Will the Internet of Things kill off passwords?

Interview with Simon Moffatt of ForgeRock

The tech goliaths Google, Apple and Facebook are all starting to take steps towards killing off password authentication once and for all. They see the opportunity to shore up security while also cutting down the number of password resets that consumers have to deal with.

Is there a big crossover here to the Internet of Things (IoT)? Will we really have to remember or store hundreds of complex, unique passwords for everything from our fridge to our watch or washing machine?

Here, Jeremy Cowan talks exclusively to Simon Moffatt, EMEA director, Advanced Customer Engineering at identity management specialists, ForgeRock. We’re rapidly approaching a time when the conventional login-and-password approach to authenticating users and authorising access will no longer be workable. So what will come next?

IoT Now: Does ForgeRock believe that managing passwords is already unworkable? If not yet, when?

Simon Moffatt (SM): Passwords have been used since the birth of computing. They are such an integral part of how we access digital services that they will not become extinct overnight. However, it is now generally accepted that password-based security, on its own, is a low security option. Issues constantly arise with respect to how services store password data, with data breach incidents in the news daily.

Many service providers enforce password complexity rules for their users. However, this can often result in password reuse and the dreaded anti-pattern of writing the password down! A new sub-industry of security focusing entirely on password management via browser plugins has looked to alleviate some of the end-user burden with respect to generating and storing complex passwords. But, whilst this increases user convenience, it does not solve the underlying issue of passwords being a weak form of authentication.

From a workability perspective, passwords still play a big part in many end-user login journeys and whilst more secure login processes exist, until user convenience increases with those more secure processes, passwords will be around for some time yet.

IoT Now: Isn’t this still a consumer concern? Does it already affect enterprise IoT, or just connected consumers?

SM: Password management really affects all users, devices and systems, from both an internal, external and IoT standpoint. From a consumer perspective, the big paradox is between user convenience and security. End users want to trust that their passwords and personal data are being kept safe.

The service provider, on the other hand, wants to reduce the time and friction that often occurs during sign up and sign in. If the security mechanisms are too inhibitive, this can turn users away from their service.

Internet-facing or consumer based services often have a bigger attack vector from malicious users and software that can access their publicly facing applications and sites. This is where increasing security is now a big driver for many providers.

IoT Now: What are the shortcomings of 2FA and biometrics?

SM: Many services look to enhance password based security, through the use of multi-factor or 2nd factor authentication (2FA). This has traditionally been done through the use of a 6- or 8-digit one-time-password (OTP) that is transmitted to a pre-registered mobile number or email address.

The main shortcomings are really twofold – one is user convenience: There is often a time delay and pause during the login sequence as the OTP is transmitted via SMS or email. If email is used, there is then another hop that is required with respect to logging in to the designated email account. The second shortcoming is that SMS-based OTP delivery has been scrutinised with respect to security.

Biometrics, especially the use of fingerprint and facial recognition, have been introduced over the last couple of years via the big mobile phone operating system vendors. This has increased usage and understanding amongst consumers, but still many concerns exist with respect to the storage of biometric data. Is it being securely stored? Can it be breached? Is it being used for other services?

A second issue is that of implementations with poor cross-over rates – a ratio that measures the number of authentications that were failed but should have been allowed, against the number of authentications that were allowed that should have been failed.

IoT Now: What is ForgeRock’s solution?

SM: The ForgeRock Identity Platform is an open source identity solution that has built access management, identity management, identity gateway, directory and other services into a single, modular platform. Where most identity products on the market today are built to protect internal identities, meaning employees and staff within an organisation, our platform is optimised for customer identity and access management.

There are a number of key challenges around securing external identities that we’ve had to overcome. First, our platform can scale to handle hundreds of millions of individuals, devices and things. We regularly work with customers that require their identity platform to process as many as 50,000+ transactions, such as token validations and authentications, per second.

Second, each and every one of the millions of identities, devices and things needs to be secured at all times. ForgeRock’s platform helps companies continuously protect against threats, using a risk-based system. We also help organisations to manage and personalise highly complex relationships between identities – whether people, devices or things.

As the IoT becomes central to modern life, all of these challenges will continue to grow, and digital identity will become even more critical to securing all kinds of interactions, including mobile banking, smart cars, smart homes, industrial logistics, healthcare and more. Our platform is specifically designed to perform in the IoT environment.

Trust is also key to all business and personal relationships. Our platform enables businesses to give customers and employees a convenient way to determine who and what gets access to personal data, for how long, and under what circumstances.

Digital identity has long played a key role in managing secure access. Increasingly, however, it is being used to support frictionless user experiences. Our Identity Platform is the first open source identity management solution to support passwordless login and frictionless second factor authentication. This means that we can provide continuous security. For example, where other identity management products offer passwordless login at the beginning of a session, we invoke passwordless, second factor authentication any time during a session, should an anomaly occur.

To give a real-world example, if your laptop switches from a secure company wifi network to an unsecure network in a coffee shop, re-authentication would be invoked. This might require a response to a push notification sent to your phone – through a biometric TouchID, a swipe, or other action – in order to maintain access to the online service.

This kind of continuous security without passwords is essential for a frictionless customer experience in a number of business cases – from securing the smart car and smart home applications, to healthcare devices, wearables, mobile banking and industrial IoT situations where ease of use and the highest level of access security are essential.

IoT Now: Is it available now? What are the costs and technology requirements?

SM: The ForgeRock Identity Platform is available for free trial download on the ForgeRock website. ForgeRock solutions are built on a family of open source identity products (OpenAM, OpenIG, etc.), and are available in both free open source and fully licensed proprietary versions from ForgeRock. The downloads on the ForgeRock site are the most recent builds available.

IoT Now: Which customer groups is it aimed at?

SM: The platform is optimised for customer identity and access management implementations where millions of customers (or citizens), devices and things need to be securely managed. That means that our target customer groups span multiple industries and countries, and range from Fortune 500 enterprises to fast-growing startups, government organisations and non-profits in higher education and healthcare.

The need for secure, trusted relationships is universal, so we have customers within almost every industry, including automotive (Toyota), manufacturing (Axalta), telecommunications (Kabel Deutschland, KPN, Spark New Zealand), Internet of Things (TomTom), retail (Zalando, AutoZone), banking and financial services (Allianz, GEICO, BinckBank, PNB Paribas), healthcare and pharmaceuticals (McKesson, Philips Healthcare). The scalability of the platform has meant that another obvious customer group is national governments and government agencies. For example, the Government of Norway, the European Parliament, and entities within the governments of New Zealand, Australia, Canada, Switzerland, the U.S. and the U.K. are all using the platform.

The author is Jeremy Cowan, editorial director & publisher of IoT Now.


