Nok Nok Labs | Interview with its founder & FIDO Visionary – Ramesh Kesanupalli
In Palo Alto (CA), we meet the founder and FIDO Visionary of Nok Nok Labs, Ramesh Kesanupalli. Ramesh tells the story of how he came up with the idea and founded Nok Nok Labs, explains how the current business model works, and offers some advice for young entrepreneurs.
Martin: Hi, today we are in Palo Alto with Ramesh at Nok Nok Labs. Hi Ramesh, how are you and what do you do?
Ramesh: Hi Martin, how are you doing?
Martin: Awesome. What do you do?
Ramesh: We are a company that is focused on fixing the cyber security problem. As you know, strong authentication in cyber security is still focused on user IDs and passwords. And if you look at the latest online attacks that are happening in the industry, most of them involve attacking a site, stealing a whole bunch of passwords from various users, and those passwords then being used at other sites to commit fraud in the financial and healthcare markets. And these markets are pretty security and privacy centric. If we are still relying on user IDs and passwords, we are all vulnerable, and with respect to what's happening in the industry right now: unlike the earlier days, when we were using the internet for information access, now the internet is being used for lifestyle management. And we are still trying to build our security base on user IDs and passwords, which are vulnerable; also, unlike earlier, when we used one or two accounts, nowadays we have fifteen to twenty accounts each, for work, banks, financial organizations, online sites. It is becoming very difficult to keep track of passwords, so we normally use two or three passwords to make our lives simple. But when a hacker goes to a server site and harvests a whole bunch of passwords, he will reuse them on other financial institutions, conduct transactions like you, and commit the fraud.
So what we focus on is how to do security without actually using user IDs and passwords, how to eliminate passwords. And we focus on selling servers with which we do online security without using passwords. So Nok Nok has two components to it; Nok Nok builds servers on a product called FIDO, Fast Identity Online. Fast Identity Online is an alliance, an open standards body that was also founded by me. We, Nok Nok Labs, have donated IP to the alliance. The alliance started to work in 2009, but we went public with the FIDO Alliance during the RSA conference in 2013, with six founding members in the FIDO Alliance. And today, in 2015, we are at about 260, close to 250 companies in the alliance, who actually endorse the protocols and contribute to them. So that alliance, the FIDO Alliance, is a non-profit organization. The purpose of the alliance is primarily to define the specs, and it wants the specs working with the global industry. Nok Nok is the first implementer of the protocol. There are two protocols in FIDO; one is called UAF, the other one is called U2F. Nok Nok focuses on UAF, the UAF protocol, Universal Authentication Framework. So the two entities that I was part of: the FIDO Alliance, where I was one of three founders. It was initiated by me and another gentleman named Michael Barrett, who started PayPal, and also another gentleman named Taher Elgamal, who was a professor; so we started the FIDO Alliance, and in 2011 I founded Nok Nok Labs.
Martin: Ok, interesting. And what is your background actually?
Ramesh: My background is electronics engineering, and then I came to this country working for IBM as a consultant, primarily in the cyber security space. In 1995 I started my first services company, which used to focus on taking legacy mainframe-based information systems and migrating them to internet and web technologies.
Martin: What made you become an entrepreneur?
Ramesh: Just like any other middle class family in India, I came here after my studies, and being an entrepreneur and wanting to do something unique, wanting to do something different, we just started off. I found an opportunity working in the mainframe space primarily, and in internet technology. So I found an opportunity to take some of those mainframe-based applications and move them to web-based technology; I found an opportunity, took that opportunity, and formed my first web-based company. And that company, which was a resource company, actually funded my second company, which was a product company. During those days I was also a founding member of a company which did video streaming on the web in 1998-1999; when people were doing graphics on the web, we went and did video streaming on the web. Actually, we were one of the first two companies which did that, and that company was acquired by Akamai. And then I also founded another company which did messaging on the cell phone, like emails and other stuff. So I was one of the first few guys who did email on the cell phone.
