FIDO Alliance moves to secure IoT devices – Technologist

The FIDO Alliance has announced two new initiatives to expand standards and certifications to the Internet of Things. The ultimate goal: remove password use from IoT. 

In support of this objective, FIDO said it has formed two new working groups — the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG).

The IDWG will define criteria for remote identity verification and develop a certification program and led by co-chairs Rob Carter, Mastercard, and Parker Crockford, Onfido Ltd. Other participating organizations include Aetna, Google, Idemia, Lenovo, Microsoft, Nok Nok Labs, NTT DOCOMO, OneSpan, Phoenix Technologies Ltd., Visa Inc., Yahoo! JAPAN, Yubico and the UK Cabinet Office.

Meanwhile, the  IoT TWG team will be working to provide a comprehensive authentication framework for IoT devices and will develop use cases, target architectures and specifications covering IoT device attestation/authentication profiles, automated onboarding and binding of applications, and IoT device authentication and provisioning via smart routers and IoT hubs.

FIDO said this team is led by co-chairs Marc Canel, ARM Holdings, and Giridhar Mandyam, Qualcomm Inc. Other participating organizations include Google, Idemia, Infineon Technologies, Intel Corporation, Lenovo, Microsoft, Nok Nok Labs, OneSpan, Phoenix Technologies Ltd., Yahoo! JAPAN and Yubico.

Andrew Shikiar, executive director and chief marketing officer of the FIDO Alliance, explained that as they  look at the threat vectors in the marketplace, they noticed a gap between the high assurance currently provided by FIDO Authentication and other methods of identity verification and authentication for IoT.

“This gap can be most effectively addressed through industry collaboration and standardization rather than siloed, proprietary approaches,” he said.

Citing data from Gartner, FIDO said 20.4 billion connected things will be in use by 2020, opening up opportunities for increased efficiencies and innovation across industries. 

“Yet, lack of IoT security standards and typical processes such as shipping with default password credentials and manual onboarding leave devices, and the networks they operate on, open to large-scale attack,” it said.

Formed in July 2012 to address the lack of interoperability among authentication technologies, the FIDO Alliance counts  as members global tech leaders across enterprise, payments, telecom, government and healthcare sectors.

It has published three other specifications for authentication — FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and FIDO2, which includes the W3C’s Web Authentication (WebAuthn) specification and FIDO Client to Authenticator Protocol (CTAP).