How Nok Nok Labs’ New Risk Engine Strengthens FIDO Authentication for Mobile Users

As mobile devices become the primary gateway to online services, ensuring secure user authentication has never been more critical. Nok Nok Labs, a key player in the Nok Nok Labs ecosystem, has introduced a risk engine designed to bolster the FIDO authentication framework. This move addresses the growing threat of mobile fraud, a challenge that intensifies as smartphones double as both access points and second-factor authentication tools. By integrating risk-based analysis, the company aims to make FIDO authentication not just convenient but also adaptive to evolving security threats.

What Is the FIDO Authentication Risk Engine?

The FIDO (Fast IDentity Online) standard, backed by the FIDO Alliance, provides a robust method for verifying users to web service providers. Nok Nok Labs’ authentication server already enables FIDO-compliant applications, but the new risk engine adds a layer of intelligence. It evaluates multiple risk signals before granting access, ensuring that authentication decisions are context-aware. This approach is particularly vital for mobile environments, where device sharing, location spoofing, and tampering are common risks.

Building on the FIDO Alliance’s momentum—now with over 250 supporters—Nok Nok Labs’ risk engine calculates a risk score based on real-time data. This score determines whether to proceed with authentication or flag suspicious activity. For example, if a user’s device suddenly appears in a distant location within minutes, the engine can block access, preventing credential theft.

Key Risk Signals in the Engine

The risk engine analyzes several factors to assess authentication requests. These signals work together to create a comprehensive security profile for each transaction.

Geolocation and Travel Speed

One critical check is geolocation: is the device in an expected area? Coupled with a travel speed analysis, the engine verifies that the current request aligns with the user’s last known location. This helps detect device spoofing by attackers operating from remote regions.

Device Sharing and Multiple Device Checks

Another signal examines whether a device is shared among users. If a device is registered as non-shared, only one user should access it. Similarly, the engine monitors the number of devices used for a given service; a sudden spike may indicate unauthorized access.

Furthermore, the engine includes friendly fraud prevention, which requires a user-specific biometric—like a fingerprint or facial scan—to activate a shared device. This ensures that even if multiple people use the same phone, only the authorized user can authenticate.

Device Health Check

Device health is also assessed: is the device configured as expected, and are there signs of tampering? A compromised device, such as one with a jailbroken OS, can be flagged, adding another layer of security to the FIDO authentication risk engine.

Why Mobile Fraud Requires Stronger Authentication

Mobile fraud is on the rise as cybercriminals target smartphones for their dual role as both access tools and authentication factors. The risk engine addresses this by providing a seamless experience similar to single-sign-on (SSO) for consumers. However, the real benefit of FIDO lies in its ease of deployment for web service providers. Pre-built solutions like the Nok Nok Authentication Server simplify implementation, and the risk engine makes authentication stronger than ever.

In August 2016, the European Banking Authority (EBA) released draft regulatory technical standards (RTS) on strong customer authentication. The FIDO Alliance lobbied the European Commission, advocating for flexibility in fraud scenarios and the use of mobile devices as authentication elements. The new risk engine aligns with these requirements, enabling payment service providers to adapt to evolving threats while mitigating risks from compromised devices.

Adoption Challenges and Market Outlook

Despite the technical advances, adoption remains a hurdle. Nok Nok Labs reports that business is strong, but pilot projects are taking longer than anticipated. The company is turning to system integrators to spread awareness and drive FIDO adoption. Web service providers often express a desire for better security, but translating that into action requires tools that are both effective and easy to deploy.

For more insights on authentication trends, explore our guide on multi-factor authentication best practices. Additionally, learn how risk-based authentication strategies can complement FIDO standards. As the digital landscape evolves, solutions like the Nok Nok risk engine represent a critical step toward smarter, more secure user verification.

Biometrics in Security: The Cutting-Edge Promise and the Hurdles We Still Face

The security industry has long hailed biometrics in security as the next great leap forward. Fingerprint scans, iris recognition, and voice authentication promise a world where passwords become relics of a less secure past. Yet, despite the buzz and a wave of early adoption by major banks and retailers, the technology remains far from mainstream. Why is something so promising still struggling to gain universal trust and reliability?

