Contextual Identities for the IoT

This post was originally published on the Capital Data Summit guest blog ahead of my participation on the Identity Management in the Age of the Internet of Things panel on February 15, 2017.

Contextual identity represented as a “chord” of relationships among detectable signals.

The proliferation of Internet of Things (IoT) devices poses new security challenges. Sensitive IoT use cases, like financial transactions and access control, must be secured against novel attacker models on an unprecedented scale. Significantly, traditional identity verification and authentication methods ‒ reliant on connection and the exchange of secrets (passwords or keys) ‒ are impractical across so many billions of wireless devices. As a result, Wireless Registry envisions identity for the IoT as a “secret-less” cloud solution constructed from IoT contexts.

An IoT context is a set of wireless devices in proximity to each other. The WiFi, Bluetooth and BLE signals these things emit create temporal clusters. For example, a home context may comprise a WiFi router, Bluetooth speaker, TV and a smartphone; a transportation context a number of cars on a highway and the surrounding urban infrastructure; a payment context several routers, a point of sale and customers’ BLE wearables. Devices can leverage IoT contexts as identities that inform trust-based decision-making prior to taking an action. A driverless car, for example, may augment its assessment that it is, in fact, parked in front of an airport terminal prior to unlocking for a passenger, based on the (anonymized) “fingerprint” of detectable signals around it.

Devices move around, so proximity is constantly changing. At any given moment, wireless things enter and exit IoT contexts. Signal contexts are dynamic, both for fixed spaces and for the individual mobile devices that pass through them. A smartphone will develop a temporal identity ‒ its own IoT context ‒ based on patterns of detections of things it encounters as it moves through the world (its owner’s wearables, item tracker, car, home and work WiFi contexts, and much more). Consequently, prior to enabling a mobile payment transaction, an app may rely on several different trusted IoT contexts, not only to confirm that it is close to a payment terminal and inside a retail store, but also to flag abnormal usage patterns that could indicate theft or loss of that smartphone.
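The payment check described above can be sketched as follows. This is an added example, not Wireless Registry's code: the salted-hash anonymization, the coverage score, the 0.6 threshold, the decision labels and all identifiers are assumptions, and the addresses are constructed sample data.

```python
import hashlib

# Assumption: a per-deployment salt so raw device addresses are never stored.
SALT = b"constructed-example-salt"

def anonymize(identifier: str) -> str:
    """Salted, truncated hash of a WiFi/Bluetooth/BLE identifier."""
    norm = identifier.strip().lower().encode()
    return hashlib.sha256(SALT + norm).hexdigest()[:16]

def fingerprint(identifiers) -> frozenset:
    """Anonymized 'fingerprint' of a set of detectable signals."""
    return frozenset(anonymize(i) for i in identifiers)

def coverage(observed: frozenset, enrolled: frozenset) -> float:
    """Share of an enrolled context present in the current scan.

    Unknown devices in the scan do not lower the score, because things
    enter and exit a context all the time; only missing enrolled
    signals count against it.
    """
    if not enrolled:
        return 0.0
    return len(observed & enrolled) / len(enrolled)

def payment_decision(scan, store_ctx, owner_ctx, threshold=0.6) -> str:
    """Combine two trusted contexts before enabling a mobile payment."""
    seen = fingerprint(scan)
    if coverage(seen, store_ctx) < threshold:
        return "deny"      # not near the enrolled payment context
    if coverage(seen, owner_ctx) < threshold:
        return "step_up"   # in the store, but the owner's usual things are absent
    return "allow"

# Constructed sample data: two routers and a point of sale; three owner devices.
STORE_CTX = fingerprint(["02:00:00:00:01:01", "02:00:00:00:01:02",
                         "02:00:00:00:01:03"])
OWNER_CTX = fingerprint(["02:00:00:00:02:01", "02:00:00:00:02:02",
                         "02:00:00:00:02:03"])

NORMAL_SCAN = ["02:00:00:00:01:01", "02:00:00:00:01:03",   # router, POS
               "02:00:00:00:02:01", "02:00:00:00:02:03",   # watch, earbuds
               "02:00:00:00:09:09"]                        # another customer
LOST_PHONE_SCAN = ["02:00:00:00:01:01", "02:00:00:00:01:02",
                   "02:00:00:00:01:03", "02:00:00:00:09:09"]
ELSEWHERE_SCAN = ["02:00:00:00:02:01", "02:00:00:00:02:02",
                  "02:00:00:00:09:10"]
```

A context score of this kind is a risk signal: "step_up" stands for falling back to another verification step when the phone is in the store but none of its owner's usual devices are nearby.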

In summary, whereas legacy paradigms continue to inspire security approaches that involve keys and secrets, Wireless Registry suggests that identities for the IoT may be constructed and verified through IoT contexts. Indeed, although traditional solutions are adequate for smaller-scale enterprises, they are not feasible on a global scale, and thus contextual identities are the solution.

Like what you read? Give srdjan marinovic a round of applause.