A few weeks ago I wrote about using two-factor authentication to secure IoT endpoints and mentioned Facebook as a good example of its implementation using text messaging, email, or voice.

This is what I posted a few weeks ago …

Two factor authentication is an option for the IoT and you can read about how it works using low power wireless communications right here or click this presentation to the ← left of this text.

But the two-factor news of the week is Facebook’s announcement of an additional option for two-factor authentication using … low power wireless communications! You can check out Facebook’s announcement here but basically the authenticating technology is NFC (near-field communications), a really short range technology increasingly used for mobile payments including Apple Pay. When logging into Facebook, you are asked to place your NFC-enabled hardware device like a smartphone or a third party device like this next to your desktop or mobile phone, thereby making it much harder for a hacker 3,000 miles away to impersonate you since they don’t have this extra physical layer of security.

NFC is not new and neither is two-factor authentication, but Facebook endorsing a combination of the two is an important milestone. For the IoT, which is still digging out from the Mirai debacle and mostly lacking for compelling security stories, Facebook’s announcement comes at an opportune moment. Here are a few — actually seven — reasons why I think this is such an important event for the IoT:

“Conventional” two-factor authentication is not enough.
Facebook is early in the process of rolling this out, but their message is obvious: we are moving beyond text messaging and email for two-factor authentication. NIST no longer endorses SMS as a secure means of two-factor authentication and the search for a better way is on. Takeaway: Few IoT solutions even use two-factor yet, but for those contemplating it, Facebook just offered a vision for leapfrogging yesterday’s two-factor approaches with something better and perhaps easier to use.

Low power wireless as a second authentication factor is officially mainstream.
Authentication of internet-connected devices as a killer non-payment use case for NFC always seemed so obvious to me but … maybe it takes a consumer application vendor like Facebook to do the obvious first. Takeaway: If it’s good enough for everyday Facebook users, it’s good enough for most IoT developers.

Facebook just gave NFC a huge imprimatur, but they will support other wireless technologies also.
Bluetooth is being studied by the same team at Facebook and it’s safe to assume that it will be their next wireless authentication option. Takeaway: These are short range technologies that will normalize the use of low power wireless for authentication, but as users and use cases like the IoT demand more flexibility or capabilities, longer range authentication options will be added to the portfolio.

Choosing NFC, rather than Bluetooth, was a smart starting point for Facebook.
NFC is inexpensive, already found on smartphones, and requires no power supply on peripherals. More than a few hardware vendors will follow Facebook’s hint and choose to integrate NFC into their “smart” IoT devices as a security precaution (e.g. “our security story today is full of holes so let’s at least copy Facebook, which our customers use anyway …”). Such integration need not be limited to consumer devices like Dropcam but could extend to any number of enterprise and industrial IoT devices.

NFC will kick off the search for even better options for wireless two-factor authentication.
NFC range is very limited and periodic authentication of, say, industrial devices via NFC could become a baseline precaution for IoT security. But a more practical path would follow the next-gen “NFC+” approach which makes a simple modification to existing NFC silicon and re-uses the NFC antenna to enable much longer range (hundreds of meters or even kilometers, if desired). For example, someone attempting to send a command to a WiFi camera from a location 500 yards away could only do so if their NFC+ wristband authenticates that they are indeed 500 yards away. Mirai-type botnet attacks, executed remotely, would be more difficult if this additional physical layer of protection were invoked every time someone attempted to access that camera. Takeaway: NFC has the potential to be the foundation for second factor authentication in the IoT, but also as a longer-range, low power connectivity option.

Facebook also endorsed “new” form factors for authentication.
Facebook smartly recommends third party gadgets that can — wirelessly — authenticate my Facebook app on my Android phone. Takeaway: Keyfobs, watches, fitness trackers, access control badges, and the like are all candidates for this new authentication role and many, like FitBit, already support NFC.

Apple will play along, but with Bluetooth.
Apple’s challenges with Apple Pay security are behind their unfortunate reluctance to open up the NFC API on the iPhone. So unless Apple decides to open up their NFC API they’ll support Facebook (and many others who will follow Facebook — banks, Amazon, et al) with Bluetooth. Takeaway: Apple will eventually support wireless two-factor authentication with Bluetooth on the iPhone, but Bluetooth will be a poor choice for stand-alone authentication widgets for security and battery life reasons.

Good news: someone is already out there solving for IoT two-factor authentication. You can see how my company, Haystack, views the technology integration side of this opportunity here. We began thinking about NFC and the IoT years ago and baked it into our product strategy. NFC’s data format, NDEF, for example, is a core part of the way our software exchanges data between OSI layers.

I do not think of Facebook as an IoT company but it’s funny when non-interested companies inadvertently drive or even settle industry norms or standards in non-adjacent sectors like the IoT. Security for the IoT is kind of a big deal and government regulation seems not far off, but given the fragmentation and heterogeneity of what we now call the “IoT”, maybe it’s not so surprising that it’s Facebook helping to solve for IoT security rather than an “interested” IoT participant.

You can reach me via @patdash7 or via email at pat @ haystacktechnologies dot com.