Any article on the Internet of Things (IoT) will point out that the IoT must be secure in order for its value to be realized. Generally the point is made by describing a scary scenario where an attacker is able to access data or perform an operation — reset an insulin pump is a favorite — by impersonating a valid user, highlighting the importance of authentication to the IoT.
If you can’t be sure, or at least reasonably confident, of what IoT entity you are messaging with, then you can’t protect the potentially sensitive sensor data being shared or the transactions being conducted. It is fundamentally the same requirement as on today’s human-centric Internet — we must be able to know whom we are dealing with when buying holiday gifts or tweeting pics of kittens.
On today’s Internet, websites authenticate users by requiring a password and browsers authenticate websites through the Secure Sockets Layer protocol. So we’re good, right? Unfortunately, as bad as passwords have been for Internet-scale authentication, they are even worse for IoT-scale authentication. Is there an equivalent to the browser lock icon for a device that has no screen? Must we enter a 10-character password onto our step-counting wristband?
Consider the connected health care devices architecture represented below:
The different medical devices on the left must authenticate to the local gateway when sending the health data. Then the gateway must authenticate to the cloud endpoint when forwarding this data. The applications on the right that will analyze and render this health data must also authenticate to the cloud when requesting the data. The only scalable model for all the above authentications is through security tokens — one actor authenticates to another by including a previously obtained token on its messages. The token serves to identify the first actor, enabling the second actor to make an appropriate authorization decision.
For health data and other personally identifiable information, it is critical that the relevant users be in control of how their health data is collected, shared and analyzed. A powerful mechanism to enable this sort of control is to require that the user be actively involved in the process by which the different actors above are issued the security tokens used for subsequent interactions. Without the user’s consent, no tokens are issued and no authenticated interactions occur. Thus, no health data can flow.
OAuth 2.0 and OpenID Connect 1.0 are two standardized frameworks for authentication and authorization that explicitly support the above model. Both enable the user to explicitly participate in the issuance of tokens to applications seeking user data — health or otherwise — and can thereby enable meaningful privacy control. Additionally, Connect provides built-in discovery and registration mechanisms that are extremely relevant in scaling any architecture to the numbers of actors that IoT will create.
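The consent-gated token model described above, as an added sketch that is not part of the original article and is not an OAuth 2.0 or OpenID Connect implementation. The HMAC-signed token format, the names `TokenIssuer` and `verify`, and the scope strings are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

class ConsentRequired(Exception):
    """Raised when a token is requested without the user's recorded consent."""

class TokenIssuer:
    def __init__(self, key: bytes):
        self._key = key
        self._consents = set()  # (user, actor, scope) triples the user approved

    def grant_consent(self, user, actor, scope):
        self._consents.add((user, actor, scope))

    def issue(self, user, actor, scope, ttl=300, now=None):
        # No consent, no token: without a token no authenticated data flows.
        if (user, actor, scope) not in self._consents:
            raise ConsentRequired(f"{user} has not approved {actor} for {scope}")
        issued = time.time() if now is None else now
        claims = {"sub": user, "actor": actor, "scope": scope, "exp": issued + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        sig = hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()
        return (body + b"." + sig).decode()

def verify(token: str, key: bytes, required_scope: str, now=None):
    """Return the claims if the token is authentic, unexpired and in scope, else None."""
    body, sep, sig = token.encode().rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    current = time.time() if now is None else now
    if claims["exp"] <= current or claims["scope"] != required_scope:
        return None
    return claims

# Constructed demo: a wristband sends heart-rate data to the home gateway.
KEY = b"constructed-demo-key"  # shared by issuer and verifier in this sketch
issuer = TokenIssuer(KEY)
issuer.grant_consent("alice", "wristband-01", "heartrate:write")
token = issuer.issue("alice", "wristband-01", "heartrate:write", now=1000)
```

The gateway would call `verify` on each incoming message and reject anything that returns `None`; the same check applies at the cloud endpoint for tokens presented by the gateway and by the analysis applications.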
One challenge is that OAuth and Connect have only been bound to HTTP thus far. Security experts believe that HTTP is insufficient for many of the interactions in the IoT, particularly those between things/devices and other actors. A new class of protocols has emerged that promises to be better suited than HTTP to such interactions, including MQ Telemetry Transport and Constrained Application Protocol. There have been early explorations of binding OAuth and Connect to this new category of IoT-optimized protocols, but work remains.
The challenge of coming up with new mechanisms and standards to authenticate IoT actors isn’t the whole story. The opportunity for authentication in the IoT is to recognize the potential for enabling new ways of authenticating users via the devices and things that will surround us. Using the smartphone for two-factor authentication is an early manifestation of this trend. The features that make the smartphone a powerful authentication factor are the same that will enable our watches, wristbands and thermostats to have an opinion on our identity — and an ability to assert that opinion.
The phone makes a powerful authentication factor because, for most users, it is always with them — a “what you have” factor is of little value if you can’t assume users have it in their possession. But this quality of being tightly bound to a user is even more true of the emerging class of wearables used to monitor an individual’s fitness, sleep and other personal metrics.
Consider a Fitbit wristband, which gives users feedback on their daily activity. A Fitbit is a tiny connected computer, tightly bound to a particular user. As such, a Fitbit, and other similar devices, could facilitate authentication of the user as they access applications, devices or cloud services. The Nymi device takes the idea one step further by adding a biometric authentication of the user; it won’t make the keys it stores available for authentication until validating the wearer’s electrocardiogram against the stored template.
Beyond wearables, there lies a category of passive authentication that can be enabled by other devices that will soon surround us. Current fraud detection systems use the IP address of the computer to identify attacks initiated from a locale other than expected. Consider the potential for capturing such context through IoT devices: a home automation motion detector could report that the house was empty, thus preventing an attack on a WiFi network.
So is the Internet of Things a challenge, or is it an opportunity for authentication and security? Yes, yes it is.
About the AVISIAN Publishing Expert Panel
At the close of each year, AVISIAN Publishing’s editorial team selects a group of key leaders from various sectors of the market to serve as Expert Panelists. Individuals are asked to share their unique insight into different aspects of the campus card market. During the months of December and January, these panelists’ predictions are published at SecureIDNews.