The Current State of Biometric Authentication

In recent months, high-street names like Barclays have introduced voice recognition and fingerprint scanning to bolster their security strategies. This shift reflects a growing consensus: passwords alone are no longer enough. Two-factor authentication is now a baseline requirement, and biometrics in security seems like the natural next step. However, public sentiment tells a different story. Research indicates that a significant portion of the population remains skeptical, lacking trust in biometric systems. This hesitation stems from concerns about privacy, accuracy, and the potential for misuse.

Why Biometrics Hasn’t Taken Over Yet

Biometric authentication challenges are more complex than they first appear. According to David Baker, chief security officer at Okta, the technology has been the holy grail of security since 2002. It taps into three core factors: what you know (a password), what you have (a device), and what you are (your unique biological traits). Baker explains that while fingerprints have become common for phone unlocking, more advanced methods like iris scans and gesture recognition remain difficult to implement reliably.

One surprising obstacle is that biometrics can be affected by external factors. Body temperature after a workout, for instance, can cause a fingerprint scanner to fail. Baker notes that such failures occur roughly one in ten times. This unreliability is a critical flaw for systems that demand consistent access. If a user cannot log into a critical system when needed, the technology becomes a liability rather than an asset.

Environmental and Practical Hurdles

Another layer of difficulty involves real-world conditions. Iris scanning requires precise lighting and distance. Voice recognition struggles in noisy public spaces. These biometric authentication challenges mean that, for now, the technology works best in controlled environments. Until these issues are resolved, widespread adoption in busy settings—like airports, offices, or retail stores—remains unlikely.

The Reliability Factor: A Make-or-Break Issue

For any security measure, reliability is non-negotiable. Baker emphasizes that the real challenge is creating a system that works every time, regardless of environment or user condition. A one-in-ten failure rate is simply too high for mission-critical applications. This is why many organizations still rely on traditional passwords as a fallback, even when biometric options are available. The security industry innovation needed to overcome this gap is substantial, but progress is being made. Companies like Okta are investing heavily in improving sensor accuracy and algorithmic resilience.

Interestingly, the same technology that makes biometrics so personal also makes them vulnerable. Unlike a password, you cannot change your fingerprint or iris pattern if it is compromised. This permanence creates a unique security risk that the industry must address. For more on how businesses can prepare for next-generation authentication, check out our guide on multi-factor authentication strategies.

What Needs to Change for Widespread Adoption

So, what will it take for biometrics in security to become the norm? First, the technology must achieve near-perfect reliability. This means better sensors, smarter software, and robust fallback mechanisms. Second, public trust needs to be rebuilt through transparency and strong data protection. Users must feel confident that their biometric data is stored securely and not shared without consent. Third, standardisation across devices and platforms is essential. Currently, a fingerprint scanner on one phone may not work with another, creating fragmentation.

Baker remains optimistic: “But we’re proactively working on it, and yes, [eventually] it will replace username and passwords.” This vision aligns with broader trends in digital identity management, where convenience and security must coexist. The journey may be slower than enthusiasts hoped, but the destination is clear.

Conclusion: A Gradual Shift, Not an Overnight Revolution

Biometrics holds immense potential for reshaping how we authenticate our identities. Yet, the path to mass adoption is paved with technical, environmental, and trust-related hurdles. The security industry must address these biometric authentication challenges head-on, prioritising reliability and user confidence above all else. As technology improves and public awareness grows, we will likely see a gradual shift—not a sudden takeover. For now, the password may still have a few years left, but its days are certainly numbered.

How to Hire and Get Hired in Information Security: Expert Advice from (ISC)2 Congress

Imagine walking into a conference session, only to realize within minutes that you’ve chosen the wrong track. That happened to me at the (ISC)2 Congress in Orlando, Florida, when I attended a session titled ‘Hackers Hacking Hackers.’ Initially disappointed, I quickly discovered that the presentation—led by Tim O’Brien from Xerox Equipment and Megan Wu from Rapid7—offered invaluable insights on how to hire in information security and how to get hired in cybersecurity. Despite a lack of chemistry between the speakers, the content was rich with practical advice for both hiring managers and job seekers.

