Read any article about the Internet of Things (IoT) and you'll see a recurring theme that it won't reach its full potential if it's not secure. The point is usually made by describing a scary scenario where an attacker is able to access data or perform an operation by impersonating a valid user (resetting an insulin pump is a favorite). This highlights the importance of IoT authentication--if you're not sure which entity you're messaging with, then you can't protect the potentially sensitive data being shared, nor the transactions being conducted.
It's fundamentally the same requirement of today's human-centric Internet--we must be able to know who we're dealing with when buying holiday gifts or tweeting pics of kittens. Websites authenticate users by requiring a password, and browsers authenticate websites through the Secure Sockets Layer (SSL) protocol. So we're good, right? Unfortunately, as bad as passwords have been for Internet-scale authentication, they're even worse for IoT-scale authentication (enter a 10-character password on a step-counting wristband...really?)
To paint a picture, let's consider this connected healthcare devices architecture:
The medical devices on the left authenticate to the local gateway when sending health data.
The gateway then authenticates to the cloud endpoint when forwarding this data.
Then the applications on the right that will analyze and render this data must also authenticate to the cloud when requesting the data.
The only scalable model for this authentication scenario is through security tokens, where one actor authenticates to another by including a previously obtained token on its messages. The token serves to identify the first actor, allowing the second actor to make an appropriate authorization decision.
For health data and other personally identifiable information (PII), it's critical that the relevant users be in control of how their health data is collected, shared and analyzed. A powerful mechanism to enable this sort of control is to require that the user be actively involved in the process, where the different actors are issued the security tokens used for subsequent interactions. Without the user's consent, no tokens are issued and no authenticated interactions occur. In other words, no health data can flow.
OAuth 2.0 and OpenID Connect 1.0 are two standardized frameworks for authentication and authorization that support the above model. Both allow for the user to participate in the issuance of tokens to applications seeking user data (health or otherwise), which enables meaningful privacy control. Additionally, Connect provides built-in discovery and registration mechanisms that are extremely relevant in scaling any architecture to the numbers of actors that the IoT will create.
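The consent-gated token model described above, as an added sketch that is not from the original post and is not the OAuth 2.0 or OpenID Connect wire format: an issuer hands out a signed, expiring, scoped token only when the user has consented, and the receiving actor verifies it before authorizing a message. The HMAC-signed token layout, the key, and all names (`issue_token`, `authorize`, `CONSENTS`, the actor and scope strings) are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

ISSUER_KEY = b"constructed-demo-key"  # constructed; issuer and verifier share it in this sketch
# Constructed consent record: (user, actor) -> scopes the user has approved.
CONSENTS = {("alice", "glucose-meter-01"): {"readings:write"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body: str) -> str:
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(consents, user, actor, scope, ttl=300, now=None):
    """Issue a token only if the user consented to this actor and scope."""
    if scope not in consents.get((user, actor), set()):
        return None  # no consent, no token, so no authenticated data flow
    now = int(time.time()) if now is None else now
    claims = {"sub": actor, "user": user, "scope": scope, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)

def authorize(token, required_scope, now=None):
    """Verify the token carried on a message; return its claims or None."""
    try:
        body, sig = token.split(".")
        # Constant-time comparison of the presented and expected signatures.
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (AttributeError, TypeError, ValueError):
        return None  # missing, malformed or undecodable token
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now or claims.get("scope") != required_scope:
        return None  # expired, or issued for a different purpose
    return claims

if __name__ == "__main__":
    tok = issue_token(CONSENTS, "alice", "glucose-meter-01", "readings:write")
    print("device accepted:", authorize(tok, "readings:write") is not None)
    # The analytics app has no consent on record, so it gets no token.
    print("app token:", issue_token(CONSENTS, "alice", "analytics-app", "readings:read"))
```
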
One challenge is that OAuth and Connect have only been bound to HTTP so far. Security experts believe that HTTP is insufficient for many of the interactions in the IoT, particularly those between things/devices and other actors. A new class of protocols has emerged that promises to be better suited than HTTP to such interactions, including MQ Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP). There have been early explorations of binding OAuth and Connect to this new category of IoT-optimized protocols, but there's plenty of work yet to be done.
The challenge of coming up with new mechanisms and standards to authenticate IoT actors isn't the whole story. The opportunity for authentication in the IoT is to recognize the potential for enabling new ways of authenticating users via the devices and things that will surround us. Using the smartphone for two-factor authentication is an early manifestation of this trend. The features that make the smartphone a powerful authentication factor are the same that will allow our watches, wristbands and thermostats to have an opinion on our identity (and an ability to assert that opinion).
The smartphone makes a powerful authentication factor because, for most users, it's always with them (a 'what you have' factor is of little value if you can't assume users have it in their possession). But this quality of being tightly bound to a user is even more true of the emerging class of wearables used to monitor people's fitness, sleep and other personal metrics.
Think of a Fitbit wristband, for example. A tiny connected computer, the Fitbit is tightly bound to a particular user and gives feedback on that user's daily activity. Like other similar devices, it could use this activity data to facilitate authentication of the user as they access applications, devices or cloud services. The Nymi device takes the idea one step further by adding a biometric authentication of the user. It won't make the keys it stores available for authentication until validating the wearer's electrocardiogram against the stored template.
Beyond wearables, a category of passive authentication could be enabled by the other devices that'll soon surround us. Current fraud detection systems use the IP address of the computer to identify attacks initiated from a locale that's not expected. Now consider the potential for capturing such context through IoT devices. Could home automation motion detectors report that the house was empty, flagging an attempt to access the WiFi network as a possible attack?
We're going to be tackling all of these topics and more in an upcoming webinar on December 12th at 11:00 am EST. During the webinar, I'll argue that the IoT will only deliver on its potential when devices deliver more value than the associated cost (this cost is a combination of burden on the user and the associated risks). Currently, this isn't always the case--because many of today's devices deliver questionable value, are hard to set up and have iffy security and privacy controls. I believe that proper identity management, particularly the authentication and authorization of users and devices, is critical for lowering the burden and risk associated with devices, which would make the IoT more meaningful and valuable.
If you'd like to be part of this presentation and discussion, register today. Until then I leave you with this one question:
Is the IoT a challenge, or is it an opportunity for authentication and security? Yes, yes it is.