New FIDO Protocol Simplifies IoT Device Onboarding
Standard Designed to Cut the Cost and Time to Securely Connect IoT Devices
The FIDO Alliance, an association that has developed voluntary authentication standards with a goal of minimizing the use of passwords, has launched an onboarding protocol for IoT devices that's designed to enhance security.
The onboarding protocol uses asymmetric public key cryptography to provide a fast and secure way of onboarding IoT devices to any device management system.
The new FIDO Device Onboard protocol "will enable businesses to truly take advantage of the full IoT opportunity by replacing the current manual onboarding process with an automated, highly secure industry solution," says Christine Boles, vice president, IoT group at Intel.
Andrew Shikiar, executive director at the FIDO Alliance, notes: “Businesses recognize the huge potential of IoT and the enormous benefits it can bring to manufacturing, retail, healthcare, transportation, logistics and more. The paradigm needs to shift immediately so we can move IoT technologies ahead with safer, stronger and more secure means of authentication for these important uses in industrial and commercial environments.”
Representatives of Intel, Amazon, Google, Microsoft, Qualcomm, ARM and the FIDO Alliance’s IoT Technical Working Group collaborated on the protocol's development.
The new FIDO protocol calls for using a single device SKU (Stock Keeping Unit, the product identifier) that can be onboarded to any platform, rather than a separate build per target platform. FIDO says this approach lets onboarding be carried out quickly and efficiently.
The protocol relies on asymmetric public key cryptography, which lets device managers provision a device with whatever keys, secrets, credentials and associated data its platform requires for remote management, adding flexibility in how devices connect to IoT platforms.
The new protocol will make it more difficult for third parties to track information about a device’s progress from manufacturing to ownership, resale or decommissioning, FIDO says.
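The "single SKU, any platform" and supply-chain privacy claims above rest on late binding: the device leaves the factory trusting only its manufacturer's key, and ownership is passed along in a signed, transferable credential (the ownership voucher in the published FDO specification). The Go sketch below is an added illustration written for this article, not FDO's code and not wire-compatible with it; it assumes Ed25519 keys and SHA-256 link hashes as a simplification.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
)

// Entry is one ownership transfer: the previous holder signs the next owner in.
type Entry struct {
	PrevHash []byte // hash of the link this entry extends
	Owner    ed25519.PublicKey
	Sig      []byte // made by the holder recorded in the previous link
}
// Voucher travels with the device; the device itself is bound only to MfgKey.
type Voucher struct {
	DeviceGUID []byte
	MfgKey     ed25519.PublicKey
	Entries    []Entry
}
// h is the simplified link hash assumed here (SHA-256 over the concatenation).
func h(parts ...[]byte) []byte {
	s := sha256.Sum256(bytes.Join(parts, nil))
	return s[:]
}

// Transfer extends the chain while the device is offline: the current holder
// (manufacturer or owner) signs the next owner's key over the previous link.
func (v *Voucher) Transfer(holder ed25519.PrivateKey, next ed25519.PublicKey) {
	prev := h(v.DeviceGUID, v.MfgKey)
	if n := len(v.Entries); n > 0 {
		e := v.Entries[n-1]
		prev = h(e.PrevHash, e.Owner, e.Sig)
	}
	v.Entries = append(v.Entries, Entry{prev, next, ed25519.Sign(holder, h(prev, next))})
}

// DeviceVerify is the onboarding check: the device trusts only the factory-installed
// hash of the manufacturer key, then walks every link; nil means reject.
func DeviceVerify(v *Voucher, trustedMfgHash []byte) ed25519.PublicKey {
	if !bytes.Equal(h(v.MfgKey), trustedMfgHash) {
		return nil
	}
	signer, expect := v.MfgKey, h(v.DeviceGUID, v.MfgKey)
	for _, e := range v.Entries {
		if !bytes.Equal(e.PrevHash, expect) || !ed25519.Verify(signer, h(e.PrevHash, e.Owner), e.Sig) {
			return nil
		}
		signer, expect = e.Owner, h(e.PrevHash, e.Owner, e.Sig)
	}
	return signer
}
```

The device learns its final owner only when it runs DeviceVerify at onboarding, so no intermediary has to register the device with a platform ahead of time, and a link signed by anyone other than the recorded holder is rejected.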
IoT Regulatory Activity
Research, analysis and advisory company IDC predicts the IoT market will maintain double-digit annual growth, and spending on IoT devices will surpass $1 trillion in 2022.
In light of the explosion of IoT devices, the U.K., European Union and United States have taken regulatory action.
The U.K. Department for Digital, Culture, Media & Sport has proposed new regulations that would create standards for built-in cybersecurity of smart devices and force manufacturers to be transparent about security.
Under the proposal, Apple, Samsung, Google and other manufacturers would have to specify when smart devices will stop getting security updates. The U.K. government also plans to ban manufacturers from using default passwords, which are often preset in a device’s factory settings.
Niamh Muldoon, global data protection officer at OneLogin, notes, "This new (U.K.) standard coming into effect establishes a baseline and guidance for manufacturers who need to be held responsible for following the best practices when designing 'connected' devices. Although such standards won’t eliminate all vulnerabilities, they could bring order to what is right now the 'Wild West' of IoT."
George Daglas, chief operating officer, Obrela Security Industries, says that under the U.K. proposal, "IoT vendors will now be forced to apply security measures into the development stages of products, rather than bolting them on at the end or leaving users to optionally apply them. This is long overdue, particularly considering that smartphones are now one of the primary ways consumers shop and bank online."
In the U.S., a new federal law requires that IoT devices procured by government agencies meet minimum security standards. The Internet of Things Cybersecurity Improvement Act of 2020 requires federal agencies to only procure devices that meet minimum cybersecurity standards and establishes a vulnerability reporting and notification program (see: First Federal IoT Security Legislation Becomes Law).