Protecting the People: Securing Identities Within IoT Systems
by Exosite, on August 3, 2017
Taking steps to secure the identities of system users is a critical step in IoT security. A properly managed two-factor authentication system that requires a U2F key, or a comparable second factor, puts a solid technical barrier in front of would-be attackers who try to take control of a device or reach its data through phishing and other social-engineering scams. Passwords and authentication can seem abstract to people unfamiliar with technology, but a U2F key is easy to explain: it works much like a house or car key, a physical object that protects your most important assets.
It is important to keep in mind, however, that good security does not always equate to a good user experience. Requiring two-factor authentication for every application would be more secure, but it can be cumbersome for users. This balance must be weighed against the level of risk associated with the device connected to the platform. Flexible options in a two-factor authentication application let users get their work done without forcing a single, overly prescriptive risk evaluation on every case. For example, a completed authentication can be cached and recognized on a single device, or it can be given a timeout after which the second factor must be presented again. These options do widen the window in which an attacker could gain access, but the risk of shipping an unusable application can outweigh the risk posed by the connected device.
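The caching and timeout options described above can be expressed as a small policy that decides, per request, whether the second factor must be presented again. This is an added example, not code from the original post or from Exosite; the risk tiers, the time windows and the "remembered device" rule are assumptions chosen to illustrate the trade-off, the only figure taken from the post being the 12-hour upper bound.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# How long a completed second-factor check stays valid, per device risk tier.
# Constructed values: the post only says a token may stay valid for up to 12 hours.
REVERIFY_AFTER = {
    "low": timedelta(hours=12),    # e.g. viewing telemetry from a sensor
    "medium": timedelta(hours=1),  # e.g. changing device configuration
    "high": timedelta(0),          # e.g. actuating equipment: always re-verify
}
REMEMBERED_DEVICE_FOR = timedelta(days=30)  # cached trust, low tier only (assumption)

@dataclass
class Session:
    user_id: str
    device_id: str                   # client the user is currently signed in from
    last_2fa_at: Optional[datetime]  # when the second factor was last presented
    remembered_device_id: Optional[str] = None  # client trusted after a prior 2FA

def second_factor_required(session: Session, risk_tier: str, now: datetime) -> bool:
    """Return True if the user must present the second factor before this request."""
    if risk_tier not in REVERIFY_AFTER:
        raise ValueError(f"unknown risk tier: {risk_tier}")
    if session.last_2fa_at is None:
        return True  # never verified in this session
    window = REVERIFY_AFTER[risk_tier]
    if window == timedelta(0):
        return True  # high risk: no caching at all
    if risk_tier == "low" and session.remembered_device_id == session.device_id:
        window = REMEMBERED_DEVICE_FOR  # longer cache, but only on the known client
    return now - session.last_2fa_at > window

def record_second_factor(session: Session, now: datetime, remember: bool) -> Session:
    """Call after a successful U2F/TOTP check; optionally remember this client."""
    session.last_2fa_at = now
    if remember:
        session.remembered_device_id = session.device_id
    return session

def walkthrough() -> dict:
    """Constructed scenario: one user, one session, checked across a few days."""
    t0 = datetime(2017, 8, 3, 8, 0, tzinfo=timezone.utc)
    s = Session("alice", "laptop-1", last_2fa_at=None)
    out = {"fresh_session": second_factor_required(s, "low", t0)}
    record_second_factor(s, t0, remember=True)
    out["low_after_2h"] = second_factor_required(s, "low", t0 + timedelta(hours=2))
    out["medium_after_2h"] = second_factor_required(s, "medium", t0 + timedelta(hours=2))
    out["high_immediately"] = second_factor_required(s, "high", t0)
    out["low_remembered_after_3d"] = second_factor_required(s, "low", t0 + timedelta(days=3))
    s.device_id = "phone-9"  # same session presented from a client that was never remembered
    out["low_new_device_after_3d"] = second_factor_required(s, "low", t0 + timedelta(days=3))
    return out
```

The walkthrough shows the trade-off directly: the low tier accepts a cached factor for days on a remembered client, while the same session on an unknown client, or any high-risk action, is sent back to the second factor.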
Two-factor authentication also does not solve every issue, because the manner of implementation has a significant impact on the level of security it provides. The demands of a good user experience can require that a security token remain valid for as long as 12 hours, which gives an attacker a rather long window of opportunity if they obtain user credentials together with a temporary key. And answers to security questions like “What was the name of your first pet?” or “Where was your first job?” can often be looked up by a motivated attacker. Depending on the level of risk associated with a solution, it may be worth considering other options, such as text-message verification and phone-based authentication apps, which provide significantly better protection than security questions.