Below, we will explore the technical elements of a security-oriented wearable, and subsequent posts will concentrate on the balancing act between great security and end-user convenience.
To establish identity, we’re all used to our username/password combination, and probably have started using our fingerprints to log into our phones. Password policies are really hard to get right — so much so that, in most companies, it is the number one tech support question.
Fingerprints and other biometrics are better for a few reasons — mostly that they’re based on who you are, rather than what you know. So, you’re not going to forget your fingerprint, your retina or other things that make you who you are.
But if your fingerprint is not changing and someone steals it, what happens? Well, the short answer is that you should hope that this “template” is safely stored locally and not shareable across devices, networks and so forth. The beauty of a wearable is that it allows for the proximity necessary to keep that information close.
For example, part of a new phone setup is to capture your fingerprints. Even if you’ve owned three generations of the same phone, you can transfer your data to your new phone, but not your fingerprint. The reason was mentioned above. It is undesirable for both user and vendor to store sensitive, static data about a user.
Hopefully, this serves as a piece of useful information. In the world of wearables, portables and the like, the device should be assumed to be self-authenticating if well designed. That the information it shares is simply, “yes, this is the right person” or “no, it’s not.”
If you would like to rely on a wearable as a source of identity verification, there are some key things to keep in mind. Firstly, these devices should be able to confirm the known wearer’s identity. The next thing is thinking about how to query the wearable. Given the state of standards today, prevailing technologies for sharing this confirm/reject are Bluetooth Smart, NFC and USB.
In the real world, one would assume that a wearable must have Bluetooth Smart or NFC or both to communicate with IoT devices. Bluetooth Smart gives better range, but establishing a transient relationship with a thing is complicated and not yet standardized. NFC has less perceived threat to man-in-the-middle attacks and works well under certain circumstances, but you should assume that the wearable is on or near the user’s hand (NFC range is <20cm).
Another key component is tamper-resistance and/or tamper-proofing. A well-designed wearable will prevent a nefarious person from being able to access algorithms or biometric data. There are both physical and logical ways to preserve this data, but secure wearables can and should see tampering as a major threat.
Lastly, one should assume that a wearable has cryptographic functions. There are many options, but these devices can exchange keys with another device. This allows for encrypted messages between devices.
Experts at many security-minded companies have found these building blocks to be elemental to a credible secure wearable. My organization has demonstrated the ability to unlock computers, phones and physical doors from major players with these basic features, and these safeguards have provided the needed assurances.
Are there other considerations here? Yes. This is the beginning of a journey, but these are the lessons that we’ve learned so far.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.