FIDO Alliance plans new IoT initiatives as security still struggles

Last week saw the Trusted Computing Group unveil a new IoT-focused TPM module, and this week we see the FIDO Alliance announce new working groups and two new standards to improve IoT identity verification. The issue of IoT security is still far from solved, but FIDO’s new efforts provide developers with more options to tackle the overarching problem.

The Fast Identity Online (FIDO) Alliance was established to try to solve the problem of relying on usernames and passwords for online authentication, aiming to create a better system of primary and secondary identification, such as biometrics like fingerprints and iris scans, as well as two-factor authentication devices. Integrated scanners and USB-based dongles have proven to be popular form factors.

But the FIDO Alliance has been looking at the IoT in dismay, and so it has set up the IoT Technical Working Group (TWG), to provide a comprehensive authentication framework for IoT devices that is in keeping with the alliance’s core focus of passwordless authentication. Headed up by reps from Arm and Qualcomm, the IoT TWG also features Idemia, Intel, Lenovo, Microsoft, Nok Nok Labs, OneSpan, Phoenix Technologies, and Yubico.

The IoT TWG is going to be developing use cases, target architectures, and specifications. Specifically, it will focus on device attestation, automated onboarding, and device authentication and provisioning via IoT hubs and routers.

The second new thrust from the FIDO Alliance is less IoT-focused, but is similar in structure. The alliance is setting up the Identity Verification and Binding working group (IDWG), to focus on new account onboarding and existing account recovery, where identities are bound to a user via the FIDO system. Compliance with new Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations is cited as a driver, but the gist is that FIDO wants to be able to secure the account recovery process if a FIDO device is lost or stolen.

Back in May 2018, the alliance announced the launch of its FIDO2 standard, in partnership with the World Wide Web Consortium (W3C), when Amazon and Facebook joined the board of directors. Since then, it has announced biometric wins with Samsung and Microsoft, with Android also achieving FIDO2 certification.

Now, the organization is expanding into the IoT world before it has become a clear presence in the consumer market. FIDO has a lot of supporters, but it is far from being a name brand that consumers would recognize. This isn’t exactly a hindrance to moving into the IoT, but it is not clear whether the alliance has the clout to dramatically alter that marketplace.

Of course, this is a problem for any firm that wants to improve the overall state of IoT security. In mass-market consumer devices, any expenditure on security features is viewed as missed profit by the generic manufacturers, while for the reputable brands, any extra expenditure on security just increases the margin by which these no-names can undercut them. This is a critique that can just as easily be leveled against FIDO as against the recent TCG TPM announcement, but it’s a problem that still shows no signs of going away. For now, the FIDO IoT TWG is going to try to come up with a compelling answer to the question, but we’re still of the opinion that the people who need to implement IoT security the most have no interest in spending any extra on their devices.

“The FIDO Alliance has catalyzed a diverse set of stakeholders who have collaborated to answer the industry’s password problem through the standardization of FIDO Authentication – which has grown from concept to global web standard supported in leading browsers and platforms in just seven years,” said Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance. “As we look at the threat vectors in the marketplace, however, it has become apparent that there’s a gap between the high assurance provided by FIDO Authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication. This gap can be most effectively addressed through industry collaboration and standardization rather than siloed, proprietary approaches.”