unauthorized access.

Furthermore, the engine includes friendly fraud prevention, which requires a user-specific biometric—like a fingerprint or facial scan—to activate a shared device. This ensures that even if multiple people use the same phone, only the authorized user can authenticate.

Device Health Check

Device health is also assessed: is the device configured as expected, and are there signs of tampering? A compromised device, such as one with a jailbroken OS, can be flagged, adding another layer of security to the FIDO authentication risk engine.

Why Mobile Fraud Requires Stronger Authentication

Mobile fraud is on the rise as cybercriminals target smartphones for their dual role as both access tools and authentication factors. The risk engine addresses this by providing a seamless experience similar to single-sign-on (SSO) for consumers. However, the real benefit of FIDO lies in its ease of deployment for web service providers. Pre-built solutions like the Nok Nok Authentication Server simplify implementation, and the risk engine makes authentication stronger than ever.

In August 2016, the European Banking Authority (EBA) released draft regulatory technical standards (RTS) on strong customer authentication. The FIDO Alliance lobbied the European Commission, advocating for flexibility in fraud scenarios and the use of mobile devices as authentication elements. The new risk engine aligns with these requirements, enabling payment service providers to adapt to evolving threats while mitigating risks from compromised devices.

Adoption Challenges and Market Outlook

Despite the technical advances, adoption remains a hurdle. Nok Nok Labs reports that business is strong, but pilot projects are taking longer than anticipated. The company is turning to system integrators to spread awareness and drive FIDO adoption. Web service providers often express a desire for better security, but translating that into action requires tools that are both effective and easy to deploy.

For more insights on authentication trends, explore our guide on multi-factor authentication best practices. Additionally, learn how risk-based authentication strategies can complement FIDO standards. As the digital landscape evolves, solutions like the Nok Nok risk engine represent a critical step toward smarter, more secure user verification.