Voice of the Industry

Establishing secure IoT platforms is essential for payments by things

Friday 13 December 2019 08:42 CET | Author Simona Negru | Voice of the industry

Andrew Shikiar of the FIDO Alliance sat down with The Paypers to explain why establishing secure IoT platforms is essential for payments.


With more than 30 billion connected things projected to be in use by 2020, you would think that basics like efficient onboarding, security, and distribution channel provisioning for the Internet of Things (IoT) would be well-established, with industry wide standards in place. That is not the case. 

At the same time, industrial and consumer IoT products alike can be equipped to make payments. These range from sensors and robots on production lines that can order new parts or supplies to smart refrigerators that can order and pay for groceries and connected cars that can locate and pay for gas or parking. 

While secure payment processing is separate from device security and efficient onboarding, establishing standards and certification processes for identifying, authenticating, and managing IoT devices will greatly benefit all applications of connected devices, including payments. 

Weak security, inefficient processes, and lack of standards plague IoT 

There are many issues facing device onboarding and lifecycle management in the IoT realm. Security can be notoriously weak, as we saw with the massive Mirai botnet distributed denial of service (DDoS) attack that compromised more than 650,000 network-connected IoT devices. It worked by exploiting default user account and password combinations that shipped with the devices and were not changed at installation. 

Processes for securing IoT devices through the distribution chain and setting them up during deployment are very inefficient or completely lacking. Today, in an industrial setting, onboarding an IoT device is highly manual and typically takes up to 20 minutes per device, which is a long time when onboarding even a single device, let alone a fleet of dozens or hundreds of devices. Similar inefficiencies are observed when onboarding consumer devices, which leads to frustration and abandonment. 

As devices move through distribution channels, different organisations may need to access and modify device software to add value or customise it for the deploying organisation. Since these devices today rely primarily on passwords, this can create multiple points of vulnerability. 

Furthermore, methods for handling all aspects of IoT device distribution, onboarding, and lifecycle management vary greatly between manufacturers and lack standardisation. 

The resulting problems create barriers to more efficient deployment and rapid growth for the IoT industry, and contribute to a lack of trust in smart devices of all types. These challenges also impact IoT payments and in fact are the same problems faced with any payment system. Does the payment come from an authenticated device? Was the payment authorised by the rightful owner of the payment account? Is the device or the network communication compromised by bad actors? 

Answering these questions to ensure payment security is perhaps even more complicated with IoT devices than with conventional payment terminals, which have proven problematic despite rigorous industry efforts to ensure their security. IoT devices will be more numerous, more broadly deployed, and less managed than payment terminals. 

Since an IoT device could be compromised at any point in its manufacturing, deployment or use, protecting the integrity of IoT devices throughout the distribution chain and lifecycle is just as essential to payments as it is to maintaining the security and integrity of the systems to which the device is connected. 

Open standards from a cross-industry organisation 

To address weak IoT security and other challenges in IoT lifecycle management, the FIDO Alliance recently launched an initiative to provide a comprehensive authentication framework for IoT devices in keeping with our fundamental mission: to provide stronger, simpler authentication that reduces reliance on insecure passwords. 

The vision is to do for IoT devices what FIDO has done for mobile devices and web applications: establish free and open standards that authenticate both the device and the user with a secure and fast login experience. The goal is to create standards-based authentication profiles that work at the device level to enable interoperability between service providers and IoT devices, automate onboarding of devices onto a local network or public cloud, and, for industrial applications, to enable provisioning via smart routers and IoT hubs. 

Achieving this requires close cooperation between all stakeholders, from competing chip manufacturers to OEM device manufacturers and online service and platform providers. To get there, FIDO has established the IoT Technical Working Group (IoT TWG) that brings together representatives from this diverse set of players who recognise that device-level security and interoperability issues need to be addressed at an industry level. 

Organisations participating in the working group include ARM Holdings, Google, Idemia, Infineon Technologies, Intel Corporation, Lenovo, Microsoft, Nok Nok Labs, OneSpan, Phoenix Technologies Ltd., Qualcomm, Inc., Yahoo! JAPAN, and Yubico. 

FIDO IoT authentication sits beside payments, making it safer 

Payments are not directly addressed in the world of FIDO authentication. Rather, payment is one of many types of interaction that stand on their own but depend greatly on a secure identity that is validated with strong authentication and transmitted via encrypted connections. 

Once a device and the user or organisational owners are verified using FIDO’s modern authentication, the IoT platform is identified and communications are encrypted, reducing risk. Payments can then take place using existing payment card networks and payment industry security standards like tokenization. 

However the payments and IoT industries evolve as we work our way toward 30 billion connected devices, there will always be a need for a strong connection between the device, its identity, and authentication. When these steps are provided, other aspects of the device onboarding process can be standardised for greater efficiency for the entire industry. Having globally accepted standards and certification processes will help the IoT industry fulfil its vision of smart things everywhere, and do so while protecting the devices, their owners and the machines enabling the world around us. 

About Andrew Shikiar 

Andrew Shikiar is the Executive Director and Chief Marketing Officer at FIDO Alliance, a global consortium working to create open standards and an interoperable ecosystem for simpler, stronger user authentication. He has deep experience in multi-stakeholder organisations, having previously led market development efforts for Tizen Association, LiMo Foundation and Liberty Alliance Project – and also helped structure and launch groups such as the Smart TV Alliance and Open Visual Communications Consortia. 

About the FIDO Alliance 

The FIDO Alliance was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.
