Will the Internet of Things kill off passwords?

Interview with Simon Moffatt of ForgeRock

The tech goliaths Google, Apple and Facebook are all starting to take steps towards killing off password authentication once and for all. They see the opportunity to shore up security while also cutting down the number of password resets that consumers have to deal with.

Is there a big crossover here to the Internet of Things (IoT)? Will we really have to remember or store hundreds of complex, unique passwords for everything from our fridge to our watch or washing machine?

Here, Jeremy Cowan talks exclusively to Simon Moffatt, EMEA director, Advanced Customer Engineering at identity management specialists, ForgeRock. We’re rapidly approaching a time when the conventional login-and-password approach to authenticating users and authorising access will no longer be workable. So what will come next?

IoT Now: Does ForgeRock believe that managing passwords is already unworkable? If not yet, when?

Simon Moffatt (SM): Passwords have been used since the birth of computing. They are such an integral part of how we access digital services that they will not become extinct overnight. However, it is now generally accepted that password-based security, on its own, is a low security option. Issues constantly arise with respect to how services store password data, with data breach incidents in the news daily.

Many service providers enforce password complexity rules for their users. However, this can often result in password reuse and the dreaded anti-pattern of writing the password down! A new sub-industry of security focusing entirely on password management via browser plugins has looked to alleviate some of the end-user burden with respect to generating and storing complex passwords. But, whilst this increases user convenience, it does not solve the underlying issue of passwords being a weak form of authentication.

From a workability perspective, passwords still play a big part in many end-user login journeys and whilst more secure login processes exist, until user convenience increases with those more secure processes, passwords will be around for some time yet.

IoT Now: Isn’t this still a consumer concern? Does it already affect enterprise IoT, or just connected consumers?

SM: Password management really affects all users, devices and systems, from both an internal, external and IoT standpoint. From a consumer perspective, the big paradox is between user convenience and security. End users want to trust that their passwords and personal data are being kept safe.

The service provider, on the other hand, wants to reduce the time and friction that often occurs during sign up and sign in. If the security mechanisms are too inhibitive, this can turn users away from their service.

Internet-facing or consumer based services often have a bigger attack vector from malicious users and software that can access their publicly facing applications and sites. This is where increasing security is now a big driver for many providers.

IoT Now: What are the shortcoming of 2FA and biometrics?

SM: Many services look to enhance password based security, through the use of multi-factor or 2nd factor authentication (2FA). This has traditionally been done through the use of a 6- or 8-digit one-time-password (OTP) that is transmitted to a pre-registered mobile number or email address.

The main shortcomings are really twofold – one is user convenience: There is often a time delay and pause during the login sequence as the OTP is transmitted via SMS or email. If email is used, there is then another hop that is required with respect to logging in to the designated email account. The second shortcoming is that SMS-based OTP delivery has been scrutinised with respect to security.

Biometrics, especially the use of fingerprint and facial recognition, have been introduced over the last couple of years via the big mobile phone operating system vendors. This has increased usage and understanding amongst consumers, but still many concerns exist with respect to the storage of biometric data. Is it being securely stored? Can it be breached? Is it being used for other services?

A second issue is that of implementations with poor cross-over rates – a ratio that measures the number of authentications that were failed but should have been allowed, against the number of authentications that were allowed that should have been failed.

IoT Now: What is ForgeRock’s solution?

SM: The ForgeRock Identity Platform is an open source identity solution that has built access management, identity management, identity gateway, directory and other services into a single, modular platform. Where most identity products on the market today are built to protect internal identities, meaning employees and staff within an organisation, our platform is optimised for customer identity and access management.

There are a number of key challenges around securing external identities that we’ve had to overcome. First, our platform can scale to handle hundreds of millions of individuals, devices and things. We regularly work with customers that require their identity platform to process as many as 50,000+ transactions, such as token validations and authentications, per second.

Second, each and every one of the millions of identities, devices and things needs to be secured at all times. ForgeRock’s platform helps companies continuously protect against threats, using a risk-based system. We also help organisations to manage and personalise highly complex relationships between identities – whether people, devices or things.

As the IoT becomes central to modern life, all of these challenges will continue grow, and digital identity will become even more critical to securing all kinds of interactions, including mobile banking, smart cars, smart homes, industrial logistics, healthcare and more. Our platform is specifically designed to perform in the IoT environment.

