Two factor authentication is an option for the IoT and you can read about how it works using low power wireless communications right here or click this presentation to the ← left of this text.
But the two-factor news of the week is Facebook’s announcement of an additional option for two-factor authentication using … low power wireless communications! You can check out Facebook’s announcement here but basically the authenticating technology is NFC (near-field communications), a really short range technology increasingly used for mobile payments including Apple Pay. When logging into Facebook, you are asked to place your NFC-enabled hardware device like a smartphone or a third party device like this next to your desktop or mobile phone, thereby making it much harder for a hacker 3,000 miles away to impersonate you since they don’t have this extra physical layer of security.
NFC is not new and neither is two-factor authentication, but Facebook endorsing a combination of the two is an important milestone. For the IoT, which is still digging out from the Mirai debacle and mostly lacking for compelling security stories, Facebook’s announcement comes at an opportune moment. Here are a few — actually seven — reasons why I think this is such an important event for the IoT:
“Conventional” two-factor authentication is not enough. Facebook is early in the process of rolling this out, but their message is obvious: we are moving beyond text messaging and email for two-factor authentication. NIST no longer endorses SMS as a secure means of two-factor authentication and the search for a better way is on. Takeaway: few IoT solutions even use two-factor yet, but for those contemplating it, Facebook just offered a vision for leapfrogging yesterday’s two-factor approaches with something better and perhaps easier to use.
Low power wireless as a second authentication factor is officially mainstream. Authentication of internet-connected devices as a killer non-payment use case for NFC always seemed so obvious to me but … maybe it takes a consumer application vendor like Facebook to do the obvious first. Takeaway: if it’s good enough for everyday Facebook users, it’s good enough for most IoT developers.
Facebook just gave NFC a huge imprimatur, but they will support other wireless technologies also. Bluetooth is being studied by the same team at Facebook and it’s safe to assume that it will be their next wireless authentication option. Takeaway: these are short range technologies that will normalize the use of low power wireless for authentication, but as users and use cases like the IoT demand more flexibility or capabilities, longer range authentication options will be added to the portfolio.
Choosing NFC, rather than Bluetooth, was a smart starting point for Facebook. NFC is inexpensive, already found on smartphones, and requires no power supply on peripherals. More than a few hardware vendors will follow Facebook’s hint and choose to integrate NFC into their “smart” IoT devices as a security precaution (e.g. “our security story today is full of holes so let’s at least copy Facebook, which our customers use anyway …”) Such integration need not be limited to consumer devices like Dropcam but could extend to any number of enterprise and industrial IoT devices.
NFC will kick-off the search for even better options for wireless two-factor authentication. NFC range is very limited and periodic authentication of, say, industrial devices via NFC could become a baseline precaution for IoT security. But more a more practical path would follow the next-gen “NFC+” approach which makes a simple modification to existing NFC silicon and re-uses the NFC antenna to enable much longer range (hundreds of meters or even kilometers, if desired). For example, someone attempting to send a command to WiFi camera from a location 500 yards away could only do so if their NFC+ wristband authenticates that they are indeed 500 yards away. Mirai-type botnet attacks, executed remotely, would be more difficult if this additional physical layer of protection were invoked every time someone attempted to access that camera. Takeaway: NFC has the potential to be the foundation for second factor authentication in the IoT, but also as a longer-range, low power connectivity option.
Facebook also endorsed “new” form factors for authentication. Facebook smartly recommends third party gadgets that can — wirelessly — authenticate my Facebook app on my Android phone. Takeaway: keyfobs, watches, fitness trackers, access control badges, and the like are all candidates for this new authentication role and many, like FitBit, already support NFC.
Apple will play along, but with Bluetooth. Apple’s challenges with Apple Pay security are behind their unfortunate reluctance to open up the NFC API on the iPhone. So unless Apple decides to open up their NFC API they’ll support Facebook (and many others who will follow Facebook — banks, Amazon, et al) with Bluetooth. Takeaway: Apple will eventually support wireless two-factor authentication with Bluetooth on the iPhone, but Bluetooth will be a poor choice for stand-alone authentication widgets for security and battery life reasons.
Good news: someone is already out there solving for IoT two-factor authentication. You can see how my company, Haystack, views the technology integration side of this opportunity here. We began thinking about NFC and the IoT years ago and baked it into our product strategy. NFC’s data format, NDEF, for example, is a core part of the way our software exchanges data between OSI layers.
I do not think of Facebook as an IoT company but it’s funny when non-interested companies inadvertently drive or even settle industry norms or standards in non-adjacent sectors like the IoT. Security for the IoT is kind of a big deal and government regulation seems not far off, but given the fragmentation and heterogeneity of what we now call the “IoT”, maybe it’s not so surprising that it’s Facebook helping to solve for IoT security rather than an “interested” IoT participant.