IoT Security: Why MFA Is Key

With a predicted market size in the tens of billions, the Internet of Things (IoT) is the new big hype. Given how broken the security of the current Internet is, it’s easy to imagine a scary IoT. Today, if you get hacked, whether you’re an individual or a business, you ‘only’ lose money, reputation, or intellectual property. When ‘things’ such as cars, health sensors, door locks, home appliances, home cameras, etc., are online, we’ll see a whole range of useful new services, but also tremendous implications for privacy and safety (see e.g. this infographic). Of course, some companies have been hit hard for neglecting IT security, but the rest of us could treat security as a costly option, start without it, and wait and see. (Un)fortunately, we can’t ignore safety obligations. This is not science fiction: security researchers have recently made public how they could break into an aircraft system – only from inside the aircraft though – or into a moving car – this time from outside, so the worst possible scenario has come true. Well, almost, since it was only security researchers this time.

A hot and timely topic

IoT security is the next hot topic; whisper it and you’ll get immediate VC attention. It’s not a blank page though: the ‘things makers’, unlike fresh new hype startups, have been familiar with safety requirements for a long time and can’t imagine connecting their ‘thing’ without taking appropriate security measures. For example, connected cars embed digital certificates protecting communications – and therefore the actions that can be performed remotely. Connected industrial devices embed electronic security modules. Of course there are still a lot of ‘dumb’, unprotected connected devices, but these are mostly objects connected behind a gateway using short-range (e.g. Bluetooth) radio networks. This is clearly a weak point, but the practicality and usually the consequences of attacks on such devices are limited, as long as the gateway itself is protected. That protection isn’t a given, as the examples mentioned above show. However, the industry reacts promptly to vulnerabilities exposed in such gateways and ‘patches’ them.

Nothing new: the user is the weak link

So, are we covered, and can we freely enjoy the promises of countless new services? Not quite yet. As we’ve known for years, the weak point is the user. We’ve seen how poorly passwords (or the users setting them) protect websites and services. Passwords (and users) won’t do any better with IoT. While disturbing and annoying, we got used to receiving emails from our websites telling us that “unfortunately, some information has been stolen despite all our efforts, you should change your password asap, and thank you for your trust, it won’t happen again”. Receiving a similar email from our car dealer or health device manufacturer would be frightening, and not just the first time that message was sent.

Where and why MFA greatly helps

How can we prevent that at a large scale? With MFA. Multi-factor authentication. Really? Yes! Beyond the fact that with IoT we can no longer look the other way as we used to (“yes, MFA, that’s great but, you know, our risks are quite limited so far” – understand “I fear it’s going to be expensive and complex, so let’s try to avoid it as long as we can”), there are many factors that make implementing MFA with IoT easier: user-IoT interactions are controlled with a mobile app on a smartphone; IoT clouds can be architected as applications (“relying parties”) requesting authorizations from a central system (“identity provider”) with commonly used standard protocols such as OAuth; and identity providers can seamlessly authenticate users from their mobile apps using secure and affordable MFA capabilities (inWebo has been a pioneer by launching a certified MFA application toolkit in … 2012).
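The relying party / identity provider split described above only pays off if the IoT cloud actually checks, before performing a safety-relevant action, that the user’s session was established with MFA rather than a password alone. The following Python example is an added illustration, not inWebo’s toolkit nor any vendor’s code: a toy identity provider issues a signed token carrying the standard `amr` (Authentication Methods References, RFC 8176) claim, and the IoT cloud enforces a policy that read-only actions accept any valid token while door unlocking or engine start requires an MFA-backed one. The HS256 shared key, the issuer URL, the audience name and the action names are constructed for the example; a real deployment would use the identity provider’s asymmetric keys and an OAuth/OpenID Connect library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the toy identity provider and relying party.
# Real deployments use asymmetric signing (RS256/ES256) and published public keys.
IDP_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
IDP_ISSUER = "https://idp.example"          # hypothetical issuer
IOT_CLOUD_AUDIENCE = "iot-cloud"             # hypothetical relying party id

# RFC 8176 amr values that indicate a second factor was used.
STRONG_AMR = {"mfa", "otp", "hwk"}
# Actions with physical-safety impact that must not run on a password-only session.
STEP_UP_ACTIONS = {"unlock_door", "start_engine"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject, audience, amr, ttl=300, now=None):
    """Identity provider side: mint a compact HS256 JWT whose amr claim lists
    the authentication methods the user actually completed."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": IDP_ISSUER, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "amr": list(amr)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(IDP_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, expected_aud, now=None):
    """Relying party side: check structure, algorithm, signature, issuer,
    audience and expiry. Returns the claims dict, or None on any failure."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":          # refuse alg=none and algorithm confusion
        return None
    expected = hmac.new(IDP_SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != IDP_ISSUER or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_device_action(token, action, now=None):
    """IoT cloud policy: safety-relevant actions require an MFA-backed token;
    everything else accepts any valid token. Returns an allow/deny string."""
    claims = verify_token(token, IOT_CLOUD_AUDIENCE, now=now)
    if claims is None:
        return "deny: invalid token"
    amr = set(claims.get("amr", []))
    if action in STEP_UP_ACTIONS and not (amr & STRONG_AMR):
        return "deny: step-up authentication required"
    return f"allow: {claims['sub']} may {action}"


if __name__ == "__main__":
    t0 = 1_700_000_000
    pwd_only = idp_issue_token("alice", IOT_CLOUD_AUDIENCE, ["pwd"], now=t0)
    with_mfa = idp_issue_token("alice", IOT_CLOUD_AUDIENCE, ["pwd", "otp", "mfa"], now=t0)
    print(authorize_device_action(pwd_only, "read_odometer", now=t0 + 10))
    print(authorize_device_action(pwd_only, "unlock_door", now=t0 + 10))
    print(authorize_device_action(with_mfa, "unlock_door", now=t0 + 10))
```

The point of the `amr` check is that “the identity provider supports MFA” is not the same as “this session used MFA”: the relying party has to read what the identity provider asserts about the login and tie the stronger requirement to the dangerous actions, otherwise a password-only session unlocks the car just the same.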

It’s about time

There’s no longer any missing, unstable, or expensive piece of technology standing in the way of unlocking your car doors with a swipe on your smartphone (and nobody else’s), whatever the make and model. Can we afford not to implement MFA?