“I wrote open standards to make strong authentication available to everybody”

GET TO KNOW Johan Rydell, Technology Director at identity and security company Nexus Group, and contributor to the authentication standards TOTP and OCRA. “These standards are used by pretty much everybody today, and since they are preventing patents they have led to a dramatic drop in the price of hardware tokens,” says Johan Rydell.

How would your colleagues describe you?

“Most of them do not know me that well. They just know that if they have an issue, I will solve it. If, for example, a salesperson sells a customer functionality that we do not have, I usually can fix that by writing some new adapter code. And if some customer in North or Central America needs urgent support, I will travel there to help them or to verify that the problems they are experiencing are not a result of any faults in our products.

“I am currently the only Nexus employee in the US. I moved here from Sweden 10 years ago, and nowadays I work from my home office outside of San Francisco,” says Johan Rydell.

Why are you working at Nexus?

“I was one of the founders of PortWise, a company that was acquired by Nexus in 2010. Our main product was a software-based security gateway, used to enable secure access to digital services – no matter where those services or users might be located. That product is now one of Nexus’s most important products, and goes under the new name Nexus Hybrid Access Gateway.

“When we were acquired, our US office was closed down, but I stayed here. One of the reasons for this is that I work a lot with standards, and if you are to have any influence in the field you have to be present here in the San Francisco Bay Area. I was one of the main contributors to the Time-based One-Time Password algorithm (TOTP) standard, which is the cornerstone of the Initiative for Open Authentication (OATH) and used in a number of two-factor authentication systems. I was also the main contributor to the authentication standard OATH Challenge-Response Algorithm (OCRA).

“But my main task is to make sure that our American customers and partners are happy. My role requires both deep and broad competence within the security and technology fields, and suits me perfectly,” says Johan Rydell.

What are you working on now?

“I educate banks and local governments in North and Central America about security, and offer them our solution for strong authentication and digital signing. I also help them hands-on with the implementation, and make sure they are complying with all regulations. And if they need help later on, I support them.

“I am also certifying companies using the TOTP standard. If you, for example, buy a hardware token from a vendor following the standard, you should be able to use it straight off the shelf with any server following the standard. Presently, about 200 companies, including Nexus, have certified their solutions,” says Johan Rydell.

Read our guide How to choose the right physical identity and access management (PIAM) system

What is the impact of the standards you have co-written?

“Before TOTP and OCRA, the only way to enable two-factor authentication of a user accessing a network resource was with a system called SecurID. It is owned by the American computer and network security company RSA Security, and they had patents blocking competition. They took advantage of this by selling their hardware and software tokens at a really high price.

“I do not like patents. They are not good for innovation, and I want security to be used. That is why I wrote OCRA. Nobody can get patents on things that are included in a standard, so I made OCRA so broad that nobody would be able to claim any patents in this area.

“Today, pretty much all hardware tokens are using TOTP and OCRA, since these standards cover all use cases. This has led to the price of hardware tokens dropping dramatically. Another impact is that OCRA makes transactions nonrepudiable. Nonrepudiation is the assurance that someone cannot deny something; if you, for example, authenticate to sign a transfer of SEK 200, nobody can later claim that you transferred some other amount,” says Johan Rydell.
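To make the two standards discussed above concrete, here is an added example (not code from Nexus or from the interview) that implements HOTP (RFC 4226), TOTP (RFC 6238) and the simplest OCRA suite (RFC 6287, `OCRA-1:HOTP-SHA1-6:QN08`) with nothing but the Python standard library, and then uses OCRA to bind a response to a transaction amount the way the SEK 200 example describes. The secret key is the 20-byte test key from the RFCs, and `sign_transaction`/`verify_transaction` are names chosen for this example; using the amount as the OCRA numeric question is an assumption about how a deployment would map transaction data onto the suite, not something the interview specifies.

```python
import hashlib
import hmac
import struct
import time

# 20-byte ASCII test key shared by the RFC 4226 / 6238 / 6287 test vectors.
RFC_TEST_KEY = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation from RFC 4226 section 5.3, reduced modulo 10^digits."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the moving factor replaced by the current time step."""
    return hotp(key, unix_time // step, digits)


def totp_now(key: bytes, digits: int = 6) -> str:
    """Convenience wrapper: TOTP for the current wall-clock time."""
    return totp(key, int(time.time()), digits=digits)


def ocra_numeric(key: bytes, suite: str, question: str) -> str:
    """OCRA for suites of the form OCRA-1:HOTP-SHA1-<d>:QN08.

    Data input is: suite string, a 0x00 separator, then the numeric question
    converted to uppercase hex and right-padded with '0' to 128 bytes.
    Other OCRA inputs (counter, password, session, timestamp) are not used
    by this suite, so they are deliberately not implemented here.
    """
    _, crypto, data_in = suite.split(":")
    if not crypto.startswith("HOTP-SHA1-") or data_in != "QN08":
        raise ValueError("this example only supports OCRA-1:HOTP-SHA1-<d>:QN08")
    digits = int(crypto.split("-")[2])
    if not question.isdigit() or len(question) > 8:
        raise ValueError("QN08 requires a numeric question of at most 8 digits")
    q_hex = format(int(question), "X").ljust(256, "0")
    msg = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)


TX_SUITE = "OCRA-1:HOTP-SHA1-6:QN08"


def sign_transaction(key: bytes, amount: str) -> str:
    """Token side: the response is computed over the amount, so it is only
    valid for that exact transaction (assumed mapping of amount -> question)."""
    return ocra_numeric(key, TX_SUITE, amount)


def verify_transaction(key: bytes, amount: str, response: str) -> bool:
    """Server side: recompute for the amount it is about to execute and
    compare in constant time; a response made for another amount fails."""
    expected = ocra_numeric(key, TX_SUITE, amount)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    print("TOTP at T=59 (RFC 6238 vector):", totp(RFC_TEST_KEY, 59, digits=8))
    print("OCRA Q=00000000 (RFC 6287 vector):",
          ocra_numeric(RFC_TEST_KEY, TX_SUITE, "00000000"))
    resp = sign_transaction(RFC_TEST_KEY, "200")
    print("signed SEK 200 ->", resp)
    print("verify SEK 200:", verify_transaction(RFC_TEST_KEY, "200", resp))
    print("verify SEK 2000 with same response:",
          verify_transaction(RFC_TEST_KEY, "2000", resp))
```

The TOTP and OCRA values for the RFC test key reproduce the published test vectors, which is exactly the interoperability point made about certification: a token and a server that both follow the standard agree on the code without ever having exchanged anything but the key. The last two lines of the demo show the nonrepudiation property: the response a token produced for an amount of 200 does not verify for 2000.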

Describe an ordinary day in the life of Johan!

“I start my work day at 9 AM by turning on all my computers and making sure they are all up to date. I have about 25 of them, to be able to test new software releases and other new code in different environments and for different use cases. Then I read my emails and the IT news. All this creates a foundation for the day.

“What happens next is different day to day, but I will give you an example of what a day can look like. I often work on something having to do with our bank customers, for example, an upgrading project or review of new requirements. I stay in my home office as much as possible, but I also travel to customers and potential customers. When I am at home, I do things like test new code, check logs, or test network protocols to make sure the communication is encrypted – so, mostly deeply technical things.

“But then I might suddenly get a request for proposal (RFP) in my inbox, that is, a document from a potential customer, asking us to submit a business proposal. RFPs have a high priority, so I often start filling them out straight away.

“At around 3–4 PM, I take a break from work to spend time with my family. Then I work again between 10 PM and midnight, when the kids are asleep and I can get ahold of my colleagues in the Swedish time zone,” says Johan Rydell.
