USER AUTHENTICATION IN THE IOT: WHAT THE FINANCIAL INDUSTRY NEEDS TO KNOW

By George Avetisov, CEO and co-founder, HYPR Corp.

ZK Research reports that the Internet of Things (IoT) will have 50 billion endpoints by 2020. With the outbreak of data breaches as just one example, it takes little imagination to anticipate the security challenges that all these network connections pose.

In this environment ripe for increased cyber crime, banks and financial institutions are required to navigate the choppy waters of user authentication with even greater resolve. Existing methods for authentication, such as passwords aided by a second factor, are being rendered moot due to human error as well as the enhanced sophistication of malware and other attacks. A new paradigm is needed because the granting of physical access that the IoT brings will be unforgiving to solutions that are insecure, inconvenient, or both.

Passwords are insecure and inefficient, which won’t work in the IoT – even when supported by a hardware or software two-factor solution.  We’re accustomed to having access to our analog homes, cars and other devices or appliances being instantaneous and seamless.  Moving to connected iterations of the same residences, devices and appliances means we won’t have time or patience for slower, clumsier access. In fact, we’ll expect far more from a connected experience than we do from the present unconnected one.

How Two-Factor Solutions Fall Short

With the rise in sophisticated and relentless attacks against the network, the use of two-factor authentication (2FA), which typically combines a password with a second layer of protection, has risen. These solutions were a step in the right direction for average computing, but a tiny step, and one that will not protect or facilitate IoT use.

Attempts to improve password complexity, to in turn shore up this eroding security strategy, have failed because most people use the same common characters over and over. Inputting complex passwords is burdensome, particularly when it comes to mobile devices, and mobile devices are part of why the IoT is not only possible but also flourishing.

Hardware tokens used in 2FA were always unpopular in the workplace, and they will fair even worse in the IoT. To use a 2FA token for authentication, a user first has to provide a password and then either plug the hardware token into their computer or punch in a six-digit code that appears on the token’s display.  This multiplies the time required to authenticate and also requires users to manage a completely separate device. People will struggle to ponder a use case for hardware 2FA in the IoT.

Another factor that makes hardware tokens a bad idea: When a token is stolen, it potentially can be used by the person who stole, or found, it. When a token is lost, it must be replaced before a user can access company resources.

In an Internet world, it seems like a 2FA software-based solution would be the answer. There are dozens of these available, but they don’t implement a unified protocol. This creates a fragmented authentication field where each 2FA solution is not interoperable with another. Lack of interoperability for computing is already a hassle and in the IoT it will be even more glaringly inefficient.  What’s more, if fragmentation of this kind persists in the IoT, the IoT itself would fail, and that is why agreed-upon specifications like the ones the FIDO Alliance™ put forth are good for the IoT.

The Benefits of Going Biometric

Passwords and 2FA aren’t up to the challenge of user authentication for the IoT. What else is there? Enter biometric security, which addresses the problem of authentication by answering the question, “Am I who I say I am?” Biometric authentication is a conclusive, logical way to prove one’s identity – a password can be replicated, for instance, but a fingerprint scanned with a decent sensor cannot.

This is a major step forward in the cause of authentication. The latest Apple and Samsung mobile phones, as well as many new desktop and laptop computers, contain embedded biometric sensors. These devices also include a Trusted Platform Module, or Trusted Execution Environment, that handles the validation of biometric information separately from the device’s core operating system. This is an important distinction, as those core operating systems are susceptible to malware.

Another major reason that authentication takes place on the smart device rather than on the user’s end: When authenticating to a smart lock, or even a smart car, malware may be used to spoof the authenticated user identity and unlock a smart node without the proper credentials. However, by embedding validation capability directly into a smart lock, the authentication is effectively split across both the user’s mobile device and the lock itself. A secure lock becomes a standalone biometric validation server and cannot be remotely authenticated without the presence of a trusted biometric device.

This new type of biometric-enabled process has the ability to change the way that users authenticate to services they use every day, including email, social media, banking – and now for physical access.  Research firm Acuity Market Intelligence forecasts that within three years, biometrics will be a standard feature on smartphones as well as other mobile devices. What better use for these devices than to secure access to the connected lives developers and manufacturers are working hard to bring us?

George Avetisov
George Avetisov

The Future of Authentication is Here

Low-cost sensors, the explosion of mobile device adoption and the rise of cloud computing are just a few of the factors driving the Internet of Things. Gartner analysts predict that by 2020, the IoT will consist of some 26 billion connected devices. That’s a lot more devices to potentially be hacked, and when it comes to securing sensitive data and mission critical applications, financial institutions must be vigilant.

Proper vigilance means not relying on passwords alone, or even 2FA software – which introduces its own security vulnerabilities with it. And hardware tokens are impractical, cumbersome and susceptible to falling into the wrong hands. In contrast, biometric authentication offers significant security advantages. Leading-edge technologies make this method easy to implement and scalable as well, offering the financial industry the strongest authentication available today.

George Avetisov is the CEO of HYPR Corp., a biometrics security platform provider. A former Webmaster, George has been interested in improving the Internet experience since building his first website at the age of 11—a fan page dedicated to his favorite childhood anime. At 19, he co-founded an online store generating more than $6 million in annual revenue at the time of his departure. George can be reached at george@hypr.com

Comments are closed