Amid growing concerns that internet of things (IoT) devices are inherently vulnerable to attacks that could compromise users’ information privacy and security, the NIST National Strategy for Trusted Identities in Cyberspace (NSTIC) has awarded a $1.86 million grant to build a secure data storage system.
NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies and other organizations to improve the privacy, security and convenience of online transactions. The pilot program team includes Tozny, which has built a password-free cryptographic authentication system, its parent company Galois, which builds open and secure technologies for government and commercial organizations; IOTAS, which provides smart-home technology for apartment buildings; GlobeSherpa, a mobile transit ticketing company; SRI International, the non-profit research institute and leader in biometric authentication; and 6 Degrees Privacy Consulting, which specializes in privacy policy.
Tozny, will serve as the technical lead for the NSTIC pilot program.
The team will build a data storage and sharing platform that guarantees security and enables new use cases for collaborative connected devices—with an initial focus on allowing consumers to securely store and share private information across IoT-enabled smart homes and transportation systems. The system will protect the users’ data from being involuntarily shared, while at the same time enabling multiple IoT services and devices to easily collaborate in better serving smart home and connected device users.
The pilot program will initially focus on two NSTIC pilot program applications:
Smart Home IoT Authentication – Due to lack of standards and security expertise, many commodity IoT devices and cloud services have not been designed to be secure, easy to use and interoperable. Furthermore, elements of the system that are authenticated typically use weak passwords for login. IOTAS is already operating a smart-home pilot in apartment units in Portland, Oregon and San Francisco, CA. NSTIC support will allow IOTAS and Tozny to collaborate to add transparent but privacy-preserving authentication and encryption to this pilot.
Transit IoT Authentication – Many municipalities are deploying mobile ticketing in their public transit platforms, which allows riders to buy transit tickets on their mobile phone and use the phone itself as the ticket. Password authentication is a barrier for users suffering from password fatigue—particularly acute for mobile devices where inputting sufficiently complex passwords is challenging. NSTIC support will fund collaboration between Tozny and GlobeSherpa to pilot secure, password-free authentication.
“In the rush to build IoT products and services, security and privacy is often ignored until it’s too late,” said Isaac Potoczny-Jones, founder of Tozny and Galois’ principal investigator for the project. “The collective vision of this team is to enable data sharing between everyday connected devices, while putting security and privacy first. By the end of the pilot, users will be able to create accounts and authenticate to their home without passwords; prove that they’ve purchased transit tickets just by walking to their bus; and have their home and transit systems securely communicate and collaborate—all while preserving the user’s privacy.”