From connected grills to connected light bulbs, this year's International Consumer Electronics Show (CES) was all about the Internet of Things (IoT). With more than 900 exhibitors, it's clear that we are no longer approaching the age of connected devices -- we're in it. Naturally, in the age of security breaches, the conversation about securing the IoT is top of mind.
When writing about the IoT, it is standard editorial practice to decry the lack of interoperability, citing multiple standards at every level of the stack. Take your pick from the alphabet soup -- Zigbee, Thread, Wi-Fi, BLE, CoAP, MQTT, XMPP, etc. -- and hope for the best when trying to connect to devices from different manufacturers. Even if you are able to find an intersection in the protocol support between two unrelated devices and enable them to talk to each other to share data or control operations, there remains a different type of interoperability that, while seldom discussed, will likely be critical for IoT adoption amongst consumers: 'identity interoperability'.
The current default requires users to create a new identity (username and password) for every IoT provider with whom they interact. As a personal example, I have a Fitbit Flex, a Misfit Flash and a Samsung Gear watch, all of which count my steps. For each device, I have created a unique identity with each corresponding provider. While users go through the effort of creating and managing their individual identities, silos of identity are created, inhibiting any sort of cross-provider integration for big picture analysis -- such as comparing the accuracy of my step counters.
Another example is the 'Works with Nest' developer program from the Google-owned company. The program aims to position the Nest thermostat as the central hub for a variety of other devices that will be in or near the home -- wearables, washing machines, lights, cars, etc. While the program will allow, for instance, August or Kevo smart locks to inform the Nest who is in the house to personalize heating, the presumption remains that the homeowner would have had to create different accounts with Nest and the lock providers. But if I have bought into the premise of basing my home automation around the Nest, why must I create additional identities at each and every device manufacturer I bring into my home? Could not August, when I was first setting up the lock, allow me to use my existing Nest account instead of prompting me to create a new one?
Identity interoperability refers to one IoT provider being able to accept, rely on and trust an identity created and managed by another, whether that be another IoT provider or a social network like Facebook. We've become used to this sort of convenience when using web applications. Employees can access SaaS applications like Concur using their enterprise identities, and consumers can use their Facebook identities to log in to social applications.
Standards like OAuth 2.0 and OpenID Connect 1.0 will enable identity interoperability for the IoT. Indeed, Nest already uses OAuth 2.0 to protect the API that Works With Nest relies on. Were Nest to move to OpenID Connect, itself based on OAuth, then the existing requirement that users create an account at the third-party providers could be eliminated.
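What relying on another provider's identity looks like on the device maker's side, as an added example that is not from the original article or from any vendor named in it: a lock maker validates an OpenID Connect ID token issued by a hub provider and maps it to a local account with no new password. The issuer URL, client ID, secret and function names are hypothetical, and HS256 with the client secret is used only to stay within the standard library; deployments normally verify RS256 signatures against the issuer's published keys.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://idp.hub.example"         # hypothetical hub provider (identity provider)
CLIENT_ID = "lock-vendor-app"              # hypothetical lock maker (relying party)
CLIENT_SECRET = b"constructed-demo-secret" # constructed; shared at client registration

class TokenError(Exception):
    """Raised when an ID token must not be accepted."""

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, secret=CLIENT_SECRET, alg="HS256"):
    """Stand-in for the identity provider: builds a constructed sample ID token."""
    parts = [_b64e(json.dumps(p).encode()) for p in ({"alg": alg}, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64e(sig)])

def verify_id_token(token, nonce, now=None):
    """Relying-party checks; returns the claims or raises TokenError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(_b64d(h64)), json.loads(_b64d(p64)), _b64d(s64)
        alg, aud = header.get("alg"), claims.get("aud")
    except (ValueError, AttributeError) as exc:
        raise TokenError("malformed token") from exc
    if alg != "HS256":                     # pin the algorithm, never follow the header
        raise TokenError("unexpected alg")
    good = hmac.new(CLIENT_SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER or not claims.get("sub"):
        raise TokenError("wrong issuer or no subject")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this client")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    if claims.get("nonce") != nonce:       # binds the token to this login attempt
        raise TokenError("nonce mismatch")
    return claims

def account_for(claims, accounts):
    """Find or create the local account, keyed on (iss, sub) rather than email."""
    key = (claims["iss"], claims["sub"])
    return accounts.setdefault(key, {"local_id": len(accounts) + 1, "name": claims.get("name")})
```

The audience check is what stops a token the hub issued to some other vendor's app from being replayed against the lock maker.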
The good news is that, unlike the other layers of the IoT stack where there is no universal consensus on the best way to achieve interoperability, the identity layer has less uncertainty. The only real alternatives to OAuth and OpenID Connect are passwords or X.509 certificates -- neither of which has proven scalable on the Internet we have, much less the IoT that is coming.