And then I joined Phoenix Technologies as a senior Vice President; during that tenure I was also a part of the city council of the federal government, advising on cyber security and stuff. And then I joined a company which was kind of struggling, called Validity Sensors, which is a fingerprinting company. I drove the company's product strategy and market strategy and tried to turn the company around, and that company became profitable in four years. That company also got acquired by Synaptics.
It was during those days that what I found was the number of online attacks that were happening, the financial fraud that was happening. And also we have interestingly moved from a PC-based community to a cell-phone-based community, where screens are much smaller, and then you want to access stuff from the cell phone, such as a touch screen; user IDs and passwords are not always good, it's not convenient, it's not easy. And incidentally I was also CTO of a fingerprint sensor company, which actually identifies you without you entering a user ID and password. I was trying to see how we increase the utility of the fingerprint, and that's when I ran into Michael Barrett, who started PayPal. We started discussing: here is a big fraud that's happening in the industry, which is a business pain, and here is a human pain where people are struggling to enter user IDs and passwords, entering multiple passwords, and the number of accounts is increasing. As long as you try to do security on the internet with the primary infrastructure still based on user IDs and passwords, you're actually not treating the disease, you're treating the symptom. You really need to fix the problem, fix the disease. And we actually took a step back: if we were to do cyber security, online authentication, on a clean slate, how would you do that? So that's when I, with my team, wrote the protocol, the concepts of the protocol, based on which FIDO was formed. And then we donated that IP to the FIDO Alliance, and that's how my fifth company, Nok Nok Labs, got started, and until now we have raised about fifty million dollars with the company, Nok Nok Labs.
The very work we do, FIDO authentication, eliminates the passwords; the user doesn't have to remember the user name and password, the user doesn't have to type the password. The server doesn't know their password; the user authenticates himself to the device, and the device then authenticates back to the servers.
BUSINESS MODEL OF NOK NOK LABS
Martin: But how does it authenticate? Just walk me through it. Imagine I am a normal customer, an individual, and I want to authenticate; how does that work, for example, with a bank?
Ramesh: So today, if you try to log on to the bank, you use your user ID and password, and that package gets sent to the server. And as you are typing and sending, you are vulnerable to many different attacks: it could be a phishing attack, it could be a man-in-the-middle attack, it could be a dictionary attack, or somebody can simply attack the servers and get your credentials. In the new model, if you look at Apple's iPhone, iPhone 5 and iPhone 6, Samsung Galaxy S5 and S6, fingerprint and facial recognition technologies are scaling rapidly; it's becoming mainstream right now. I mean, earlier we had cost issues and quality issues. Now those things are coming together, where fingerprint, iris, and facial technology are mature and deployable at mass scale, and the cost has also come down dramatically, thanks to the iPhone embracing fingerprinting, and that made fingerprinting a mainstream technology now.
Martin: But does that mean you're mainly focusing on mobile security, or are you also doing this for desktop?
Ramesh: The same infrastructure can also be used by PC, cell phone and tablet. So the way it works: you authenticate yourself to the device using your fingerprint, facial recognition technology, or something. And then there is a process: if you are a user of the bank currently using a user ID and password, the next time you have a FIDO-enabled phone or FIDO-enabled PC, you log on using your password, the servers can then recognize that you have a device with FIDO component infrastructure, and it walks you through a registration process. That registration process is simple: you look into the camera, you speak a phrase, touch the sensor; a single touch, a single phrase, or a single blink; any of these things, just this. You do that, and during that period there is a cryptographic exchange happening between the client and the servers. The cryptographic signatures are generated on the client and sent to the server. I don't want to get into too much detail, but there is a public and private key kind of security infrastructure. The private key is generated on the client, and the public key is sent to the servers for that user, for that device. From that moment onward, any authentication that happens between the servers and the client is based on that cryptographic signature, on a challenge-response basis. So the next time you want to authenticate to a service or a bank, you simply go to the bank site and then touch the finger, look into the camera, or speak that single phrase; then the response to the challenge that the servers pose to the device gets generated, and that's how you get authenticated.