Reevaluating Expectations in Cybersecurity Hiring

The first opportunity for improvement, according to O’Brien and Wu, revolves around expectations. The industry often creates a category of talent it will never hire, overlooking many qualified candidates simply because their resumes lack specific keywords. As O’Brien noted, “We need to readjust our expectations as hiring managers. Start considering what we need versus what we want. Don’t demand skills or qualifications just because—look at the particular role and what it actually needs. Is having a degree or a certification truly important, or is it just what HR is demanding?”

On the flip side, Wu emphasized that candidates must also set realistic expectations. “Even though there’s a skills gap, even though hackers are in short supply, they need to have realistic expectations. Have a list of things you want, and think about what you’d be willing to trade for if it’s not possible. Just because there is an apparent skills gap, we’re not owed anything, so don’t feel entitled.” This balanced approach is crucial for successful information security hiring.

Mastering the Application Process

During the application process, preparation is key for both sides. O’Brien stressed that hiring managers are responsible for nurturing talent for the industry, not just their organization. He advised looking internally and at past applicants, working with marketing to find people interested in your technology, and attending industry events to network. Ensuring your HR department sets the right tone and expectations is also critical.

For candidates, Wu recommended hacking your resume to make it relevant without stretching the truth. “Be careful of buzzword bingo,” she warned. “Use a unique filename for your resume to distinguish yourself. If you use a template, sanitize the metadata.” She also urged applicants to always supply a cover letter explaining why they want the role and why they’d be a good fit. “People that write cover letters will always be the first to get an interview,” she added.

Additionally, candidates can make themselves desirable by getting involved with the community and attending events. “Get your name out there and make yourself more interesting to a hiring manager,” Wu said. She also advised doing due diligence when job hunting: “Research the different types of recruiters and avoid the agencies that just want to fill body quotas. Research the good ones and build relationships.” For more tips on networking, check out our guide on cybersecurity networking strategies.

Acing the Interview: Strategies for Both Sides

Pre-interview, it’s essential for managers to work out relevant questions. O’Brien cautioned against “stump the monkey” questions, which put good candidates off. Instead, he advised focusing on how a candidate tries to mitigate threats, risks, and vulnerabilities. “Avoid closed-ended questions, and use exploratory conversations instead. Quit passing judgment, and stop with the concerns about job-hopping or contract roles—it shouldn’t necessarily be a bad reflection on the individual. Being unemployed doesn’t make a candidate unemployable: don’t discriminate, put aside bias, and listen to the reason.”

O’Brien highlighted key qualities to look for: passion, willingness to learn, and ability to fail well. “Everything else can be learned,” he said. “Use a scoring system to eliminate bias, and remember that diversity in a team is a good thing.” For candidates, Wu recommended observing the company’s dress code and taking it up a notch. “Make sure the stories you tell in the interview are relevant, and have questions ready for the hiring manager. Think of something interesting to ask that will leave a lasting impression.” She also advised going away and researching answers to any questions you didn’t know, then emailing them to the hiring manager post-interview.

Post-Interview Etiquette and Decision-Making

The fourth opportunity is post-interview. For hiring managers, O’Brien recommended being fair with decision-making and using a scoring system. “Don’t leave people hanging either. Have good etiquette, provide feedback and insights for candidates—they may come back for future roles.” This approach fosters a positive reputation and encourages repeat applicants.

For candidates, Wu suggested sending a thank-you card or email to leave a lasting impression. However, she cautioned against sending social media requests. “Respect boundaries, be realistic, and don’t panic—it may take a while to hear back.” This patience and professionalism can set you apart in the competitive field of cybersecurity. For more on building a standout application, see our article on cybersecurity resume best practices.

In conclusion, whether you’re a hiring manager or a job seeker, these insights from the (ISC)2 Congress offer a roadmap to navigate the complex world of information security hiring. By adjusting expectations, preparing thoroughly, and maintaining professionalism throughout the process, both sides can find success. Ultimately, the key to hiring in infosec lies in focusing on potential, passion, and practical skills rather than rigid checklists. For additional resources, explore our comprehensive career guide for infosec professionals.