What MFA do we need for the IoT?

What MFA for the IoT

As we should all know by now, 1/ everything is getting connected, the Internet is no longer about computers and servers only but also about billions of objects that once belonged to distinct categories, such as consumer electronics, automotive, medical devices, industrial and infrastructure systems etc. And 2/, security issues are going to be even larger and scarier in the era of the Internet of Things.

This raises a few questions for the cybersecurity industry, such as: Are we ready to address this challenge? Have we developed the right tools yet? The short answer is no.

What’s different with IoT security

To judge whether or not current cybersecurity approaches are valid for the IoT, one must ask the question of what’s different in the IoT compared to the “traditional” Internet. Let’s list some aspects: the scale of the IoT; the very limited computing power of some objects and as a direct(?) consequence, their limited protection; the heterogeneity of the IoT making it difficult to design a unified security approach; etc.

There’s one more aspect: connectivity. It has a direct impact on identification and authorization.

Authorization and access control in the IoT

With web applications, users are identified thanks to an authentication system (a password, an MFA solution) and subsequently authorized to use the application based on the rights associated with their profile. Is this still relevant in the IoT?

When you use your smartphone to remotely access a surveillance camera or a connected appliance in your home, you are authenticated by the service provider through an App (hopefully not just with a basic password…) so you access and control your home – not your neighbor’s – based on this verified identity. Connected in-car services such as payment, assistance, or entertainment work the same way. These services are provided from the Cloud after you have been authenticated through an interface such as the infotainment system of your car or an App on your smartphone. The authorization mechanisms used here are similar to the ones used for web applications.

However, connected services are not the only use cases in the IoT requiring access control and authorization. Think for instance of a car rental service. The resource – here, a car – might not be connected to the online reservation and authorization system when you want to access it. That car might even not have been connected since you rented it. Obviously, the service provider is not going to provision a password or a credential for you in each and every car in case you would rent it some day. Also, that would give you an unlimited access…

The current authentication model doesn’t work

What does it mean? Put simply: traditional authentication solutions can’t be used here. Unfortunately for authentication and IAM vendors, similar use cases – i.e., authorizing a user to a local, not-always connected resource – are going to be much more frequent in the IoT than the web-like use cases – i.e., authorizing a user to a cloud-based service.

Should we fix the connectivity or the model used for authentication?

Enhancing connectivity with WAN technologies such as LoRa is an interesting approach for localization purposes (to know where vehicles in a pool are, to locate your bike if it’s been stolen, etc.) but we won’t never get the universal and ubiquitous kind of connectivity that authorization and access control in the IoT require. Opening a door or proofing that one’s rights – a ticket for a performance or for a trip – are valid cannot rely on the coverage and availability of carrier networks (even without considering the costs of building and maintaining that connectivity into billions of objects).

As we’ve seen, the current authentication model doesn’t work, so let’s build a secure one that does.

What authentication do we need for the IoT?

As we’ve seen it, there are different access control use cases in the IoT.

When the need is to access a cloud-based service, the current authorization and authentication model works. What might be needed, however, is to adapt the technology used “at the edge” to the circumstances. What works when sitting in front of a computer – i.e., entering a PIN – might be inadequate or even dangerous when driving, for instance. inWebo in-App MFA framework has been built precisely for that purpose. The second authentication factor – by default a PIN – can be replaced by any biometric authentication technology such as speaker voice recognition, face or fingerprint recognition, etc.

Alternatively, when the need is to access a local resource or object, the authorization process needs to work without wide-area network connectivity. This is to say that the authorization decision must be taken locally by the object or resource. One of the implications is that the authorization cannot be made based on the identity of the user, because there’s no rationale or possibility to maintain identities with local objects. Instead of verifying the user identity, the object should verify that the user holds a valid right (the right to use that object), but also limitations to that right since, for instance, a car rental is only for specific days and times.

What security objectives for MFA in the IoT

Let’s finish by some comments on security. For a web application, the role of MFA is to prevent account takeover or impersonation, that is, that someone else than the legitimate user gets access to his or her account. This is achieved by protecting the authentication factors (if you’re interested in the topic, you can read this page about MFA security).

With a local resource, the role of MFA is not about the user but about the rights. A first objective is to prevent the copy of the rights – the same way complex locks have been designed to prevent local locksmiths from copying keys, or at least, to have a control on who could copy them. A second objective is to prevent the user from changing the rights. Indeed, with the same example, once you’ve rented a car and obtained a valid key, you would be able to access it at any time later on just by changing locally – i.e., in your smartphone – the parameters of your booking.

MFA for IoT is an exciting new field, the same way MFA for web applications was open for innovation 10 years ago. We can expect to see new, innovative players emerge to address the challenge and the opportunity. inWebo is definitely one of them, and we’ve just released our secure framework for local authorization, called IWLA.

Written by Didier PERROT

Didier is the CEO & Founder at inWebo. He’s looking at innovation, business models, and technologies in the online identity and authentication areas

If you liked reading this post, please share it on your favorite social networks using the buttons next to the title. Thank you!