Martin: Is there a way to game this? For example, imagine I knew that this mobile phone is attached to Ramesh, and I had a photo of Ramesh which I put in front of the camera. This might be used for the facial recognition, voice, maybe something else.
Ramesh: So security is always an arms race. The current problem, and how you address the security problem, also depends on what kind of security problem you're interested in. Today, if you look at the majority of the attacks happening on networks, on cyber security, in most of them the hackers don't have the motivation to attack one person. What they want to do is go to sites like Yahoo, LinkedIn, Gmail; go to a site where they can get hundreds of millions of user accounts, like the eBay attack.
Martin: Yeah, right.
Ramesh: So when you have user IDs and passwords at that scale, what they want is much bigger. In FIDO, it has to be a targeted attack, where the hacker really wants to attack you. You not only have to have my picture or my fingerprint, but you also have to steal my device.
Martin: I mean, I totally understand that it makes the authentication process safer; totally understood.
Ramesh: Safer, simpler.
Martin: Imagine I want to really hack a company. Maybe then I wouldn't try to hack via the authentication, but I would just hack the database; the companies will still have the personally identifiable information there.
Ramesh: In the current scenario, you're right, hackers are motivated to hack the server side, not the device. When you attack the server side in the older model, you get user IDs and passwords. So it's easy. In the new model, when you attack the server, all you get is a bunch of public keys. You won't be able to do anything with that. You've got to have the private keys.
Martin: Oh, good.
Ramesh: The private key is stored on the client side. So you are actually turning the authentication process upside down. You're not providing a single point of attack for somebody in remote places, like in the press releases of last year, where a single hacker group had 1.2 billion accounts' information from the United States and all over the globe. 1.2 billion accounts; that's how they harvested the whole thing. In this model, when they go and try to steal secrets from the server, there are no secrets on the servers anymore. All they have are public keys, and you won't be able to do much with public keys.
Martin: Ramesh, who are the major customers of Nok Nok Labs?
Ramesh: So like I was mentioning earlier, the FIDO protocol has two components. There needs to be a client component, and there needs to be a server. So unless there is a client, you don't have a business for the server side. Nok Nok makes money selling servers. Our first deployment was with PayPal. PayPal has used Nok Nok servers, and we worked with Samsung, where we put the FIDO clients on the Galaxy S5 and Galaxy S6 mobile phones. The next deployment of Nok Nok FIDO servers will be with Alipay in China, where again we provide the same servers to them; with Samsung phones and other phones that they choose to use where FIDO is deployed, they can use it. The latest one that we deployed is the Docomo entity.
Martin: Who is that?
Ramesh: Docomo in Japan. That is the biggest carrier in Japan. They have close to 65 million subscribers. Docomo has embraced FIDO in one go. The entire Docomo ID infrastructure now does not use passwords; it uses Nok Nok servers and completely eliminates passwords. If you are using Docomo services on Docomo phones, now there are no passwords. You simply look into the camera. They have actually deployed fingerprint. They have actually deployed iris scanning. It works seamlessly. We never had an issue; we deployed it in May. These are the first three major customers we started to work with. As you can see, it's not normal for a start-up company to go after companies like Docomo, PayPal and Alipay as their first customers.
Ramesh: And also to deploy at the scale that we deploy, at very high consumer scale.
Martin: And how is the revenue model working?
Ramesh: So like I was mentioning earlier, the client is free. Initially, with the first version of FIDO, we did the clients ourselves, but Microsoft is part of the FIDO Alliance now, and they've recently announced that Windows 10 will have FIDO infrastructure in it. Snapdragon and Qualcomm have announced that they embrace FIDO. Armies buy FIDO. You can go to FIDOAlliance.org and see the members. You can see how many members there are.
