FIDO Alliance shifts its security focus to IoT devices

The Trusted Computing Group recently unveiled a new IoT-focused trusted platform module (TPM), and this was quickly followed by the news that the FIDO Alliance had announced new working groups and two new standards, aiming to improve IoT identity verification.

The issue of IoT security is still far from solved, but FIDO’s new efforts provide developers with more options to tackle the over-arching problem.

The Fast Identity Online (FIDO) Alliance was established to try to solve the problem of using user names and passwords for online authentication, looking to create a better system of primary and secondary identification, such as biometrics like fingerprints and iris scans, as well as two-factor authentication devices. Integrated scanners and USB-based dongles have proven popular form factors.

But the FIDO Alliance has been looking at the IoT in dismay, and so it has set up the IoT Technical Working Group (TWG), to provide a comprehensive authentication framework for IoT devices that is in keeping with the alliance’s core focus of passwordless authentication. Headed up by representatives from ARM and Qualcomm, the IoT TWG also features Idemia, Intel, Lenovo, Microsoft, Nok Nok Labs, OneSpan, Phoenix Technologies and Yubico.

The IoT TWG is going to be developing use cases, target architectures and specifications. Specifically, it will focus on device attestation, automated on-boarding, and device authentication and provisioning via IoT hubs and routers.

The second new thrust from the FIDO Alliance is less IoT-focused, but is similar in structure. The alliance is setting up the Identity Verification and Binding working group (IDWG), to focus on new account on-boarding and existing account recovery, where identities are bound to a user via the FIDO system. Compliance with new Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations is cited as a driver, but the gist is that FIDO wants to be able to secure the account recovery process if a FIDO device is lost or stolen.

Back in May 2018, the Alliance announced the launch of its FIDO2 standard, in partnership with the World Wide Web Consortium (W3C), when Amazon and Facebook joined the board of directors. Since then, it has announced biometric wins with Samsung and Microsoft, with Android also achieving FIDO2 certification.

Now, the organization is expanding into the IoT world, before it has become a clear presence in the consumer market. FIDO has a lot of supporters, but it is far from being a brand that consumers would recognize. This isn’t exactly a hindrance for moving into the IoT, but it is not clear if the Alliance has the clout to alter that marketplace dramatically.

Of course, this is a problem for any organization that wants to improve the overall state of IoT security. In mass market consumer devices, any expenditure on security features can be viewed as missed profits by the generic manufacturers, and for the high value brands, extra expenditure on security increases the price difference between them and the low cost challengers.

“The FIDO Alliance has catalyzed a diverse set of stakeholders who have collaborated to answer the industry’s password problem through the standardization of FIDO Authentication – which has grown from concept to global web standard supported in leading browsers and platforms in just seven years,” said Andrew Shikiar, CMO of the FIDO Alliance.

“As we look at the threat vectors in the marketplace, however, it has become apparent that there’s a gap between the high assurance provided by FIDO Authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication. This gap can be most effectively addressed through industry collaboration and standardization rather than siloed, proprietary approaches.”