In 2013, according to IDC, the digital universe contained 4.4 zettabytes of data. By 2020, that figure will surge to 44 zettabytes. This 10x jump in data is the result of the explosion of mobile devices, cloud services and the millions of sensors and communicating devices sending and receiving data over the Internet. Welcome to the “Internet of Things.”
This brave new world of massive interconnectedness means that networks now potentially have billions of end points, and the security implications are clear. The mobile industry was already struggling to authenticate users, and it is becoming more and more difficult. Existing methods for authentication, such as passwords aided by a second factor, are being rendered moot due to human error as well as the enhanced sophistication of malware and other attacks.
Consequently, it’s time to construct a new framework for approaching authentication. A new paradigm is needed because the granting of physical access that the IoT brings will be unforgiving to solutions that are insecure, inconvenient, or both. That is, the use of passwords, even when supported by a two-factor hardware or software solution, presents insecurities and inefficiencies that are untenable for the IoT. We’re accustomed to having instantaneous and seamless access to our analog homes, cars and other devices or appliances. Moving to connected iterations of the same residences, devices and appliances means we won’t have time or patience for slower, clumsier access. In fact, we’ll expect far more from a connected experience than we do from the present unconnected one.
The fault in two-factor solutions
As security breaches have escalated in both number and sophistication, the use of two-factor authentication – combining a password with a second layer of protection – has risen as well. These solutions were a step in the right direction for average computing, but a very small step, and one that will neither protect nor facilitate IoT use.
The problem with passwords is that they are subject to misuse by their users. Efforts to increase password complexity have failed simply because most people use the same common characters over and over. Inputting complex passwords is onerous, particularly when it comes to mobile devices, and mobile devices are part of why the IoT is not only possible but flourishing.
To use a 2FA token for authentication, a user first has to provide a password and then either plug the hardware token into their computer or type in a six-digit code that appears on the token’s display. This significantly increases the amount of time required to authenticate and also requires users to manage a completely separate device. And if a token gets lost or stolen, it can potentially be used by the person who stole or found it. The token would need to be replaced before a user could access company resources. Two-factor hardware tokens are a usability nightmare in the workplace, and for the IoT they will perform even more poorly. Newer NFC tokens offer improved usability, but they still have to be carried separately and must be near the “thing” being authenticated.
So, it’s clear that 2FA hardware tokens are not going to work, but 2FA software-based solutions don’t remedy the situation, either. Dozens of these solutions are available, but they don’t implement a unified protocol, which creates a fragmented authentication field in which no 2FA solution is interoperable with another. Lack of interoperability for computing is already a hassle, and in the IoT it will be even more glaringly inefficient. What’s more, if fragmentation of this kind persists in the IoT, the IoT itself would fail, and that is why agreed-upon specifications of chips and devices are good for the IoT.
The modern security solution
If none of these methods will work for the IoT, where else is there to turn? Biometric authentication. It is a conclusive, logical way to prove one’s identity – a password can be replicated, for instance, but a fingerprint cannot.
This form of authentication has already begun to enjoy consumer adoption. New Apple and Samsung mobile phones, as well as many new desktop and laptop computers, contain embedded biometric sensors. These devices also include a trusted platform module or trusted execution environment that handles the validation of biometric information separately from the device’s core operating system. This is an important distinction as those core operating systems are susceptible to malware.
Here is a specific example of how biometrics improve authentication in the IoT: When authenticating to a smart lock, or even a smart car, it is important that the authentication take place on the smart device rather than on the user’s end. Malware may be used to spoof the authenticated user identity and unlock a smart node without the proper credentials. By embedding validation capability directly into a smart lock, the authentication is effectively split across both the user’s mobile device and the lock itself. A secure lock becomes a standalone biometric validation server and cannot be remotely authenticated without the presence of a trusted biometric device.
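The split described above can be sketched as a challenge-response exchange in which the lock itself decides whether to open. This is an added example, not code from the article or from any product; it assumes a key shared between lock and phone at enrollment and stands in for the phone's biometric match with a boolean, and all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

class SmartLock:
    """Lock-side validator: issues one-time challenges and verifies responses locally."""
    def __init__(self):
        self._keys = {}        # device_id -> key provisioned at enrollment (assumed scheme)
        self._pending = set()  # challenges issued but not yet consumed

    def enroll(self, device_id):
        self._keys[device_id] = secrets.token_bytes(32)
        return self._keys[device_id]

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def unlock(self, device_id, nonce, response):
        if nonce not in self._pending:
            return False                  # unknown or already-used challenge (replay)
        self._pending.discard(nonce)      # each challenge is single use
        key = self._keys.get(device_id)
        if key is None or not isinstance(response, bytes):
            return False                  # unenrolled device, or no response produced
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class TrustedDevice:
    """Phone side: the enrolled key is used only after a local biometric match."""
    def __init__(self, device_id, key):
        self.device_id, self._key = device_id, key

    def respond(self, nonce, biometric_ok):
        if not biometric_ok:              # boolean stands in for the TEE's match result
            return None
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

def demo():
    lock = SmartLock()
    phone = TrustedDevice("phone-1", lock.enroll("phone-1"))
    n1 = lock.challenge()
    r1 = phone.respond(n1, biometric_ok=True)
    ok = lock.unlock("phone-1", n1, r1)        # enrolled device, biometric matched
    replay = lock.unlock("phone-1", n1, r1)    # same message captured and resent
    spoofed = lock.unlock("phone-1", lock.challenge(), secrets.token_bytes(32))
    n3 = lock.challenge()
    no_match = lock.unlock("phone-1", n3, phone.respond(n3, biometric_ok=False))
    return ok, replay, spoofed, no_match
```

Only the first attempt opens the lock: a replayed response, a response forged without the enrolled key, and a request made without a biometric match are all rejected by the lock's own check.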
Biometric-equipped devices are changing the way users authenticate themselves to services they use every day, including e-mail, social media, banking – and now physical access. Research firm Acuity Market Intelligence forecasts that within three years, biometrics will become a standard feature on smartphones as well as other mobile devices. What better use for these devices than to secure access to the connected lives that developers and manufacturers are working hard to bring us?
Reliable, convenient security
No longer a buzzword or the gleam in a developer’s eye, the IoT is now a legitimate fixture of the human experience. Gartner analysts predict that by 2020 the IoT will consist of some 26 billion connected devices. That’s a lot more devices to potentially be hacked, and when it comes to securing intellectual property and mission-critical applications, the mobile industry cannot take chances. Previous authentication efforts have proven ineffective or unworkable for the context of the IoT, yet authentication has never been more important – or more problematic. Biometric security offers a scalable and convenient approach for strong user authentication that mobile organizations can provide to keep themselves and their users safe.
George Avetisov is the CEO of HYPR Corp., a biometrics security platform provider. A former webmaster, Avetisov has been interested in improving the Internet experience since building his first website at the age of 11 – a fan page dedicated to his favorite childhood anime. At 19, he co-founded an online store generating more than $6 million in annual revenue at the time of his departure. Avetisov can be reached at george@hypr.com.
Editor’s Note: The RCR Wireless News Reality Check section is where C-level executives and advisory firms from across the mobile industry share unique insights and experiences.