How to ensure device authenticity in IoT?

An effective and robust authentication system enables IoT devices to link with each other, applications and people to deliver data from the device and to accept commands to the device. Secure authentication ensures proper data flow to and from an IoT device.We all agree on the fact that authentication plays an important role in securing access for IoT devices. But, the authentication methods which are used in today’s IT may not work for all IoT devices classes.

Authentication approaches for different life cycles

IoT device classes

• There are three basic IoT device types according to the current classification methods:Class 1 devices are simple, for example sensors that sense and transmit data, or simple actuators that receive data to initiate commands.
• Class 2 devices are ones which are more sophisticated and are able to perform data storage or analysis functions in addition to class 1 capabilities, such as simple hub, concentrator or gateway for devices.

Class 3 devices are sophisticated systems, much the same as general purpose servers. They usually serve as key aggregation points in an IoT network.

The device class, purpose and environment can constrain the choice of authentication methods.Establish Identity Assurance

IoT network and security designers must first establish the identity assurance requirements of their IoT devices. Assurance or trust-level requirements vary from device to device, depending on the device class, type of application, strength of network etc.

The authentication methods considered appropriate for class 1 or class 2 devices in a wireless local-area network won’t provide a sufficient level of trust for gateways that connect different IoT worlds and ensure the running of critical operations in the network. Proper examination of different IoT device life cycle phases must be done in order to determine identity assurance requirements at each phase. The examination can become complicated in case of multiple actors being involved in initiating and maintaining operations at different phases.

IoT security designers must use a risk-adaptive approach to determine the identity assurance requirements associated with each device. Security designers should also demand that device manufacturers and authentication solution providers use customer experiences for contextual data points derived during the device life cycle, and utilize the extracted data for assigning risks associated with a particular device operation. Trust elevation mechanisms can then be identified and invoked when the identified risk pertaining to the device operation exceeds a customer-defined level of trust. Compromised devices or unidentified actors on the network can be detected easily when this approach is followed.

Some life cycle phases may require one-way authentication approaches, which involve either of the two connecting parties to authenticate each other, while other stages may require mutual authentication for both parties involved in communication to authenticate to each other.

The growth of IoT has bought about with itself the need for device authentication. As enterprises increase the use of IoT, the need for proper authentication will also increase. IoT network and security designers must try to establish identity assurance requirements for specific device classes.