Trust is also key to all business and personal relationships. Our platform enables businesses to give customers and employees a convenient way to determine who and what gets access to personal data, for how long, and under what circumstances.

Digital identity has long played a key role in managing secure access. Increasingly, however, it is being used to supporting frictionless user experiences. Our Identity Platform is the first open source identity management solution to support passwordless login and frictionless second factor authentication. This means that we can provide continuous security. For example, where other identity management products offer passwordless login at the beginning of a session, we invoke passwordless, second factor authentication any time during a session, should an anomaly occur.

To give a real-world example, if your laptop switches from a secure company wifi network to an unsecure network in a coffee shop, re-authentication would be invoked. This might require a response to a push notification sent to your phone – through a biometric TouchID, a swipe, or other action – in order to maintain access to the online service.

This kind of continuous security without passwords is essential for a frictionless customer experience in a number of business cases – from securing the smart car and smart home applications, to healthcare devices, wearables, mobile banking and industrial IoT situations where ease of use and the highest level of access security are essential.

IoT Now: Is it available now? What are the costs and technology requirements?

SM: The ForgeRock Identity Platform is available for free trial download on the ForgeRock website. ForgeRock solutions are built on a family of open source identity products (OpenAM, OpenIG, etc.), and are available in both free open source and fully licensed proprietary versions from ForgeRock. The downloads on the ForgeRock site are the most recent builds available.

IoT Now: Which customer groups is it aimed at?

SM: The platform is optimised for customer identity and access management implementations where millions of customers (or citizens), devices and things need to be securely managed. That means that our target customer groups span multiple industries and countries, and range from Fortune 500 enterprises to fast-growing startups, government organisations and non-profits in higher education and healthcare.

The need for secure, trusted relationships is universal, so we have customers within almost every industry, including automotive (Toyota), manufacturing (Axalta), telecommunications (Kabel Deutschland, KPN, Spark New Zealand), Internet of Things (TomTom), retail (Zalando, AutoZone), banking and financial services (Allianz, GEICO, BinckBank, PNB Paribas) healthcare and pharmaceuticals (McKesson, Philips Healthcare). The scalability of the platform has meant that another obvious customer group is national governments and government agencies. For example, the Government of Norway, the European Parliament, and entities within the governments of New Zealand, Australia, Canada, Switzerland, the U.S. and the U.K. are all using the platform.

Jeremy Cowan, IoT NowThe author is Jeremy Cowan,
editorial director &
publisher of IoT Now

 

 

Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow

RECENT ARTICLES
woman holding her finger balance with coins

Quantinuum raises US$300m in equity funding

Posted on: April 18, 2024

Honeywell has announced the closing of a US$300 million equity fundraise for Quantinuum at a pre-money valuation of US$5bn. The round is anchored by Quantinuum’s partner JPMorgan Chase, with additional participation from Mitsui, Amgen and Honeywell, which remains the company’s majority shareholder. This investment brings the total capital raised by Quantinuum since inception to approximately

Read more
close up man using smart touch screen server

ITRI and Arm launch new SystemReady Lab in Taipei to boost AIoT industry

Posted on: April 18, 2024

ITRI has established the ITRI・Arm SystemReady Lab in Taipei, in partnership with Arm. This certification centre is the fourth of its kind globally, following the ones in the United States, Europe and India. The lab combines ITRI’s R&D strengths with the Arm SystemReady compliance programme to deliver comprehensive certification services for the AIoT industry. This

Read more
FEATURED IoT STORIES
What is IoT answer

What is IoT? A Beginner’s Guide

Posted on: April 5, 2023

What is IoT? IoT, or the Internet of Things, refers to the connection of everyday objects, or “things,” to the internet, allowing them to collect, transmit, and share data. This interconnected network of devices transforms previously “dumb” objects, such as toasters or security cameras, into smart devices that can interact with each other and their

Read more
iot adoption

The IoT Adoption Boom – Everything You Need to Know

Posted on: September 28, 2022

In an age when we seem to go through technology boom after technology boom, it’s hard to imagine one sticking out. However, IoT adoption, or the Internet of Things adoption, is leading the charge to dominate the next decade’s discussion around business IT. Below, we’ll discuss the current boom, what’s driving it, where it’s going,

Read more

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more
IoT Now Enterprise Buyers’ Guide Which IoT Platform 2021

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more
CAT-M1 vs NB-IoT

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more
internet of things isometric illustration of connected things

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
iot challenges and issues

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more