
Can biometrics be the key to securing the IoT chain of trust?

The booming internet of things is on course to double in just five years, growing from 15 billion connections in 2015 to nearly 31 billion by 2020, according to IDC. As the number of connections and use cases explodes, so does the number of security vulnerabilities. The fate of the marketplace depends on our ability to trust the devices, data and networks that make IoT possible.

However, a sobering new market survey by industry research firm Vanson Bourne reveals that 90% of consumers lack confidence in the security of IoT devices. In addition, more than two-thirds of consumers and nearly 80% of enterprises surveyed support government regulation of IoT security, indicating a lack of trust in industry stakeholders to secure the ecosystem.

It’s clear that consumers and businesses alike have serious concerns about IoT security. But the good news is that security by design is proving effective in mitigating risk and preventing breaches, and biometrics is becoming an increasingly important part of the plan. By working together, consumers and enterprises can build a chain of trust across the IoT ecosystem that protects devices, data and networks and prevents IoT technology from becoming an open door for hackers.

Strengthen the security core

Enterprises across the IoT ecosystem, including software providers, device manufacturers, service providers and the people who interact with IoT products and services, must all play a part in securing the ecosystem. Every link in the chain must be held accountable to the same set of core security objectives, which consists of four goals:

  1. Availability: Ensuring timely and reliable access to and use of information is an essential component of any IoT system. Without actionable, real-time and reliable access to data, the benefits of IoT simply cannot be realized. Data must be securely collected, distilled and shared in order to avoid any negative effects on availability.
  2. Integrity: IoT technologies depend on reliable and accurate data. To prevent fraud and other harmful attacks, security measures must be taken to ensure that data is accurate and free from manipulation.
  3. Confidentiality: IoT systems generate huge volumes of data that must be collected, stored and analyzed. Some of this data will include sensitive details about citizens themselves. Steps must be taken to prevent unauthorized disclosure of sensitive information.
  4. Accountability: Users of any IoT system must be responsible and accountable for the actions they perform. This means that user interactions with sensitive systems must be logged and associated with an authorized user. These logs must be difficult to forge and have strong integrity protection.
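
One way to meet the accountability goal above is a hash-chained, keyed audit log, shown here as an added example that is not part of the original article. The key, the user names, the smart-lock actions and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real device would keep it in a secure element or HSM.
LOG_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # stands in for the "previous tag" of the first entry


def _tag(prev_tag, record):
    """HMAC over the previous tag plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    msg = prev_tag.encode() + b"|" + body.encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def append(log, user, action, ts):
    """Append an entry bound to a named user and to the entry before it."""
    record = {"seq": len(log), "ts": ts, "user": user, "action": action}
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": _tag(prev, record)})
    return log[-1]["tag"]


def verify(log, expected_head=None):
    """Return (True, None) if intact, else (False, index of first bad entry).

    expected_head is the newest tag as stored off-device; it catches removal
    of the most recent entries, which the chain alone cannot detect.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        rec = entry["record"]
        if rec.get("seq") != i:
            return False, i
        if not hmac.compare_digest(entry["tag"], _tag(prev, rec)):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


def demo_log():
    """Constructed sample: three user actions on a hypothetical smart lock."""
    log = []
    append(log, "alice", "unlock front-door", 1700000000)
    append(log, "bob", "change pin", 1700000060)
    return log, append(log, "alice", "lock front-door", 1700000120)
```

Because each tag covers the previous one, editing, deleting or reordering an entry invalidates every tag from that point on, and only a holder of the key can recompute them.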

The IoT ecosystem is inherently complex and interconnected. However, complexity and risk can be mitigated through strong authentication and ID management technologies that enable a secure digital handshake between all ecosystem players. These systems encompass both hardware and software that either allow or deny access to devices, data and networks. When integrated throughout the ecosystem, they mitigate risk of attack and strengthen the four core objectives of IoT security.

Securing the chain of trust in IoT systems

In order to trust IoT, we need to validate the chain of trust throughout the ecosystem. Security mechanisms including secure elements, SIM and MIM cards, strong encryption, authentication and trusted key management technologies facilitate the secure digital handshake and serve as the backbone of IoT security. They ensure the four core objectives of security for all the links in the chain of trust, starting with the IoT device: they ensure that the device is not a rogue device, but a certified trusted element of the ecosystem. Second in the chain of trust is the software. Strong encryption and authentication ensure that the software running on the device has not been tampered with and is genuine. We also use encryption and key management to ensure that the data coming out of the device has not been tampered with. The final link in the chain of trust is authenticating that the individual or user interacting with the IoT product at the very edge of the chain is authorized to do so and can be trusted. This is where biometrics is booming.

The rise of biometrics in IoT security

The lines between enterprise and consumer IoT are blurring in objects and systems like connected cars, smart cities and smart energy. Biometrics, encompassing fingerprints, face recognition, iris scanning and more, are gaining traction in the mix of authentication technologies. The introduction of the iPhone 5s delivered a paradigm shift in the general acceptance of biometrics. Up to that point, fingerprinting was traditionally associated with policing and crime, which made people hesitant and cautious about allowing their fingerprints to be recorded. However, the widespread use of fingerprints to unlock smartphones, authorize downloads and approve mobile secure payments, coupled with the increased use of biometrics in the passport and visa process, is helping to reposition biometrics as a more widely accepted identity assurance technology for convenience applications. In addition, scanning technology is continuing to advance, eliminating the need to touch sensors or stare into a camera for image capture, making it less invasive, more convenient and easier than other forms of ID management. To increase security for more sensitive applications, multifactor authentication methods including passwords, tokens and smart cards can be used in combination with biometrics applications to mitigate risk.

What specific IoT applications use biometrics?

In the autonomous vehicle industry, biometrics is a key component of the security and mobility services that brands like Volvo and Toyota will be delivering in the coming years. The ability of a car to recognize its owner as they approach, to unlock itself and activate personal settings, including mirror and seat position, temperature and musical preferences, is possible with existing biometric technologies. And exciting R&D is underway. For instance, carmakers such as Jaguar and Land Rover are patenting a biometric system to allow car owners to open the door based on a combination of facial and gait recognition technologies. Other leading auto manufacturers are testing biometric sensors integrated into door handles, key fobs, touchscreens and steering wheels that offer seamless authentication and customized mobility services. This includes using biometrics in combination with an automatic breathalyzer test to enable car ignition for drivers previously convicted of a DUI. Consequently, Markets and Markets is predicting that the biometric market will increase from $10.74 billion in 2015 to $32.73 billion by 2022, at an impressive compound annual growth rate of 16.79%.

In the future, fingerprinting and other biometrics will move not just to the car, but also to the home, potentially doing away with the need for keys altogether. Biometrics are being integrated into power meters, door locks, safes and guns, as well as home and office security systems for strong authentication. In these types of systems, where IoT devices are tied into a back-end system that interacts with critical infrastructure, identifying and authenticating an authorized individual on the other side of the network is crucially important. This is also true in the retail space where biometrics can be used to identify individual clerks managing a cash register or for use in marketing and customer loyalty programs to track a customer’s preferences as they shop and examine specific items.

In today’s evolving IoT landscape, biometrics is becoming an increasingly important method for authenticating the individual and securing the chain of trust. The trinity of identity, security and privacy is well supported by biometric technology, especially as more people become comfortable with physiology becoming an individual’s key to their home, car and office, as well as their passport to a myriad of essential services.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.