Authenticating Connected Systems
|Publisher||VDC Research Group, Inc.||Product Code||315705|
|Publication Date||Content||English; 14 Pages; 29 Exhibits
This report discusses and analyzes methods used to authenticate connected systems in the Internet of Things. It also discusses key strategic issues, trends, and other factors impacting the market for authentication solutions. Market analysis and critical considerations are offered across technology types, product categories, and industry sectors. The report integrates selected findings from VDC's recent Authentication & Encryption survey of OEM embedded device engineers. (Full survey data is provided as a separate Excel spreadsheet.)
Authentication is a critical aspect of security for connecting devices to people or other devices and services. Authenticating the identity of people is fraught with potential security challenges, including weaknesses of both the people and the procedures. The use of multi-channel and multi-factor authentication to improve the security of human-to-machine authentication is increasing in many business applications, but their acceptability for day-to-day consumer applications is less certain. Machine-to-machine authentication is based on asymmetric encryption and commonly relies on Public Key Infrastructure (PKI) and a Certificate Authority (CA) as a trusted third party. The number of encryption keys that an embedded device needs to manage grows with the number of devices with which it connects, potentially straining embedded devices with limited resources.
[Data available in full report.]
Authentication is a critical aspect of security for connected devices, yet the process is fraught with potential weak points. For human-to-machine (H2M) authentication, a password is usually the weak point, or more specifically, the human who chooses and must remember the password is the weak point. Given the security risks that increase exponentially with the number of devices connected, VDC sees it as inevitable that multi-channel and multi-factor authentication will replace passwords alone as the standard for H2M. This shift has already occurred in many high-risk systems, such as banking and finance, and is growing in general business applications. But the largest volume opportunity is for commercial solutions in the consumer IoT market. Multi-channel passwords are generally palatable to consumers, but multi-factor solutions are an open question.
It remains to be seen whether consumers can be convinced en masse of the need to adopt true multi-factor solutions, such as low-cost hardware tokens (e.g. Yubico's YubiKey) or biometrics for day-to-day device access. A portion of consumers are bound to lose tokens or other physical authentication devices, necessitating a means (temporarily at least) to bypass them, which in itself constitutes a potential security hole. And many consumers perceive biometrics to be somewhat creepy, due to concerns about potential theft of their most personal attributes. A number of vendors, such as Keypasco and Delfigo Security, are developing solutions (currently targeted at mobile phones and tablets) that are easier to use than tokens or even biometrics. We anticipate more of these types of solutions to make their way into the embedded device market.
For machine-to-machine authentication, the solutions largely exist already, with several caveats. First, encryption key management will become more critical as the number of devices in an IoT system increases. Many embedded devices won't have sufficient resources to handle the task, including key revocation and purging of keys that are otherwise no longer in use. To better handle key management, the IoT expands the opportunity for Authentication-as-a-Service.
Second, the existing PKI system relies on trusted Certificate Authorities. Although breaches of CAs have been rare and small-scale thus far, large-scale breaches of those CAs could undermine the entire current PKI system.
And third, the National Security Agency (NSA) and other entities are actively developing quantum computers, which could someday crack the public key cryptography technology widely used for authentication by being able to derive a private key from its matching public key. Even the threat of that could produce a huge surge of research and investment in quantum-resistant cryptography, such as NTRU.