IoT is the password killer we've been waiting for

IoT, with its tiny screens & headless devices, will drive an authentication revolution. It's a short leap from the kind of two-factor authentication used on the Apple Watch to proximity-based authentication that does away with any user interaction. Passwords are just the canary in the coalmine.


It’s a short leap from there to proximity-based authentication that does away with any user interaction. That’s already a common feature of automobiles. The Apple Watch or other wearables will greatly expand the possible use cases for such interactions. For example, if the homeowner is at the door and she is wearing the Watch, unlock the door! No need to put down the groceries. Predictions of just this sort were being made long before anyone had an inkling of what the Apple Watch would look like or how it would work.

But what about the universe of connected devices that don’t have any screen at all? So-called “headless” devices are likely to be among the most populous of the hundreds of billions of systems that will make up the Internet of Things. Think: embedded sensors, smart city infrastructure, industrial robots.

“We’re heading into a new world where user IDs and passwords won’t exist,” said Jason Sabin, Chief Security Officer at the firm DigiCert, a U.S.-based certificate authority. “Wearables, headless devices or small screen, small form factor devices – you definitely have to think about what identity means.”

On the question of authentication, Sabin believes that what is lost in graphical interfaces will be more than compensated for by the wealth of data – biometric and otherwise – that will be captured by IoT devices. “Maybe authentication becomes the way you walk as a person, or how you interact with the environment around you,” Sabin said. “My shoes, my phone, my watch, my clothing – those could be another form of identification to prove that I am ‘Jason.’”

Doing IoT security right?

Nobody knows how all of this will work – let alone how to secure it. And once you start talking about identity federation at the scale of the billions of connected endpoints on the Internet of Things, everything gets dicey.

Even today, online identity is splintered. Technologies and identity systems like Security Assertion Markup Language (SAML), Initiative For Open Authentication (OATH) and OpenID provide ways for users to connect to applications and resources. Siloed identity systems like Facebook Connect have also become popular as a way to authenticate individuals to online services. But all of those suppose that the authenticating device is a “smart” and “connected” device, constantly connected to the Internet and capable of handling such processing-intensive exchanges. Those are assumptions that may not hold for the many low-power, single function, intermittently connected IoT endpoints that will soon fill our environment.

Simply connecting devices that were once disconnected is a much easier problem to solve than managing security and identity. The result is often that companies don’t give much consideration to the security and identity pieces, said Jackson Shaw, Dell’s Product Manager for Identity and Access Management.

“Most people think about ‘how do I get updates?’ but not ‘how do I take this IoT device and match it with a person or resource?’”

To do security “right,” IoT device makers need to lock down communications to and from their endpoints using TLS or some equivalent technology. They also need features to push down software and configuration updates and – when appropriate – to secure data at rest on the device. Also, IoT devices may have useful lives measured in decades; companies need a way to future-proof their creations.

That’s a high bar, which is why Sabin argues that it may be better – in many consumer use cases – not to attempt or make assurances about security at all. “Why pretend to inject security into a system that you can never update or where you can’t manage the security of the system,” Sabin argues. “You’re just giving consumers and customers a false sense of security – that you’ve sprinkled in some security and think it’s enough.”

In most cases, however, not offering security for connected devices will not be an option. The risk that hundreds or thousands of vulnerable or insecure devices pose to the security of a corporate IT environment is considerable.

“This is going to be a serious concern,” said Shaw. “You will have devices in your environment that might ‘phone home’ to China and that are using different protocols, like Bluetooth, to connect. Can you even protect against that?”

Shaw looks to emerging standards like OAuth2 and UMA (User Managed Access) as a way to do authentication and granular permissions at the scale of the Internet of Things. But the landscape is still shifting, and Shaw said that there’s still a “long way to go” with regard to both security and identity. “Part of our advice to our audience is just to stay on top of IoT and pay close attention,” he said.


This story, "IoT is the password killer we've been waiting for" was originally published by ITworld.


Copyright © 2015 IDG Communications, Inc.
