The importance of delivering secure SCA in mobile apps and browsers – interview with Nok Nok

Thursday 10 December 2020 08:51 CET | Editor: Simona Negru | Interview

Walter Beisheim, Chief Business Development Officer for Nok Nok Labs, discusses the importance of delivering consistent and secure SCA in both mobile apps and browsers

On your website, you say that ‘Nok Nok has solved the consumer authentication (a.k.a. SCA) problem’. Can you describe what that problem is, and give some examples of the companies for whom you have solved that problem? 

Three basic categories create vulnerabilities, and increase cart abandonment with legacy authentication techniques: 

  1. Shared secrets like passwords, PINs, and KYC answers are stolen by fraudsters, and forgotten by purchasers. 

  2. Attempts to overlay passwords with step-up, primarily SMS OTP, are also vulnerable to man-in-the-middle and SIM swap, and often result in cart abandonment.

  3. The lack of security in the communication channel between the merchant and the purchaser’s device to prevent fraudsters from ‘intruding’ is the third major exposure of legacy authentication.

Nok Nok’s FIDO-based solution solves these problems by replacing passwords with secure and simple authentication measures such as fingerprint and device ID. Our solution is convenient for users and complies with regulations like PSD2 SCA. This solution to the consumer authentication problem is backed by Apple, Google, Microsoft, Mastercard, and Visa, as well as other major industry participants. 

How is your solution different from the ‘legacy risk scoring solutions’? Also, what has Nok Nok done to ensure that your solution works together with 3DS and other standards (e.g. W3C)? 

Risk scoring solutions employ different forms of inference algorithms that attempt to identify the probability that an online transaction is fraudulent. For example, the system may ‘infer’ that the purchaser is who they claim to be based on their IP address, and because they hold their device, or type on their device consistent with the last transaction from that purchaser. This is a simplification, and many modern risk scoring systems are very sophisticated, but they all are still basically inference engines that generate probability. 

Nok Nok’s authentication solution generates a ‘yes/no’ indication that the purchaser has passed a strong, multi-factor authentication challenge. This indicator is returned based on a single, frictionless ‘gesture’ from the user such as touching their fingerprint sensor. If the indication returns ‘no’, the customer is asked to authenticate on one of their trusted devices. This binary approach takes much of the ‘guesswork’ out of identifying fraud. Additionally, FIDO authentication does not store any of the user’s PII on a server.

Nok Nok not only supports W3C web authentication and EMVCo 3DS standards, but we have also been a key contributor to the creation of these standards. As a result, FIDO integration with 3DS to provide Secure Customer Authentication and to facilitate Delegated Authentication by merchants is supported by EMVCo, and the W3C standard adds support for web browsers as well as mobile apps for this purpose.

Can you give some examples of how your customers are applying your solution to more than one use case, and more than one channel? 

Many of our long-term, early adopter customers were Mobile Network Operators (MNOs). They all started using Nok Nok for login auth to reduce password resets and to reduce account takeovers. From there, they have added various additional use cases such as purchase approval as a service for merchants, and access to the MNO’s customer service without requiring the subscriber to answer a dozen questions before receiving assistance. More recently, Nok Nok authentication is being used by tier one US operators in their ZenKey third-party cross-carrier identity service. 

With the introduction of the W3C standard supporting FIDO authentication in all major browsers, all of our customers have plans to add web browser authentication for phones, tablets, and PC devices to their existing mobile app delivered solutions. We have added this support without any requirement to modify the mobile app-based solution they are already using. Today, with the way that Apple, Google, and Microsoft have implemented FIDO, a user only needs to be registered once to use multiple channels on the same device.

How can banks, merchants, and PSPs evaluate and compare 3DS authentication options? 

Nok Nok has direct relationships with banks globally to deliver their comprehensive authentication solution, including payments authentication. For merchants in Europe, Mastercard has identified Netcetera as their 3DS testing partner for PSD2 compliance. Netcetera and Nok Nok have partnered to deliver a ‘3DSCA’ solution through the integration of Nok Nok’s solution with Netcetera’s 3DS services. 

What is the future for password-less SCA and how can a PSD2 SCA solution that is implemented today benefit a merchant in other areas tomorrow? 

While the ability to deliver consistent and secure SCA in both mobile apps and browsers is a game-changing capability for online merchants, the benefits do not end there. Nok Nok’s auth solution can enable a merchant to provide more customer convenience and trust in every service they deliver online. A FIDO registration can also be used as a secure and convenient method for POS transactions, ATM transactions, kiosk-delivered services, and IoT-based services. Nok Nok already delivers support for wearables possession auth on both Apple Watch and Wear OS. We also have the capability to ‘re-use’ the authentication registration created for an online service within an IoT device; for example, an entry control turnstile, or even a car share service. The future of new and innovative identity authentication applications is as close to us today as the realisation of self-driving vehicles.

As with the other authentication innovations, Nok Nok will continue to be at the forefront in delivering the benefits of real industry solutions.

This editorial was published in the Fraud Prevention in Ecommerce Report 2020/2021, the go-to source in securing transactions while offering a frictionless customer journey.

About Walter Beisheim

Mr Beisheim has over 30 years of experience as a senior executive in leading public and private companies in the Information Technology industry that provide products and services in the AI, NLP, online security, mobile technology, and fraud prevention solutions sectors. In his role as Chief Business Development Officer for Nok Nok Labs, he is responsible for business development strategy, and identifies and executes on opportunities to expand Nok Nok’s global relationships with customers and partners.

About Nok Nok

Nok Nok provides secure, scalable, and frictionless experiences for passwordless authentication, preventing fraud and security risks. By reducing the reliance on weak, phishable passwords, Nok Nok empowers organisations to improve the authentication experience, while meeting the most advanced security and regulatory requirements. Customers include cloud, mobile, and IoT businesses. For more information, visit


Keywords: Walter Beisheim, Nok Nok, SCA, authentication, KYC, risk scoring, 3DS, IDs, regulations, PSD2, fraud, FIDO, PSPs, merchants, banks, online transactions, security
Countries: World
