MOU signed to promote Simpler and Stronger Authentication to improve cybersecurity

Release Date: January 5th 2021

Today, the IoT Security Foundation (IoTSF) and FIDO Alliance announced that they are collaborating to improve the status of IoT security.

The main aims of the collaboration are to raise awareness of the limitations of passwords for IoT devices and to provide practical alternatives for product manufacturers. These goals will be pursued through joint messaging and through publicly accessible materials that help industry implement password-less authentication.

What’s the problem with passwords?

Passwords are a traditional and simple method for authenticating a user and granting access to resources. In the past this may have been sufficient, but passwords fall dramatically short in many ways when billions of devices are expected to be connected to networks to collect and share data or provide automation: the era of IoT.

Although this is not a new problem, users still find it a challenge to manage and keep track of different accounts and app login credentials. The result is that many take shortcuts, using easy-to-remember (and easy-to-guess) passwords, or reusing the same password across many accounts[1]. This weakens security. Now consider the growing number of home, business, medical, industrial and national infrastructure uses of IoT, which bring efficiency, innovation and user benefits. IoT devices are everywhere and the trend is set to continue, as this article illustrates. For IoT-class products such as routers and webcams, manufacturers have traditionally shipped universal factory default passwords[2]; whilst these can be changed, a significant number remain set to the default. This makes such devices prime targets for botnets that weaponize them for DDoS attacks, such as the infamous Mirai and its many variants.

This means that the sheer volume of devices is only going to exacerbate the issues experienced with passwords today. In summary, passwords are not a good solution to the requirements of IoT authentication now, or in the future.

How can this be addressed?

New standards and forthcoming regulation are helping to drive change. The ETSI 303 645[3] standard of baseline security requirements for consumer IoT, published in mid-2020, includes a provision for “no universal default passwords”, and this standard is now being used as a basis for regulation and certification schemes internationally[4].

Whilst “no universal passwords” is a good start for regulation[5], it does not go far enough. The good news is that good alternatives to passwords exist, so passwords can be eliminated entirely, and those alternatives are both stronger and simpler to use.

How are IoTSF and FIDO Alliance working together?

Both organisations will work together to promote the awareness and use of password-less forms of authentication and link working group activities to ensure industry can access publicly available materials when designing new products.

The IoT Technical Working Group of the FIDO Alliance aims to build a comprehensive authentication framework for IoT devices which provides detailed technical specifications for password-less authentication.

The IoT Security Foundation publishes best practice cyber security advice for product manufacturers and users of IoT systems. Its IoT Security Compliance Framework Working Group is dedicated to the creation and maintenance of the framework, which guides developers through a structured process of questioning and evidence gathering. This helps companies make better products with security by design. It is in this area that both organisations intend to collaborate at the technical level, complementing their advocacy of password alternatives.

References

[1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

[2] https://www.router-reset.com/default-router-password-lookup

[3] https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.00_30/en_303645v020100v.pdf

[4] https://www.iotsecurityfoundation.org/consumer-iot/

[5] https://www.gov.uk/government/news/government-to-strengthen-security-of-internet-connected-products

About the Internet of Things Security Foundation (IoTSF)

IoTSF is a non-profit corporate and professional membership association.

The mission of IoTSF is to help secure the Internet of Things, in order to aid its adoption and maximize its benefits. To do this, IoTSF promotes knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems.

IoTSF promotes the security values of a security-first approach, fitness for purpose and resilience through operating life. The security values are targeted at key stages of the IoT eco-system – those that build, buy and use products and services: Build Secure. Buy Secure. Be Secure.

IoTSF was formed as a response to existing and emerging threats in Internet of Things applications.

IoTSF is an international, collaborative and vendor-neutral members’ initiative, driven by the IoT eco-system and inclusive of all parties including technology providers and service beneficiaries.

For more information, news and further announcements, please visit the official website at www.iotsecurityfoundation.org

About the FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.

Christina Hulka, executive director and COO of the FIDO Alliance, said, “The FIDO Alliance mission is to reduce the world’s reliance on passwords with simpler and stronger authentication, including in IoT which unfortunately continues to rely on default or weak password authentication. We look forward to working with the IoT Security Foundation to accelerate our path toward bringing passwordless authentication to IoT.”

John Moor, Managing Director of IoTSF, said, “The use of passwords for security is an outdated and outmoded security practice for the digital age. There are solutions which are stronger from a technical perspective and better from a user’s perspective. We are delighted to be working closely with the FIDO Alliance to help eliminate the use of passwords and drive better practice for our manufacturing members.”