Authentication In IoT: Securing the Front Door

Roland Atoui

We may not think about it much, but we truly live in a fascinating era of technology. Our devices are becoming smarter, and we aim to have them all online. The Internet of Things is thriving, boasting more connected devices than there are people on the planet.

And that’s only the beginning.

There is always a dark side to progress, though. In the case of IoT, it’s the race between cybercriminals and the development of cybersecurity, where each party wants to stay a step ahead of the other. The reasons are evident: with so many connected devices performing such a variety of tasks, the opportunities for taking advantage of them are endless. Among the tools that can stop or slow down hackers, strong authentication is one that has been around for a while. Still, it has to change as well. So what is the future of authentication for the Internet of Things?

The Importance of IoT Authentication

In a typical IoT infrastructure, a vast number of interconnected and distributed devices communicate with each other. This principle makes it crucial to have a strong, reliable, and scalable authentication method in place where each IoT device is properly authenticated to ensure it’s genuine and to prevent unauthorized IoT devices from being installed on the network.

When an IoT device communicates with a peer device, the two need to identify each other and verify each other’s identity to establish authentication. This is achieved through cryptographic methods that may vary in complexity and level of security.

However, in an IoT infrastructure, the 2FA/MFA system can be more complex, requiring hardware tokens, separate devices or even biometrics (facial recognition, retina scan, fingerprint, etc.) to improve security. It’s essential for IoT, as this system has to ensure that whoever performs administrative actions on IoT devices is approved to do so. Security depends on this, since many IoT devices don’t have physical User Interfaces (UIs) and must rely on administrator actions.

Challenges of IoT Authentication

Technically, there is a real challenge in initiating secure communication between two IoT devices. If a public-key cryptographic authentication method is used, there must be a way to ensure that the public key received by a peer IoT device belongs to the intended communication channel and that the peer IoT device can be trusted. This requires the public key to be stored securely on the device, in the sense that its integrity is preserved. It must not be possible for an attacker to modify the key or to substitute a fake key for it. The latter concerns the digital certificates that are commonly used in such a scheme.

When it comes to user experience, the beauty of IoT partially lies in the variety of devices that can be interconnected. However, that’s also the ultimate nightmare for its security, as hardware and software differences between various IoT devices make it much harder to come up with a security solution that would be applicable in every case. Piling on to this issue, manufacturers and developers of IoT devices often skip developing a security solution for their product in order to reduce costs.

Secure Authentication

Authentication might be the answer if we can make it simpler and more efficient. Authentication methods implemented should be strong enough to be resilient against different attacks, such as eavesdropping/spying, replay attacks, MiTM attacks, dictionary attacks, or brute-force attacks.

Also, in IoT, it’s vital to use the same strong authentication across the multiple devices that are commonly used (since some devices have no Human Machine Interface (HMI), it could be a gesture, a GPS location or silent authentication), and for it to be faster and more convenient than our current 2FA/MFA processes.

To improve security, all sensitive data such as keys and biometrics should stay on the device itself. Ideally, you should be able to authenticate yourself to your device locally, and the device would then validate the user online using public-key cryptography. This would eliminate the need for any linkability between different accounts or services, vastly improving security. The FIDO authentication protocol could be the best security option to re-use.
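
The flow described above (private key kept on the device, online validation by public key), together with the replay resistance and key-integrity requirements from the earlier sections, as a simplified challenge-response sketch added here; it is not code from the article and not the FIDO protocol itself. The `Server` type, `Respond`, `Demo`, and the names `svc-a` and `sensor-1` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is a hypothetical relying party; it stores public keys only.
type Server struct {
	ID      string
	Keys    map[string]ed25519.PublicKey // device name -> key pinned at enrolment
	Pending map[string][]byte            // device name -> outstanding nonce
}

// Challenge issues a fresh random nonce that is valid for one attempt.
func (s *Server) Challenge(dev string) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	s.Pending[dev] = n
	return n
}

// Respond runs on the device; it signs service ID + nonce, never sending the key.
func Respond(priv ed25519.PrivateKey, service string, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(service+"\x00"), nonce...))
}

// Verify consumes the nonce, then checks the signature with the pinned key.
func (s *Server) Verify(dev string, sig []byte) bool {
	n, issued := s.Pending[dev]
	delete(s.Pending, dev) // single use, even when verification fails
	pub, enrolled := s.Keys[dev]
	return issued && enrolled && ed25519.Verify(pub, append([]byte(s.ID+"\x00"), n...), sig)
}

// Demo (constructed data): a genuine login, a replay of it, and a rogue key.
func Demo() (genuine, replay, forged bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{"svc-a", map[string]ed25519.PublicKey{"sensor-1": pub}, map[string][]byte{}}
	sig := Respond(priv, s.ID, s.Challenge("sensor-1"))
	genuine, replay = s.Verify("sensor-1", sig), s.Verify("sensor-1", sig) // evaluated left to right
	forged = s.Verify("sensor-1", Respond(rogue, s.ID, s.Challenge("sensor-1")))
	return
}

func main() { fmt.Println(Demo()) }
```

An eavesdropper who captures the signed response gains nothing, because the nonce is consumed on first use, and a device holding any key other than the enrolled one cannot produce a valid signature.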

IoT security presents a challenge, but with how IoT has been developing, cybersecurity has to be an absolute priority. Solving security concerns by securing the front door through strong and smart authentication will bring us a step closer to more fascinating technological developments.

Roland Atoui
Roland Atoui is an expert in cybersecurity and the Internet of Things (IoT) having recognized achievements working for companies such as Gemalto and Oracle with a background in both research and industry. From smart cards to smartphones to IoT tec...