The growth of the Internet of Things is undeniable. Over the last decade, a number of small and low-powered IoT devices have emerged on the market. This has helped solve headaches for workers across several different industries and made our everyday lives a lot easier.
However, this growth has also brought new challenges to IoT security and privacy. Whether that’s rogue devices impersonating or replacing existing devices or leaks caused by centrally stored data, there are many considerations developers need to take into account to ensure their IoT device and its users are protected.
One way of doing this is by prioritizing IoT device authentication and authorization.
Why is Authentication So Important in IoT?
Today, IoT applications span almost all sectors from medical to home automation and many more, carrying critical and sensitive data.
Moreover, IoT devices are generally designed to be resource-constrained with fit-for-computing and limited storage capabilities. Therefore, IoT devices are more prone to security attacks as most of these devices lack appropriate countermeasures.
IoT device authentication has to be different and considerably lightweight compared to an existing user or personal authentication method that is not directly applicable to IoT devices with limited resources. As a result, choosing the proper authentication method is of utmost importance to ensure robust security for IoT devices.
The Different IoT Device Authentication Methods
Single or one-factor authentication is the most basic form of IoT device authentication in which devices or users present something they know to verify their identity. Usernames and passwords are the most popular form of one-factor authentication.
Shared secrets like usernames and passwords are usually recycled at multiple places and are susceptible to various attacks. However, two-factor authentication extends the one-factor authentication of username/passwords by adding another layer in which users or devices need to verify something they possess. This could be a one-time password or something unique like fingerprints.
Three-factor or Multi-factor authentication extends security to the next level by combining multiple mechanisms to authenticate:
- Something you know (e.g., a password)
- Something you are (e.g. fingerprint or iris scan)
- Something you possess (e.g. a one-time password generator)
While two-factor and multi-factor authentication provide a higher level of security, they may add some friction in user experience (UX). This could lead to poor adoptions.
On the flipside, cryptographic public key (PKI) authentication is more secure than usernames and passwords. It overcomes brute force attacks and provides a good user experience.
Mutual authentication or two-way authentication is a process in which two parties (often client and servers) authenticate each other simultaneously using an authentication protocol. Mutual authentication can be realized through cryptographic public keys.
Cryptographic public keys are widely used in IoT and are the de facto mode of authentication in protocols like SSH.
Nabto’s own mutual authentication is based on elliptic curve cryptography public keys that provide robust security with resource requirements that are suitable for IoT applications. We’ll touch on all this in greater detail throughout the guide.
The IoT Security Authentication Models
We’re now going to take a look at the different IoT authentication models and also go into further details on some of the above IoT authentication methods listed above.
Shared Secret Authentication (Symmetric)
Shhhhh, it’s a secret.
The first on our list is shared secret authentication. As touched on, a shared secret is a term in cryptography for a piece of data that’s shared via secure communication. It refers to the authentication key of a symmetric cryptosystem.
The most common method of authentication with a shared secret is a challenge-response. This is when one party presents a question (challenge) and the other party provides the correct answer (response) for authentication. In layman’s terms, this is what a password looks like.
The issue with symmetric encryption is ensuring there is no man-in-the-middle attacker who is trying to read or spoof your communication. However, there are various IoT encryption algorithms you use to protect yourself and a decentralized IoT solution can circumvent these risks.
Public Key/Digital Certificate Authentication (Asymmetric)
Public key encryption, or public-key cryptography, encrypts the data of two different keys and makes one of the keys (the public one) available for anyone to use.
The public key infrastructure (PKI) can be used for activities where simple passwords alone are an inadequate authentication method. In cryptography, ownership is proved using the corresponding private key.
However, in some circumstances, a public key can be signed by a 3rd party authority via a digital key certificate (otherwise known as a public key certificate or identity certificate).
There are two main ways in which certificates can be authenticated:
- Thumbprint – A unique hex string identifies the certificate generated by running a thumbprint algorithm like RSA on the certificate.
- Full chain – It is arranged in a chain of digital certificates in which another trusted certificate’s private key signs each certification, and the chain continues till it reaches a globally trusted root certificate. The X.509 digital certificates provide the most secure digital identity among the software-based authentication and are standardized in IETF RFC 5280.
A digital certificate not only proves ownership, it includes information about the key, information about the key’s owner, and the digital signature from an entity that’s verified the content of the certificate (known as the ‘issuer’). If the authentication is valid and the software trusts the issuer, that key can be used to communicate securely with the certificate’s owner.
The asymmetric cryptosystem provided by public keys provides a higher level of security than a symmetric cryptosystem. That being said, it is often slower and adds a lot of complexity in terms of solution development, deployment, and management.
An alternative to this is using Nabto Edge’s Public Key Authentication model. We also use public-key authentication and get you the benefits of asymmetric authentication too. However, we crucially let you sidestep all the hassle of a full PKI and also eliminate the need for digital key certificates.
Take a look at how it works below:
If you want to learn more about our public key authentication model, book a consultation here.
Hardware Solutions For Further Key Protection
Now we’ve covered the different models that can be incorporated to provide IoT device authentication and authorization, we’re going to look at some of the hardware you can use to protect keys.
Hardware Security Module (HSM)
HSM is a separate hardware module that manages the device’s trusted computing with cryptographic processors and key storage requirements.
Therefore, digital certificates like X.509 certificates and SAS tokens can be stored and evaluated in an HSM. Storing device secrets in traditional memory is less secure compared to keeping them in a dedicated hardware security module.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a specialized IoT device chip that stores device-specific keys for authentication or refers to the input/output (I/O) interface that interacts with modules implementing the standard authentication.
TPMs can exist in different forms, including:
- Discrete hardware devices
- Integrated hardware equipment
- Firmware-based modules
- Software-based modules
It’s a prime example of a hardware root of trust combined with a software-based public key method that provides high trust authentication for IoT devices. What’s more, TPM chips can store secure digital credentials, including X.509 certificates. And, although TPM has various cryptographic capabilities, it satisfies IoT authentication’s three key features, namely establishing the root of trust, secure boot-up, and device identification.
Compared to symmetric key authentication, TPM can store public key certificates and is more secure than SAS token-based authentication. Furthermore, in the DPS, the TPM uses the endorsement key (EK), a form of a public or asymmetric key.
Biometric authentication is a popular method of user authentication based on the unique biological traits of users. It is implemented by devices that are capable of measuring and recognizing the user’s unique physical and/or behavioral characteristics, such as fingerprints, facial features, and many more.
That being said, translating these techniques to IoT device authentication is a challenge. However, recent advancements in Physically Unclonable Functions (PUFs) have made biometric authentication a feasible solution. The PUF authentication exploits the inherent unique variations in the semiconductor chip manufacturing process to become unclonable.
PUF authentication protocols can generate encryption keys that are digital fingerprints, which are both unique, unclonable and similar to biometrics.
The Bottom Line
Implementing secure IoT device authentication and authorization best practices has many benefits for your IoT device’s security and privacy.
The method that you choose depends on what your priorities are. However, we recommend at least two-factor authentication and, to be completely safe, use public-key cryptography from Nabto Edge.
The worst thing you can do is nothing. With that in mind, start protecting your users and device as soon as possible by implementing IoT device authentication.
Read Our Other Resources
We’ve also published a range of IoT resources for our community, including:
- Buying versus building an IoT platform, which discusses how to choose the best option for you.
- Our guide on how to Develop IoT Apps and what platforms you can use.
- A Comparison of IoT Protocols for Developers will help you find the perfect protocol for your device.
- Find the right microcontroller by reading our Complete Guide to Microcontrollers for IoT.