The Internet of Things has seen explosive growth over the last decade as a number of new small and low-powered IoT devices have emerged on the market. This expanding market has helped solve headaches for workers across several different industries and made our everyday lives a lot easier. 

Still, this growth comes with some downsides, among them new challenges to IoT security and privacy. There are many new considerations developers need to take into account to ensure their IoT devices remain secure, such as securing additional unprotected points of access into a system to prevent malicious IoT devices from connecting to legitimate networks. 

One way of addressing such problems is by prioritizing IoT device authentication and authorization.

How Does IoT Device Authentication Work?

IoT device authentication is all about access control. Once an IoT device has access to your network, the user also has access to sensitive information that you are sharing on that network. So the goal of IoT device authentication is to make sure only the right devices connect to your system. 

Without adequate authentication, a rogue IoT device – meaning a device that only exists for malicious purposes – could potentially connect to your network and cause a serious breach. Device authentication means any device that wants to join the network has to fulfill a set of criteria. 

For example, one-factor identification sets a particular password that the user whose device is joining the network needs to enter. Two-factor and three-factor authentication might require an extra layer or two, like an email or text verification. Then you have cryptographic authentication, which is more complicated and involves a specific, often highly-complex key to unlock access.

Why is authentication so important in IoT? 

Today, IoT applications span almost all sectors from medicine to home automation and many more, carrying critical and sensitive data. Old data protection regulations like HIPAA and new, even stricter ones like GDPR and CCPA mandate the highest levels of security and privacy. 

Moreover, IoT devices are generally designed to be resource-constrained, with limited storage and computing capabilities. Therefore, IoT devices are more prone to security attacks as most of these devices lack appropriate out-of-the-box countermeasures.

IoT device authentication has to be lightweight compared to a typical user authentication method for, say, a website login. As a result, choosing the proper authentication method is of utmost importance to ensure robust security for IoT devices.

IoT Device Authentication Methods

Single/one-factor authentication

This is the most basic form of IoT device authentication, in which devices or users present something they know to verify their identity. Usernames and passwords are the most popular form of one-factor authentication.

Unfortunately, most people recycle usernames and passwords on multiple devices and websites. This means if malicious actors gain access to one device, they can potentially access multiple accounts, so one-factor authentication can leave entire systems susceptible to various attacks. 

Two-factor authentication

This extends the one-factor authentication of username/passwords by adding another layer in which users or devices need to verify themselves through something they possess. This could be a one-time password sent to your email address or something unique like your fingerprints.

Three-factor/multi-factor authentication 

Three-factor authentication takes security to the next level by combining multiple mechanisms to authenticate:

• Something you know (e.g., a password)
• Something you are (e.g. fingerprint or iris scan)
• Something you possess (e.g. a one-time code or password generator)

While two-factor and multi-factor authentication provide a higher level of security, they may add some friction in user experience (UX) because the user has to work harder to gain access. 

Cryptographic authentication 

All of the above fall somewhere under the realm of password protection, whereas encryption/cryptography is another category of authentication. Cryptographic authentication is more secure than usernames and passwords. It generally overcomes brute force attacks and provides a good user experience.

Mutual authentication or two-way authentication is a process in which two parties – often clients and servers – authenticate each other simultaneously using an authentication protocol. Mutual authentication can be realized through cryptographic public keys, which are widely used in IoT and are the de facto mode of authentication in many IoT security protocols.  

Nabto’s own mutual authentication is based on elliptic curve cryptography public keys that provide robust security with resource requirements that are suitable for IoT applications.  We’ll touch on all this in greater detail throughout the guide.

IoT cryptographic security authentication models 

We’re now going to take a look at the different cryptographic authentication models and how to use them in IoT. 

Shared secret authentication (symmetric)

The first on our list is shared secret authentication. As we’ve touched on, a shared secret is a term in cryptography for a piece of data that’s shared via secure communication. It refers to the authentication key of a symmetric cryptosystem.

The most common method of authentication with a shared secret is a challenge-response. This is when one party presents a question (challenge) and the other party provides the correct answer (response) for authentication. In layman’s terms, this is what a password looks like. 

The issue with symmetric encryption is ensuring there is no man-in-the-middle attacker who is trying to read or spoof your communication. However, there are various IoT encryption algorithms you use to protect yourself. Also, a peer-to-peer IoT platform can circumvent these risks by enabling direct communication between two parties without any option for a third-party to intercept data. 

Public key/digital certificate authentication (asymmetric)

Public key encryption, or public key cryptography, encrypts the data of two different keys and makes one of the keys (the public one) available for anyone to use.

The public key infrastructure (PKI) can be used for activities in which simple passwords alone are an inadequate authentication method. In cryptography, ownership is proved using the corresponding private key.

However, in some circumstances, a public key can be approved by a 3rd party authority via a digital key certificate – otherwise known as a public key certificate or identity certificate.

There are two main ways in which certificates can be authenticated:

• Thumbprint – A unique hex string identifies the certificate generated by running a digital thumbprint algorithm like RSA (named for the developers, Rivest, Shamir, and Adleman) on the certificate. 
• Full chain – The certificate that needs to be authenticated forms part of a chain of digital certificates in which another trusted certificate’s private key signs each certification, and the chain continues until it reaches a globally trusted root certificate. The X.509 digital certificates provide the most secure digital identity among the software-based authentication standards. 

