Industry Alliance Plans Passwordless IoT Access Tech

An industry group is working on a secure, password-free access standard for IoT devices to help solve one of the main problems facing connected devices.

The FIDO Alliance, which creates standards to make remote logins easier, pointed to poor industry practices and a lack of standards in IoT security.

“Lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attack,” said the Alliance this week.

The organization has responded with an IoT Working Group, which will develop technical profiles to handle device authentication between different IoT devices and service providers. Its reference platforms will also standardize the setup of IoT devices and their connection to specific users and applications.

As with other FIDO initiatives, the IoT group is industry-led. Its chairs work for ARM Holdings and Qualcomm, while other participants include Google, Intel, Lenovo, Microsoft, and hardware key manufacturer Yubico.

Intel and ARM have already worked together on a process called ‘late binding,’ in which an IoT device discovers its target cloud platform seconds after powering on. This concept works with microcontrollers from both companies and enables IoT devices using their components to connect securely with a variety of cloud-based services after deployment.

The move will help to solve an increasing problem for IoT users: securing access across devices that often number in the tens of thousands. The use of default password credentials is commonplace, prompting standards bodies in Europe to introduce a voluntary standard prohibiting them, and the government of California to ban them. The UK government is also mulling regulations forbidding the use of default IoT passwords.

FIDO also introduced another working group that focuses on secure verification when recovering remote accounts from attacks like phishing. The Identity Verification and Binding Working Group is considering several methods to remotely identify users trying to get back into their own accounts after an attack. These include biometric selfie matching, along with the use of government-issued identity document authentication.