Now, Nok Nok has also enabled the iPhone 5 and iPhone 6 to use FIDO infrastructure, and we have support for that. Basically, as we go, we expect the client side to be embraced by the operating system people, like Microsoft, Google, Apple kind of people. And we basically focus on selling servers. We have a multi-factor authentication server that we sell to people, that we deploy to people. We don't host servers, we sell servers; it's an enterprise sale. And if you're Docomo, if you're a financial institution, if you're a bank in Germany, what you simply do is buy the server from us, use our SDK to deploy to your mobile app or internet browser plugin, and you're ready to go.
Martin: Why did you choose the selling model only, and not, as SAP for example, a sales and service model?
Ramesh: We are actually a product company, just like SAP. The only difference between conventional ERP companies and us is that ERP is a full application, and we are an infrastructure business. We don't sell applications, we sell infrastructure.
Our server will have to go and integrate with some of the existing applications; for instance, SAP can deploy our server. SAP has various kinds of applications that they sell, like digital workflow, process management, supply chain. There are various things that they sell. All of them currently use user IDs and passwords to get in. SAP can choose to embrace FIDO and then buy a Nok Nok server. And then all servers can be password free.
ADVICE TO ENTREPRENEURS FROM RAMESH
Martin: Ramesh, imagine a child comes to you, a younger one, like 15 or 16, and wants to start a company but doesn't know whether he should do it or what he should care about. What advice would you share with him?
Ramesh: At any time, any opportunity or any business gets nurtured out of pain. If you are able to identify either a business pain or a human pain, and you have a solution for that, there's the starting point. People don't go to CVS and Walgreens to buy vitamins; they go to buy painkillers. When there is a pain, people want to address it immediately. If there is a vitamin, they don't go there; that's not a priority.
So when you want to start a company, first you need to know; you don't necessarily need to know the details, you don't necessarily need to know how to fix it, but you should be able to know that there is a pain. Coming back to the pain point, it has to be able to fix the human pain or it has to be able to fix the business pain. If it can fix either one of them, like for instance security. When security was a pain, people recognized it. You have people seriously talking about scamming: online scamming, money and password scamming, smart card scamming, all kinds of things. That actually complicates the user experience, but it solves the business pain.
Martin: …and then you have a trade-off.
Ramesh: That's the trade-off. What FIDO does is, conventionally, security means, more security means unusable; unusable in the sense of difficult to use. If you want to make sure that I'm strong, I keep on asking more and more questions. What was your dog's name in 1972? This is the kind of thing they will ask in a financial institution. They will ask your social security number, and they will ask what your childhood best friend's name is. These are all passwords; you keep on adding stuff.
So what that means is, if I really want to assert that's who you are, then I ask more questions and put you through so much pain. What Nok Nok and FIDO do is provide more security and at the same time make it very, very usable. For me, on an iPhone, typing a password is much more difficult than just doing this, and done. So what we do is increase security and also make it extremely usable; that's why I keep throwing in the words a single touch, or a single phrase, or a single blink. We make it stronger and at the same time extremely usable.
Martin: What would you say to the young person if he says, actually, I cannot identify a problem worth solving?
Ramesh: Then there is no company to be built. You've got to know what you're solving. If you are trying to do something without solving a problem, then there is no company there. Even if you want to start a nonprofit or charitable organization, it still solves some problem, which is helping people.
Martin: Thank you so much, Ramesh, for your time.
Ramesh: Sure, no problem.
Martin: And next time, when you really want to start a company, don't just start a company; focus on a problem and really identify that it is a big problem that is worth solving, and if you don't find a problem, just don't start a new company. Work your way through, and maybe over time you will find a problem that is worth solving.
Ramesh: That's almost how all other things get started. Unless you go through the pain, you won't know the problem. I would strongly recommend to people that they actually work at some places if they don't have any idea; like probably a big company like Dell, which was started at UT Austin by Michael Dell, where he saw that people needed computers and it was difficult to go out and get them, so he started online. So it doesn't have to be that you have to work; you don't have to work. You just have to feel the pain. If you see the pain, and that pain is not unique to you, it is a general pain, and you're fixing a general pain, then you have a company to start with.
Martin: Great! Thank you so much, and good luck with Nok Nok Labs.
Ramesh: No problem. Thank you so much.