A digital certificate not only proves ownership, but it also includes information about the key, information about the key’s owner, and the digital signature from an entity that has verified the content of the certificate. This entity is known as the “issuer.” If the authentication is valid and the software trusts the issuer, that key can be used to communicate securely with the certificate’s owner.

The asymmetric cryptosystem provided by public keys provides a higher level of security than a symmetric cryptosystem. That being said, it is often slower and adds a lot of complexity in terms of solution development, deployment, and management.

An alternative to this is using Nabto Edge’s Public Key Authentication model. The model provides public key infrastructure (PKI) authentication and can get you the benefits of asymmetric authentication too. We crucially let you sidestep all the hassle of a full PKI and also eliminate the need for digital key certificates. 

Take a look at how it works below:

If you want to learn more about our public key authentication model, book a consultation here. 

Hardware options for further IoT key protection

Now that we’ve covered the different models that can be incorporated to provide IoT device authentication and authorization, we’re going to look at some of the hardware you can use to protect keys. 

Hardware security module (HSM)

HSM is a hardware module that manages the device’s security with cryptographic processors and key storage requirements.

Therefore, digital certificates like X.509 certificates and SAS tokens can be stored and evaluated in an HSM. Storing device secrets in traditional memory is less secure compared to keeping them in a dedicated hardware security module.

Trusted platform module (TPM)

A TPM is a specialized IoT device chip that stores device-specific keys for authentication or refers to the input/output (I/O) interface that interacts with modules implementing standard authentication.

TPMs can exist in different forms, including:

• Integrated hardware equipment
• Separate hardware devices
• Firmware-based modules
• Software-based modules

Compared to symmetric key authentication, TPM can store public key certificates and is more secure than SAS token-based authentication. Furthermore, in the DPS, the TPM uses the endorsement key (EK), a form of a public or asymmetric key.

Biometric authentication 

Biometric authentication is a popular method of user authentication based on the unique biological traits of users. It is implemented by devices that are capable of measuring and recognizing the user’s unique physical and/or behavioral characteristics, such as fingerprints, facial features, and many more.

That being said, translating these techniques to IoT device authentication is a challenge because not every IoT device has biometric sensors built-in. However, recent advancements in physically unclonable functions (PUFs) provide an easier and equally secure digital alternative to biometric authentication. PUF authentication protocols can generate encryption keys that are digital fingerprints, meaning they are completely unique, similar to a physical fingerprint. 

Hardware Security Module (HSM)

HSM is a separate hardware module that manages the device’s trusted computing with cryptographic processors and key storage requirements.

Therefore, digital certificates like X.509 certificates and SAS tokens can be stored and evaluated in an HSM. Storing device secrets in traditional memory is less secure compared to keeping them in a dedicated hardware security module.

Trusted Platform Module (TPM)

A Trusted Platform Module (TPM) is a specialized IoT device chip that stores device-specific keys for authentication or refers to the input/output (I/O) interface that interacts with modules implementing the standard authentication.

TPMs can exist in different forms, including:

• Discrete hardware devices
• Integrated hardware equipment
• Firmware-based modules
• Software-based modules

It’s a prime example of a hardware root of trust combined with a software-based public key method that provides high trust authentication for IoT devices. What’s more, TPM chips can store secure digital credentials, including X.509 certificates. And, although TPM has various cryptographic capabilities, it satisfies IoT authentication’s three key features, namely establishing the root of trust, secure boot-up, and device identification.

Compared to symmetric key authentication, TPM can store public key certificates and is more secure than SAS token-based authentication. Furthermore, in the DPS, the TPM uses the endorsement key (EK), a form of a public or asymmetric key.

Biometric Authentication

Biometric authentication is a popular method of user authentication based on the unique biological traits of users. It is implemented by devices that are capable of measuring and recognizing the user’s unique physical and/or behavioral characteristics, such as fingerprints, facial features, and many more.

That being said, translating these techniques to IoT device authentication is a challenge. However, recent advancements in Physically Unclonable Functions (PUFs) have made biometric authentication a feasible solution. The PUF authentication exploits the inherent unique variations in the semiconductor chip manufacturing process to become unclonable.

PUF authentication protocols can generate encryption keys that are digital fingerprints, which are both unique, unclonable and similar to biometrics.

The Bottom Line

Implementing secure IoT device authentication and authorization best practices has many benefits for your IoT device’s security and privacy. 

The method that you choose depends on what your priorities are. However, we recommend at least two-factor authentication and, to be completely safe, use public-key cryptography from Nabto Edge.

The worst thing you can do for IoT security is nothing. Start protecting your users and devices as soon as possible by implementing advanced IoT device authentication.

Read Our Other Resources

We’ve also published a range of IoT resources for our community, including:

• Buying versus building an IoT platform, which discusses how to choose the best option for you
• Our guide on how to Develop IoT Apps and what platforms you can use
• A Comparison of IoT Protocols for Developers will help you find the perfect protocol for your device
• Find the right microcontroller by reading our Complete Guide to Microcontrollers for IoT