How FIDO-based biometric technology clears up the IoT authentication mess
IoT devices can be a security nightmare for businesses and consumers alike. Now that they are part of daily operations and enterprise networks, they put data and personal information at constant risk unless traditional authentication methods such as the username and password are replaced.
Nok Nok Labs may have found part of the answer with what it calls the industry’s first IoT SDK, an authentication solution for both standalone IoT devices and IoT devices connected to a cloud service. The company already offers passwordless, FIDO-based biometric authentication for mobile and web applications, so IoT was the next logical step.
About four years ago, in late 2016, more than 145,000 compromised cameras, routers and other connected devices were enlisted in the Mirai botnet, which launched DDoS attacks peaking at 1.1 terabits per second. Mirai recruited its devices simply by logging in with factory-default usernames and passwords, so the crippling attacks confirmed both the damage an IoT botnet can do and how vulnerable connected devices really are. As Dr. Rolf Lindemann, vice president of Products at Nok Nok Labs, told Biometric Update, there could not have been a better time to bring the IoT SDK to market, because it can prevent threat actors from obtaining administrative access to devices and manipulating them.
Since Mirai, regulators have gradually started paying more attention. California’s connected-device security law, signed in 2018, took effect on January 1 and, among other things, bars shipping devices with a shared default password. With ENISA pursuing similar initiatives in Europe, there is clearly broad concern about the vulnerabilities created by default passwords and a strong desire to make connected-device security more robust, Dr. Lindemann says.
He further explains that IoT user-to-device authentication is the weakest link and needs to be improved immediately if the industry is serious about more secure IoT solutions. Given the number of IoT devices reaching the market, the technology arrives at the right time, he says.
The starting point for the IoT SDK concept
Many consumers have equipped their homes with smart devices ranging from smart doorbells and security cameras to thermostats, all hanging off the same Wi-Fi router, which typically allows remote login with a username and password. According to Dr. Lindemann, nobody goes back to check the log files for credential stuffing or brute-force attacks, and, worse, there is often no real protection against them in the first place. This is why there is a pressing need for technology that does not require high maintenance or extra effort to run, and that does not depend on compensating controls, he explains.
The greatest challenge was bringing the authentication technology to small devices, but FIDO authentication had already proven flexible and effective for both web and mobile apps. In fact, Dr. Lindemann says, case studies of FIDO deployments saw “a substantial reduction in account takeover attacks, phishing, credential stealing attacks and password stuffing attacks, which were not effective against FIDO solutions.”
It took a long time to get to this point, though. When companies were first presented with FIDO standards and authentication, most found the concept appealing and saw that it addressed a need, but still doubted how practical it was. For Dr. Lindemann, this was the starting point for seriously considering an IoT SDK that could be integrated into IoT devices and let users roll out strong authentication based on the biometric modalities the device supports.
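The monitoring gap described above is easy to close in principle. The following Go program is an added example written for this page (it is not Nok Nok Labs code and does not appear in the original article): it scans authentication log lines in OpenSSH’s format, counts failed logins per source address inside a sliding time window, separates a single account being hammered from many accounts being tried, and notes whether a successful login followed the burst, which is the signal that matters most. The hostname, addresses, usernames and timestamps in the sample are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample lines in OpenSSH's auth-log format; host, addresses and times are made up.
const sampleLog = `Jan 12 03:14:01 gw sshd[812]: Failed password for admin from 203.0.113.7 port 51422 ssh2
Jan 12 03:14:02 gw sshd[813]: Failed password for admin from 203.0.113.7 port 51423 ssh2
Jan 12 03:14:03 gw sshd[814]: Failed password for admin from 203.0.113.7 port 51424 ssh2
Jan 12 03:14:04 gw sshd[815]: Failed password for admin from 203.0.113.7 port 51425 ssh2
Jan 12 03:14:05 gw sshd[816]: Failed password for admin from 203.0.113.7 port 51426 ssh2
Jan 12 03:14:06 gw sshd[817]: Accepted password for admin from 203.0.113.7 port 51427 ssh2
Jan 12 03:20:00 gw sshd[900]: Failed password for invalid user pi from 198.51.100.4 port 40001 ssh2
Jan 12 03:20:01 gw sshd[901]: Failed password for root from 198.51.100.4 port 40002 ssh2
Jan 12 03:20:02 gw sshd[902]: Failed password for invalid user ubnt from 198.51.100.4 port 40003 ssh2
Jan 12 03:20:03 gw sshd[903]: Failed password for invalid user support from 198.51.100.4 port 40004 ssh2
Jan 12 03:20:04 gw sshd[904]: Failed password for admin from 198.51.100.4 port 40005 ssh2
Jan 12 05:00:00 gw sshd[950]: Failed password for admin from 192.0.2.10 port 55000 ssh2
Jan 12 05:30:00 gw sshd[951]: Accepted password for admin from 192.0.2.10 port 55001 ssh2`

var authRE = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+`)

type event struct {
	t       time.Time
	success bool
	user    string
}

// Finding summarises one source address that crossed the threshold.
type Finding struct {
	IP             string
	Failures       int    // most failures seen inside one window
	DistinctUsers  int    // distinct usernames tried from this address
	Kind           string // one account hammered, or many accounts tried
	SucceededAfter bool   // a later successful login from the same address: likely takeover
}

// Detect parses the lines and flags sources with >= threshold failures inside window.
func Detect(logText string, window time.Duration, threshold int) []Finding {
	byIP := map[string][]event{}
	for _, line := range strings.Split(logText, "\n") {
		m := authRE.FindStringSubmatch(line)
		if m == nil {
			continue // not an auth line this example understands
		}
		ts, err := time.Parse("Jan _2 15:04:05", m[1]) // syslog timestamps carry no year
		if err != nil {
			continue
		}
		byIP[m[4]] = append(byIP[m[4]], event{t: ts, success: m[2] == "Accepted", user: m[3]})
	}
	var out []Finding
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].t.Before(evs[j].t) })
		var fails []event
		users := map[string]bool{}
		for _, e := range evs {
			if !e.success {
				fails = append(fails, e)
				users[e.user] = true
			}
		}
		// Sliding window over the sorted failures: the most that fit inside `window`.
		peak, lo := 0, 0
		for hi := range fails {
			for fails[hi].t.Sub(fails[lo].t) > window {
				lo++
			}
			if n := hi - lo + 1; n > peak {
				peak = n
			}
		}
		if peak == 0 || peak < threshold {
			continue
		}
		f := Finding{IP: ip, Failures: peak, DistinctUsers: len(users), Kind: "single-account brute force"}
		if len(users) > 1 {
			f.Kind = "multi-account spraying or credential stuffing"
		}
		lastFail := fails[len(fails)-1].t
		for _, e := range evs {
			if e.success && !e.t.Before(lastFail) {
				f.SucceededAfter = true
			}
		}
		out = append(out, f)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, f := range Detect(sampleLog, time.Minute, 5) {
		fmt.Printf("%-13s %-46s failures=%d users=%d success-after=%v\n",
			f.IP, f.Kind, f.Failures, f.DistinctUsers, f.SucceededAfter)
	}
}
```

Run against the sample with a 60-second window and a threshold of five, the scan flags 203.0.113.7 (one account, five failures, then a success: the account was most likely guessed) and 198.51.100.4 (five different usernames in five seconds: a spray), and ignores the single mistyped password from 192.0.2.10. Tightening the window to two seconds drops both findings, which is the trade-off any threshold-based rule makes.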
Future deployment opportunities for IoT SDK, FIDO authentication
The IoT SDK leverages the flexibility and security of FIDO authentication and can be implemented on any small device, such as a router or a video camera. It offers countless deployment opportunities, but the most pertinent are probably connected cars and smart cities, Dr. Lindemann argues. The IoT SDK could be used to open a car door or to unlock a device and activate it, and it could just as easily be deployed in a chemical storage facility to ensure that the data reported by sensors is genuine and has not been injected by a threat actor.
Another deployment scenario is authenticating robots or machines for maintenance in industrial spaces that require human interaction. Passwords have long been overused as a security mechanism, but they are a weak authentication method for a landscape that demands both more user convenience and stronger security, Dr. Lindemann points out.
The financial industry could also benefit greatly from Nok Nok Labs’ latest release, as it already anticipates a future in which smart machines take over the payment process from the average user. Dr. Lindemann says we may be closer than ever to autonomous cars paying for parking, so it is critical to deploy strong authentication to ensure the data is authentic, rather than relying on network-layer protection alone.
Increasing attacks on data at the edge, national security at risk
When asked about a potential spike in the number of attacks targeting data at the edge, Dr. Lindemann believes “we’re seeing only the tip of the iceberg.”
“An attack trend is definitely coming,” he says. “Regulators are stepping in to say this has potential to affect national security, so, at a national level, we have to make sure that our economy is protected against those types of attacks. Our solution is a very important piece of the puzzle and helps the industry protect the IoT much better.”
Attackers who compromise a router can go on to steal credentials from the servers behind it; a user authentication solution like the Nok Nok IoT SDK protects the device itself from credential-stealing attacks. Many companies wrongly assume they have a secure network perimeter, but “this secure network perimeter notion is just not correct.” Dr. Lindemann warns against the common argument that individual devices do not need their own security because the network layer protects them.
“Those things typically don’t work because there is some way for an attack to break into a single device if it’s not well protected, and then make a lateral movement to other devices,” he says. “This is where our authentication solution comes in to make sure that the devices’ front door is really closed, meaning it’s harder for an attacker to break into a device in the first place.”
What to expect from security regulations
Looking ahead, more payment solutions will likely be released on the European market, and they will have to comply with local regulation such as PSD2 and GDPR. Because there is a strong need for robust, convenient customer authentication, Dr. Lindemann believes more companies will adopt FIDO authentication to strengthen payment authorization.
The industry has already been greatly affected by the GDPR and CCPA privacy regulations, and similar rules will probably make their way into other regions. One side effect, Dr. Lindemann says, is that because users can now demand access to the data companies have collected on them, there is an even greater need for strong authentication to ensure the information is released only to the legitimate user, the actual owner of the data. “In some way, we are helping to implement compliance and provide compliance to data privacy regulations by making it easy to authenticate users,” he says.
Biometric technology adoption brings more standards-based testing
The FIDO Alliance has been very productive with biometric certifications, and a good number of devices have already been certified. While the early focus was on telling apart fingers belonging to two different people, testing has evolved to measure consistently accurate verification. Presentation attack detection (PAD) is more challenging, however, because an attacker can craft a rubber finger to mimic a genuine one. The Alliance is currently working with the International Organization for Standardization (ISO) on security certifications and testing for these types of attacks.
Consumers growing comfortable with biometric authentication solutions
Judging by what has happened over the last six years, consumers are clearly growing comfortable with biometric authentication. When the FIDO journey began, Dr. Lindemann explains, there were many concerns about biometric data, how it was stored and where it was sent, but consumers quickly learned that with FIDO “fingerprint and even facial recognition do not mean your biometric data is sent off to the server, it is kept locally in the device.” Privacy remains important, but consumers have also learned that biometrics are more convenient than remembering usernames and passwords.
February was a landmark month, as Apple joined the FIDO Alliance, a move Nok Nok Labs welcomed. Now that Apple has embraced FIDO standards, it is clearly “a signal to the market” and “the last missing piece of the puzzle.”
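The two properties Dr. Lindemann points to, that phishing and credential stuffing do not work against FIDO and that the biometric never leaves the device, both follow from the same mechanism: the server holds only a public key, and the device signs a fresh server challenge bound to the relying party’s identity after a local user-verification step. The Go program below is an added example written for this page, not Nok Nok Labs code and not part of the original article. It is a deliberately simplified FIDO-style flow that omits attestation, signature counters and the real CTAP/WebAuthn message formats; the relying-party ID “camera.example” and the look-alike “camera-login.example” are made-up names, and the biometric match is modelled as a boolean gate in front of the device-held private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is the authenticator's reply: what it signed, plus the signature.
type Assertion struct {
	RPIDHash  [32]byte // SHA-256 of the relying-party ID the device believes it is talking to
	Challenge [32]byte // server nonce, single use
	Sig       []byte   // ASN.1 ECDSA signature over SHA-256(RPIDHash || Challenge)
}

// Authenticator models the device: one key pair per relying party, usable only after a
// local user-verification gate (fingerprint, face, PIN). The match result is a boolean
// here; the biometric template itself is never part of the protocol.
type Authenticator struct {
	Keys         map[string]*ecdsa.PrivateKey
	UserVerified bool
}

// Register mints a key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.Keys[rpID] = priv
	return &priv.PublicKey, nil
}

// digest binds the signature to both the RP ID and the fresh challenge.
func digest(rpIDHash, challenge [32]byte) []byte {
	d := sha256.Sum256(append(rpIDHash[:], challenge[:]...))
	return d[:]
}

// Sign answers a challenge on behalf of rpID. A look-alike phishing origin has no
// credential registered under its own ID, so nothing is ever signed for it.
func (a *Authenticator) Sign(rpID string, challenge [32]byte) (Assertion, error) {
	if !a.UserVerified {
		return Assertion{}, errors.New("local user verification failed")
	}
	priv, ok := a.Keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential for " + rpID)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpIDHash, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: rpIDHash, Challenge: challenge, Sig: sig}, nil
}

// Server models the relying party: it stores public keys only, so a database leak
// yields nothing that can be replayed here or stuffed into another service.
type Server struct {
	RPID    string
	PubKey  *ecdsa.PublicKey
	Pending map[[32]byte]bool // outstanding challenges
}

// NewChallenge issues a fresh random nonce and remembers it until it is consumed.
func (s *Server) NewChallenge() ([32]byte, error) {
	var c [32]byte
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	s.Pending[c] = true
	return c, nil
}

// Verify rejects replays, assertions bound to another RP ID, and bad signatures.
func (s *Server) Verify(as Assertion) error {
	if !s.Pending[as.Challenge] {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.Pending, as.Challenge)
	want := sha256.Sum256([]byte(s.RPID))
	if want != as.RPIDHash {
		return errors.New("assertion was produced for a different relying party")
	}
	if !ecdsa.VerifyASN1(s.PubKey, digest(want, as.Challenge), as.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth := &Authenticator{Keys: map[string]*ecdsa.PrivateKey{}, UserVerified: true}
	pub, _ := auth.Register("camera.example")
	srv := &Server{RPID: "camera.example", PubKey: pub, Pending: map[[32]byte]bool{}}
	c, _ := srv.NewChallenge()
	as, _ := auth.Sign("camera.example", c)
	fmt.Println("genuine login:", srv.Verify(as))      // <nil>
	fmt.Println("replayed assertion:", srv.Verify(as)) // rejected: challenge already consumed
	_, err := auth.Sign("camera-login.example", c)
	fmt.Println("look-alike origin:", err) // rejected: no credential for that RP ID
}
```

Three failure modes are worth tracing through the code. A captured assertion cannot be replayed because the server consumes each challenge once. A phishing page at camera-login.example gets nothing to relay because the device has no credential for that RP ID, and even if the user had enrolled there separately, an assertion carrying that RP ID hash is refused by camera.example. Finally, a dump of the server’s database contains only public keys, so there is no password hash to crack and nothing that can be stuffed into another site.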