User authentication is getting harder and harder in our Internet of Things (IoT) world. Existing methods for authentication, such as passwords aided by a second factor, are being rendered moot due to human error as well as the enhanced sophistication of malware and other attacks.
In an online environment crowded with data from billions of sensors, smartphones and other mobile devices, and cloud-based services, threats come from every direction. That’s why reimagining authentication is key in the age of the IoT. A new paradigm is needed because the granting of physical access that the IoT brings will be unforgiving to solutions that are insecure, inconvenient, or both.
The long-cherished password just cannot match the sophistication of today’s attacks, even when supported by a two-factor solution – whether it’s hardware or software. Passwords present insecurities and inefficiencies that are untenable for the IoT. We’re accustomed to having access to our analog homes, cars, and other devices or appliances being instantaneous and seamless. Moving to connected iterations of the same residences, devices, and appliances means we won’t have time or patience for slower, clumsier access. In fact, we’ll expect far more from a connected experience than we do from the present unconnected one.
Problems Inherent in 2FA Solutions
As security breaches rage on seemingly non-stop, more organisations have been turning to the use of two-factor authentication (2FA), which typically combines a password with a second layer of protection. These solutions were a step in the right direction for average computing, but a very small step, and one that will not protect or facilitate IoT use.
The reason that 2FA does not offer enough protection is that it relies on the faulty foundation of passwords, which are almost universally misused. Efforts to increase password complexity have failed because of the simple fact that most people use the same common characters over and over. Inputting complex passwords is onerous particularly when it comes to mobile devices, and mobile devices are part of why the IoT is not only possible but also flourishing.
2FA comes in two options, hard or soft. The two-factor hardware version uses physical tokens which, as it turns out, no one wants to use. They are cumbersome and slow down the authentication process, which will not fly in the IoT. To use a 2FA token for authentication, a user first has to provide a password and then either plug the hardware token into their computer or punch in a six-digit code that appears on the token’s display. This significantly increases the amount of time required to authenticate and also requires users to manage a completely separate device. Additionally, if a token is stolen or lost, it can potentially be used by whoever has it. And a lost token needs to be replaced before a user can access company resources.
Hardware solutions clearly won’t work for the IoT, but what about software-based solutions? They have their own issues. First, they don’t implement a unified protocol. This creates a fragmented authentication field where each 2FA solution is not interoperable with another. Lack of interoperability for computing is already a hassle and in the IoT it will be even more glaringly inefficient. What’s more, if fragmentation of this kind persists in the IoT, the IoT itself would fail.
The Benefits of Biometrics
Passwords are inadequate by themselves, and 2FA solutions are fraught with difficulties. Fortunately, a new player in the security game is on the rise: biometric security. Biometric authentication is a conclusive, logical way to prove one’s identity – a password can be replicated, for instance, but a fingerprint cannot.
Consumers are becoming more familiar with, and comfortable with, on-device biometrics. The latest Apple and Samsung mobile phones, as well as many new desktop and laptop computers, contain embedded biometric sensors. These devices also include a Trusted Platform Module, or Trusted Execution Environment, that handles the validation of biometric information separately from the device’s core operating system. This is an important distinction, as those core operating systems are susceptible to malware.
When it comes to verifying identity, the IoT has another important distinction.
When authenticating to a smart lock, or even a smart car, it is important that authentication take place on the smart device rather than on the user’s end. Otherwise, malware on the user’s device may be used to spoof the authenticated user identity and unlock a smart node without the proper credentials.
Authentication is essentially split across both the user’s mobile device and the lock itself when validation capability is embedded directly into a smart lock. A secure lock becomes a standalone biometric validation server, and cannot be remotely authenticated without the presence of a trusted biometric device.
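The split described above can be illustrated with a small simulation. This is an added example, not code from the article or from HYPR: the lock issues a single-use challenge, and the phone’s simulated secure element answers it only after a local biometric match, using an enrollment key that never leaves the secure element. The lock, not the phone, decides whether the unlock is valid. The shared-secret HMAC scheme, the `unlock|device|nonce` message format, the 30-second challenge lifetime and the device name `phone-1` are all assumptions made for the example; the article specifies no protocol.

```python
"""Added example (not from the article or HYPR): lock-side challenge-response
in which the lock, not the phone, decides whether an unlock attempt is valid."""
import hashlib
import hmac
import os
import time

MAX_CHALLENGE_AGE = 30.0  # seconds a challenge stays valid (assumed value)


class TrustedDevice:
    """Simulated phone-side secure element. Assumption: the enrollment key never
    leaves it, and it only answers a challenge after a local biometric match."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self._secret = secret

    def respond(self, nonce: bytes, biometric_matched: bool):
        if not biometric_matched:
            return None  # no local match, so nothing is sent to the lock
        msg = b"unlock|" + self.device_id.encode() + b"|" + nonce
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class SmartLock:
    """Lock-side verifier: issues single-use nonces and checks each response
    against the key enrolled for that device. Biometric data never reaches it."""

    def __init__(self):
        self.enrolled = {}  # device_id -> shared secret provisioned at enrollment
        self.pending = {}   # nonce -> (device_id, issued_at)

    def enroll(self, device_id: str, secret: bytes):
        self.enrolled[device_id] = secret

    def challenge(self, device_id: str, now=None) -> bytes:
        nonce = os.urandom(16)
        self.pending[nonce] = (device_id, now if now is not None else time.time())
        return nonce

    def verify(self, device_id: str, nonce: bytes, response, now=None) -> bool:
        now = now if now is not None else time.time()
        entry = self.pending.pop(nonce, None)  # single use: consumed pass or fail
        if entry is None or entry[0] != device_id or response is None:
            return False
        if now - entry[1] > MAX_CHALLENGE_AGE:
            return False
        secret = self.enrolled.get(device_id)
        if secret is None:
            return False
        msg = b"unlock|" + device_id.encode() + b"|" + nonce
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def _setup():
    secret = os.urandom(32)  # constructed enrollment key for the example
    lock = SmartLock()
    lock.enroll("phone-1", secret)
    return lock, TrustedDevice("phone-1", secret)


def legitimate_unlock() -> bool:
    lock, phone = _setup()
    nonce = lock.challenge("phone-1")
    return lock.verify("phone-1", nonce, phone.respond(nonce, biometric_matched=True))


def replayed_response():
    """A captured valid response is useless a second time: the nonce is consumed."""
    lock, phone = _setup()
    nonce = lock.challenge("phone-1")
    resp = phone.respond(nonce, biometric_matched=True)
    return lock.verify("phone-1", nonce, resp), lock.verify("phone-1", nonce, resp)


def forged_response_without_key() -> bool:
    """Software on the phone OS that merely asserts 'user authenticated' cannot
    produce a valid response, because it never holds the enrolled key."""
    lock, _phone = _setup()
    nonce = lock.challenge("phone-1")
    fake = hmac.new(b"guessed-key", b"unlock|phone-1|" + nonce, hashlib.sha256).digest()
    return lock.verify("phone-1", nonce, fake)


def no_biometric_match() -> bool:
    lock, phone = _setup()
    nonce = lock.challenge("phone-1")
    return lock.verify("phone-1", nonce, phone.respond(nonce, biometric_matched=False))


def stale_challenge() -> bool:
    lock, phone = _setup()
    nonce = lock.challenge("phone-1", now=0.0)
    resp = phone.respond(nonce, biometric_matched=True)
    return lock.verify("phone-1", nonce, resp, now=MAX_CHALLENGE_AGE + 1)
```

The point of the split is visible in `SmartLock.verify`: the lock never trusts a "user is authenticated" claim from the phone; it only accepts a fresh, single-use challenge answered with the enrolled key, so a compromised phone OS without access to the secure element cannot produce one. A production design would use a per-device asymmetric key rather than a shared secret so the lock stores nothing that could forge responses.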
Mobile devices with embedded biometric sensors are changing how users authenticate to services they use every day, including email, social media and banking – and now physical access. Research firm Acuity Market Intelligence forecasts that within three years, biometrics will become a standard feature on smartphones as well as other mobile devices. What better use for these devices than to secure access to the connected lives developers and manufacturers are working hard to bring us?
Full Steam Ahead with Biometrics
The IoT is a revolution in how we communicate and interact with the world around us. It is a growing entity with almost as many security pitfalls as work and life advantages. There are many more devices to potentially be hacked, and when it comes to securing intellectual property and mission-critical applications, enterprises, financial institutions and government agencies cannot take chances.
Older forms of user authentication simply cannot combat today’s advanced and sophisticated security threats. Advances in biometric technology have enabled this method of authentication to be embedded in the mobile devices we use every day. It’s a scalable security solution that can help organisations of all types and sizes stay ahead of the cyber criminals.
George Avetisov is the CEO of HYPR Corp., a biometrics security platform provider. A former Webmaster, George has been interested in improving the Internet experience since building his first website at the age of 11—a fan page dedicated to his favorite childhood anime. At 19, he co-founded an online store generating more than $6 million in annual revenue at the time of his departure.