Strong IoT security strategies use device authentication to ensure that only trusted and authorized devices access the corporate network.
Authentication also prevents hackers from assuming the identity of IoT devices to gain access to data or the wider corporate network. Manufacturers don't usually include security features in IoT devices, so IT administrators must know which authentication methods protect data and access from unauthorized users.
Identify current IoT device authentication methods
IT professionals can choose from many IoT authentication methods, including digital certificates, two-factor or token-based authentication, hardware root of trust (RoT), and trusted execution environment (TEE).
Many people are familiar with two-factor authentication (2FA) for accessing websites, and the same method works for IoT devices. Devices request biometrics, such as fingerprints, retina scans or facial recognition, to grant access. For devices that only connect to other devices, 2FA requires a specific Bluetooth beacon or near-field communication dongle in the requesting device, which the receiving device checks to confirm the requester's authenticity.
Other software authentication methods
Depending on the IoT device and its network role, IT admins can use other software authentication methods, such as digital certificates, organization-based access control and distributed authentication through the Message Queuing Telemetry Transport (MQTT) protocol. MQTT connects the IoT device to a broker -- a server that stores digital identities or certificates -- which verifies the device's identity and grants access. Many manufacturers and vendors adopt the protocol because it scales to monitoring thousands of IoT devices.
Hardware authentication methods
Hardware-based authentication methods, such as hardware RoT and TEE, have become industry standards to secure IoT devices.
Hardware RoT. This offshoot of the RoT security model is a separate computing engine that manages the cryptographic processors of a device's trusted computing platform. The model is not useful in other consumer devices, but it's perfect for IoT: In regular consumer devices, the RoT model restricts the software that can be installed on the device, which contravenes competition laws globally. In IoT devices, the same restrictions protect the device from being hacked and keep it locked onto the relevant network. Hardware RoT protects devices from hardware tampering and automates reporting of unauthorized activity.
Trusted execution environment. The TEE authentication method isolates authentication data from the rest of the IoT device's main processor through higher-level encryption. The method runs in parallel with the device's OS and any other hardware or software on it. IT admins find the TEE authentication method ideal for IoT devices because it puts no additional strain on the device's speed, computing power or memory.
Trusted Platform Module. Another hardware authentication method is Trusted Platform Module (TPM), a specialized chip in the IoT device that stores host-specific encryption keys for hardware authentication. Software can't read the authentication keys held within the chip, which keeps them safe from software-based attacks. When the device tries to connect to the network, the chip presents the appropriate keys and the network attempts to match them against known keys. If they match and have not been modified, the network grants access. If they don't match, the device locks and the network notifies the appropriate monitoring software.
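The chip-backed check described above, as an added example that is not part of the original article: the device holds a P-256 private key that no method ever returns, the network keeps only the public key it enrolled, and authentication is a signature over a fresh network-issued nonce rather than the key itself crossing the network (the usual way a key held in a TPM is proven without exposing it). A failed check locks the device and records an alert for monitoring software, as the paragraph describes. The device IDs, the error names and the in-memory Network type are constructed for this illustration; a real deployment would keep the key in the TPM and persist the enrollment database.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device stands in for the chip: the key is created inside and never handed out.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

// NewDevice provisions a device with a fresh P-256 key (the ID is a hypothetical label).
func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the only key material the network ever receives, at enrollment.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a challenge; only the signature leaves the device.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

var ErrUnknownDevice = errors.New("device not enrolled")
var ErrLocked = errors.New("device is locked")
var ErrBadSignature = errors.New("signature does not match enrolled key")

// Network holds enrolled public keys, lock state and alerts for monitoring software.
type Network struct {
	enrolled map[string]*ecdsa.PublicKey
	locked   map[string]bool
	alerts   []string
}

func NewNetwork() *Network {
	return &Network{enrolled: map[string]*ecdsa.PublicKey{}, locked: map[string]bool{}}
}

func (n *Network) Enroll(id string, pub *ecdsa.PublicKey) { n.enrolled[id] = pub }

// Verify checks the response against the enrolled key; a mismatch locks the device.
func (n *Network) Verify(id string, challenge, sig []byte) error {
	if n.locked[id] {
		return ErrLocked
	}
	pub, ok := n.enrolled[id]
	if !ok {
		return ErrUnknownDevice
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		n.locked[id] = true
		n.alerts = append(n.alerts, "authentication failure for "+id)
		return ErrBadSignature
	}
	return nil
}

func (n *Network) Alerts() []string { return n.alerts }

// Authenticate runs one complete exchange: fresh nonce out, signature back, verify.
func (n *Network) Authenticate(d *Device) error {
	challenge := make([]byte, 32) // random per attempt, so a replayed old response fails
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := d.Sign(challenge)
	if err != nil {
		return err
	}
	return n.Verify(d.ID, challenge, sig)
}

func main() {
	n := NewNetwork()
	sensor, _ := NewDevice("sensor-01")
	n.Enroll(sensor.ID, sensor.PublicKey())
	impostor, _ := NewDevice("sensor-01") // claims the same ID, holds a different key
	fmt.Println("enrolled device:", n.Authenticate(sensor))
	fmt.Println("impostor:", n.Authenticate(impostor))
	fmt.Println("enrolled device after lock:", n.Authenticate(sensor))
	fmt.Println("alerts:", n.Alerts())
}
```

The lock in Verify is deliberately sticky: once an ID has failed, even the genuine device is refused until an administrator clears it, which is the behaviour the paragraph describes and which turns a single spoofing attempt into a visible event rather than a silent retry.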
Which IoT device authentication works best?
IT admins who decide which IoT authentication method to use must consider the IoT device type, the data it transmits over the network and the device's location.
Some organizations use X.509 digital identity certificates for authentication because they're secure, easy to use and vendors offer many options. However, the sheer number of certificates an organization needs makes them an expensive option and makes lifecycle management a challenge.
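Certificate-based device identity of the kind an MQTT broker checks (described earlier) and the X.509 option in this paragraph, as an added example that is not the article's own code: a Go program using only the standard library creates a device CA, issues a short-lived client-authentication certificate for one device, and verifies it the way a broker or gateway would, covering the two lifecycle cases that make certificate management expensive in practice, expiry and revocation. The CA name, device ID, serial numbers and the in-memory revocation list are constructed for the example; a production PKI would use CRLs or OCSP for revocation and an HSM for the CA key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl for pub with parentKey and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates the organization's self-signed device root (name is a hypothetical label).
func NewCA(name string, validFor time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key) // parent is itself: self-signed
	return cert, key, err
}

// IssueDeviceCert issues a client-auth certificate for one device (the device key is discarded here; a real device would keep it in its chip).
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

var ErrRevoked = errors.New("certificate revoked")

// Verifier is what a broker or gateway holds: trusted roots plus a revocation list.
type Verifier struct {
	roots   *x509.CertPool
	revoked map[string]bool // keyed by serial number
}

func NewVerifier(ca *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Verifier{roots: pool, revoked: map[string]bool{}}
}
func (v *Verifier) Revoke(c *x509.Certificate) { v.revoked[c.SerialNumber.String()] = true }

// Check returns the device ID if cert chains to a trusted root, is valid at the given time, is a client-auth cert and is not revoked.
func (v *Verifier) Check(cert *x509.Certificate, at time.Time) (string, error) {
	if v.revoked[cert.SerialNumber.String()] {
		return "", ErrRevoked
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       v.roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := NewCA("Example Device CA", 365*24*time.Hour) // errors omitted in this demo
	dev, _ := IssueDeviceCert(ca, caKey, "sensor-01", 100, 30*24*time.Hour)
	v := NewVerifier(ca)
	fmt.Println(v.Check(dev, time.Now()))                      // sensor-01 <nil>
	fmt.Println(v.Check(dev, time.Now().Add(60*24*time.Hour))) // expiry error from x509
	v.Revoke(dev)
	fmt.Println(v.Check(dev, time.Now())) // certificate revoked
}
```

Note that the revocation check runs before chain validation and that the device ID comes from the certificate subject only after the chain has been verified, so a certificate from a different CA that reuses the same CommonName is rejected rather than impersonating the device.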
TPM comes standard in the Windows OS with simple credential management. IT admins can find it difficult to incorporate TPM into prebuilt devices because they get locked into a particular chip size and shape. Manufacturers build credential management into the chips, which means IT admins must physically remove the chip and insert a new one to change credentials.
IT admins must weigh some general factors and recommendations to choose the best IoT authentication method for their organization.
Understand drawbacks of IoT authentication methods
The IoT industry currently has no standard for IoT device authentication methods and it remains fragmented. Manufacturers use varied authentication strategies for hardware, software and communication protocols.
Historically, manufacturers have not always considered security in IoT device design and deployment, but they have begun to include it in the design process. They build these authentication methods into devices and make them compatible with other security and monitoring technologies.