Who knew that a humble home router could become a cyber weapon? But that’s exactly what’s happening as more devices with IP addresses become connected. Hackers hijack routers, webcams, baby monitors and more to create botnets that can send networks crashing via distributed denial of service (DDoS) attacks.
This is the brave new world of the Internet of Things (IoT). The security vulnerabilities of the IoT are almost as varied as the devices and sensors connected to it. Industry analysts at ZK Research state that security is mandatory: “Users must have the highest level of trust and confidence that their personal information will not be compromised. Individual devices must be secure and their access to other network components must be limited based on role and utility.”
User authentication has always been a component of securing networks and data. It also has been something of an Achilles heel for enterprises, as demonstrated by the plethora of catastrophic data breaches. Existing methods for authentication, such as passwords aided by a second factor, are being rendered moot due to human error as well as the enhanced sophistication of malware and other attacks.
It’s clear that the user authentication approaches of the past are inadequate in the IoT era. A new paradigm is needed because the granting of physical access that the IoT brings will be unforgiving to solutions that are insecure, inconvenient, or both.
In other words, passwords produce inefficiencies that are untenable for the IoT, even when supported by a two-factor solution, be it hardware or software based. We’re accustomed to having instantaneous and seamless access to our analog homes, cars and other devices or appliances. Moving to connected iterations of the same residences, devices and appliances means we won’t have time or patience for slower, clumsier access. In fact, we’ll expect far more from a connected experience than we do from the present unconnected one.
Why Two-Factor Solutions Fail
As security breaches become more prevalent and sophisticated, the use of two-factor authentication (2FA), which typically combines a password with a second layer of protection, has gained prominence. These solutions were a step in the right direction for average computing, but a very small step, and one that will not protect or facilitate IoT use.
Why not? Chalk it up to human nature. People are creatures of habit with increasingly shorter attention spans, and they take the path of least resistance most of the time. Efforts to increase password complexity have failed because most people use the same common characters over and over. Inputting complex passwords is onerous, particularly when it comes to mobile devices. These devices are being used by a sea of humanity that can’t be bothered with complex passwords, which inevitably leads to weakened security.
There is another option: 2FA hardware tokens. However, they are cumbersome to use in the workplace and suffer from poor adoption. As a solution for the IoT, they will perform even more poorly. To use a 2FA token for authentication, a user first has to provide a password and then either plug the hardware token into their computer or punch in a six-digit code that appears on the token's display. This significantly increases the amount of time required to authenticate and requires users to manage a completely separate device. Additionally, a stolen or found token can be used by whoever holds it if that person also obtains the password, which is exactly what a phishing page delivers. If a token is lost, it needs to be replaced before a user can access company resources.
So, if the hardware doesn’t work, how about using a 2FA software-based solution? This doesn’t solve the problem, either. There are dozens of these available, but they don’t implement a unified protocol. This creates a fragmented authentication field where each 2FA solution is not interoperable with another. Lack of interoperability for computing is already a problem, and in the IoT it will be even more glaringly inefficient. What’s more, if fragmentation of this kind persists in the IoT, the IoT itself will fail. That is why agreed-upon specifications like the ones set forth by the FIDO Alliance are good for the IoT.
The Benefits of Biometric Authentication
A newer kid on the authentication block is biometric security, which answers the question, “Are you who you say you are?” with far more confidence than a shared secret can. A password can be stolen and replayed from anywhere in the world; a fingerprint can be copied, but the attacker needs a usable impression of the right finger, must get past the sensor’s liveness checks, and must present it at the sensor in person. The flip side is that a fingerprint cannot be changed if it leaks, so the biometric itself must never be transmitted or stored as a credential; it should only ever unlock a key held on the user’s device.
Biometrics have already entered the consumer market. The latest Apple and Samsung mobile phones, as well as many new desktop and laptop computers, contain embedded biometric sensors. These devices pair the sensor with isolated security hardware (a Trusted Execution Environment such as Apple’s Secure Enclave or ARM TrustZone on Android devices, or a Trusted Platform Module on PCs) that keeps the biometric template and the keys it releases out of reach of the device’s core operating system. A TPM and a TEE are different things: a TEE can run the matching itself, while a TPM protects keys and measurements but does not run application code. Either way the distinction from the main OS is what matters, as those core operating systems are susceptible to malware.
When verifying identity, the IoT adds a distinguishing requirement. When authenticating to a smart lock, or even a smart car, it is not enough for the user’s phone to decide that the user is verified and simply tell the lock so; malware on the phone could send that “user verified” message without any credential at all. Instead the lock must issue a fresh challenge and verify, with a public key it registered at pairing time, a signature that the phone’s secure hardware releases only after a genuine biometric match. Authentication is then split across both ends: the biometric match happens on the user’s device, and the cryptographic check happens in the lock. A secure lock becomes a standalone verification server that cannot be opened remotely without the presence of a trusted biometric device, and it never sees the biometric itself.
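The challenge-response split described above, and the FIDO-style interoperable model mentioned earlier, can be sketched in a few dozen lines. The following Go program is an added example for this article, not code from HYPR or from any FIDO specification. It assumes a P-256 ECDSA key pair as the device credential, stands in for the secure-hardware biometric matcher with a plain string comparison on a constructed template, and models the lock as storing nothing but registered public keys and one-time challenges.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the phone's secure hardware (TEE or Secure Enclave).
// It holds the private key and uses it only after a local biometric match. The
// biometric is modelled as a constructed template string (assumption); a real TEE
// runs the actual matcher and the template never leaves it.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	template string
}

func NewAuthenticator(template string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, template: template}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// digest binds a signature to one specific lock and one specific challenge, so a
// signature obtained for one lock cannot be presented to another.
func digest(lockID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(lockID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign releases a signature over (lockID, challenge) only if the presented sample
// matches the enrolled template; malware cannot take this path without the finger.
func (a *Authenticator) Sign(sample, lockID string, challenge []byte) ([]byte, error) {
	if sample != a.template {
		return nil, errors.New("biometric mismatch: key not released")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, digest(lockID, challenge))
}

// Lock is the smart lock: it stores only registered public keys and the challenges
// it has issued. It never sees a password or a biometric.
type Lock struct {
	ID         string
	registered map[string]*ecdsa.PublicKey
	pending    map[string][]byte
}

func NewLock(id string) *Lock {
	return &Lock{ID: id, registered: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Register enrols a user's public key, done once at pairing time.
func (l *Lock) Register(user string, pub *ecdsa.PublicKey) { l.registered[user] = pub }

// Challenge issues a fresh 32-byte nonce that the lock remembers for one use.
func (l *Lock) Challenge(user string) ([]byte, error) {
	if _, ok := l.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	l.pending[user] = c
	return c, nil
}

// Unlock opens only for a valid signature over the challenge this lock issued.
// The challenge is consumed, so a captured signature cannot be replayed.
func (l *Lock) Unlock(user string, sig []byte) bool {
	c, ok := l.pending[user]
	if !ok {
		return false
	}
	delete(l.pending, user)
	return ecdsa.VerifyASN1(l.registered[user], digest(l.ID, c), sig)
}

// Attempt runs one challenge-response round end to end and reports the outcome.
func Attempt(auth *Authenticator, lock *Lock, user, sample string) (bool, error) {
	c, err := lock.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(sample, lock.ID, c)
	if err != nil {
		return false, err
	}
	return lock.Unlock(user, sig), nil
}

func main() {
	auth, _ := NewAuthenticator("alice-fingerprint-template") // constructed sample data
	lock := NewLock("front-door")
	lock.Register("alice", auth.PublicKey())
	ok, err := Attempt(auth, lock, "alice", "alice-fingerprint-template")
	fmt.Println("genuine finger:", ok, err)
	ok, err = Attempt(auth, lock, "alice", "someone-else")
	fmt.Println("wrong finger:  ", ok, err)
}
```

Two properties fall out of the design rather than from any trust in the phone: a replayed signature fails because the lock deletes the challenge after one use, and a signature minted for a different lock fails because the lock ID is part of the signed digest. A production lock would additionally expire unanswered challenges and attest which authenticator model produced the key at registration time.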
Biometric sensors on these devices are changing the way that users authenticate to services they use every day, including email, social media, banking—and now even for physical access. Research firm Acuity Market Intelligence forecasts that within three years, biometrics will become a standard feature on smartphones as well as other mobile devices. What better use for these devices than to secure access to the connected lives developers and manufacturers are working hard to bring us?
The Future of IoT Security
ZK Research predicts that by 2020, the IoT will consist of 50 billion endpoints. That’s a lot more devices and sensors to potentially be hacked, and when it comes to securing intellectual property and mission-critical applications, enterprises and government agencies cannot take chances.
The security of usernames and passwords is thwarted by the human drive for ease and convenience, and 2FA options—hardware or software—have their own drawbacks that make them untenable for the IoT. Biometric authentication, however, offers the ease and convenience users want and the rock-solid user verification enterprises and manufacturers sorely need.
About the Author: George Avetisov is the CEO of HYPR Corp., a biometrics security platform provider. A former Webmaster, George has been interested in improving the Internet experience since building his first website at the age of 11—a fan page dedicated to his favorite childhood anime. At 19, he co-founded an online store generating more than $6 million in annual revenue at the time of his departure. George can be reached at [email protected].
Edited by Dominick Sorrentino