FIDO Device Onboard (FDO), sometimes called ‘device provisioning,’ is a device onboarding protocol developed by the FIDO Alliance. FIDO device onboarding is an automatic onboarding mechanism for IoT devices, meaning it is invoked autonomously and performs only limited, specific interactions with its environment in order to complete.
What is Device Onboarding?
Before discussing FIDO device onboarding and IoT, it helps to explain what device onboarding means in relation to IoT. An IoT platform could range from an application on a user’s computer, phone or tablet, to an enterprise server, to a cloud service spanning multiple geographic regions. The device owner uses this IoT platform to manage the device by patching security vulnerabilities, installing or updating software, retrieving sensor data, interacting with actuators, and more. Device onboarding is the process of installing secrets and configuration data into a device. This allows the device to securely connect and interact with an IoT platform.
Why FIDO?
Here are the top ten things you should know when it comes to FIDO Device Onboarding for IoT and why it works.
A Device Owner Can Choose the IoT Platform at a Later Stage
A unique feature of FIDO Device Onboard is its owner’s ability to select the IoT platform at a late stage in the device life cycle. The configuration data or the secrets can also be created or chosen at a late stage. This feature is called ‘late binding’.
The most common instance of onboarding happens when a device is first installed. The device connects to a prospective IoT platform over a communications medium, with the intent to establish mutual trust and enter an onboarding dialog. Because of late binding, the device doesn’t yet know the prospective IoT platform to which it must connect. That’s why the IoT platform shares information about its network address with a ‘Rendezvous Server’. The device connects to one or more rendezvous servers until it determines how to communicate with the prospective IoT platform.
FIDO Device Onboard Establishes the Ownership During Manufacturing
FIDO Device Onboard works by determining the ownership of a device during manufacturing. Then it tracks the device’s ownership transfers until it is provisioned and put into service. This way, the device onboarding problem can be seen as a device ‘transfer of ownership’ or delegation problem. Between its manufacturing and first-time powering up and accessing the Internet, the device may transfer ownership several times. A digital document called ‘Ownership Voucher’ is used to transfer digital ownership credentials from owner to owner without even powering the device.
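The ownership chain described above can be modeled in a few lines of Go. This is an added example, not code from the article or from any FDO implementation, and it does not follow the FDO voucher wire format: the names `Entry`, `Voucher`, `Verify` and `Extend`, the use of Ed25519 and SHA-256, and the constructed keys are all assumptions of the example, and the model ties a voucher only to the manufacturer key (it carries no per-device identifier). Each transfer is signed by the previous owner with no device involved, and the device later accepts the voucher only if every signature chains back to the manufacturer key hash it was given at manufacturing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is one transfer in a simplified voucher model (not the FDO wire format).
type Entry struct {
	NextOwner ed25519.PublicKey
	Sig       []byte // previous owner's signature over SHA-256(chain hash || NextOwner)
}
type Voucher struct {
	Manufacturer ed25519.PublicKey
	Entries      []Entry
}

// Verify walks the chain from the device's manufacturer-key hash; returns owner and chain hash.
func (v *Voucher) Verify(mfgHash [32]byte) (owner ed25519.PublicKey, tip [32]byte, err error) {
	if owner, tip = v.Manufacturer, sha256.Sum256(v.Manufacturer); tip != mfgHash {
		return nil, tip, fmt.Errorf("manufacturer key does not match device")
	}
	for i, e := range v.Entries {
		tip = sha256.Sum256(append(tip[:], e.NextOwner...))
		if len(owner) != ed25519.PublicKeySize || !ed25519.Verify(owner, tip[:], e.Sig) {
			return nil, tip, fmt.Errorf("entry %d: not signed by previous owner", i)
		}
		owner = e.NextOwner
	}
	return owner, tip, nil
}

// Extend appends a transfer to next, signed with the current owner's private key.
func (v *Voucher) Extend(cur ed25519.PrivateKey, next ed25519.PublicKey) error {
	_, tip, err := v.Verify(sha256.Sum256(v.Manufacturer))
	if tip = sha256.Sum256(append(tip[:], next...)); err == nil {
		v.Entries = append(v.Entries, Entry{next, ed25519.Sign(cur, tip[:])})
	}
	return err
}

func main() { // constructed keys: the manufacturer transfers to a distributor
	mPub, mPriv, _ := ed25519.GenerateKey(nil)
	dPub, _, _ := ed25519.GenerateKey(nil)
	v := &Voucher{Manufacturer: mPub}
	err := v.Extend(mPriv, dPub)
	fmt.Println("transfers:", len(v.Entries), "err:", err)
}
```

`Extend` does not check that the signing key belongs to the current owner; a transfer signed by anyone else is caught by `Verify`, which is the check the device side relies on.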
An Installer Performs Physical Installation of the IoT Device
In onboarding, an installer performs the physical installation of the IoT device. With an untrusted installer model, the device has no guidance on how to onboard. In contrast, with a trusted installer model, the device can take direction from the installer, simplifying onboarding.
FIDO Device Onboard Protocol Doesn’t Limit the Owner’s Credentials During Onboarding
During onboarding, the FIDO Device Onboard protocol does not limit or mandate the specific owner credentials provisioned to the device. It allows the manager to supply a number of keys, secrets, credentials, and other data to the device so that it can be remotely controlled and enter service efficiently.
Once Under Management, FIDO Device Onboard Can Be Re-enabled Later to Repurpose the Device
Once a device is under management, FIDO Device Onboard enters a dormant state, and the device enters normal IoT operations. The manager can perform subsequent updates outside of FIDO Device Onboard. However, if the device is sold or re-provisioned, the manager may clear all credentials and data and re-enable FIDO Device Onboard.
During Manufacturing, an IoT Device with FDO is Typically Configured With:
- A processor containing a Restricted Operating Environment (ROE), which is a combination of hardware and firmware that isolates the necessary FIDO Device Onboard functions and applications on the device. This is a crucial part of guaranteeing built-in secure functionalities.
- A FIDO Device Onboard application that runs in the processor’s ROE that maintains and operates on device credentials
- A set of device ownership credentials, accessible only within the ROE
FIDO Device Onboard can be Deployed in Different Operating Environments
FIDO Device Onboard may be deployed in multiple operating environments, with different security capabilities such as application isolation and tamper resistance. These include a microcontroller unit (MCU) with a hardware root of trust, or an OS daemon process using keys securely stored in a TPM.
Simplified Multiple Onboardings for Demos
The Credential Reuse protocol allows devices to reuse the device credentials across multiple onboardings. The intended application for this protocol is to support demos and testing scenarios. Onboarding can be run repeatedly and quickly without changing the Ownership Voucher or resetting the system after each onboarding. Since credential reuse can permit the previous Owner unlimited access to the device, it is not recommended for use in the normal device supply chain.
Functionality, Interoperability, Privacy and Security by Design
FIDO Device Onboard has many protocol features that make it hard for cybercriminals to track information about a device’s progress from manufacturing to ownership to resale or decommissioning. All keys exposed by protocol entities in FIDO Device Onboard are restricted to use within FIDO Device Onboard. A future FIDO certification program is expected to guarantee a certain level of security assurance, functional conformance, and interoperability.
Towards IoT Device Secure Deployment at a Scale
FIDO succeeded in transitioning from traditional authentication methods to a passwordless world, and this new protocol is expected to bring the same balance between user convenience and security to the IoT industry. It will thus enable the secure deployment of IoT devices on a large scale.