The Real Internet of Things: Identity and Authentication

the-real-internet-of-things-cover

These are published chapters from my book The real Internet of Things, published on January 1st, 2017.

A key component of daemonization is the fact that each person’s (or object’s) daemon represents their unique and centralized identity online, and all object daemons are speaking authoritatively as themselves.

So when a DA requests to see products, requests a ride, votes for something, pays for meals, opens doors, or sends a payment to someone, these actions will all come from the centralized identity of the principal that all receiving systems can associate properly. The receiving daemon will then determine whether the requesting entity is able to perform the action in question, and will either approve or deny it.

This is the same way that access is limited to one’s own daemon. Only certain people can interact with a daemon to pull information, make requests, etc., depending on the sensitivity of the data/action and the requester’s relationship to it. So when someone authenticates to their device—a mobile device for example—they’ll be proving that they not only own that device, but also that they are authorized to broadcast and update their daemon as well.

Their DA will then be given access to their daemon, and then they can go about their regular activities.

However, this is going to require a very different approach to authentication.

Right now our identities, and authentication thereof, are handled in a very primitive way. We are who we are because we know something that anyone else could easily know. Or because we have something that anyone else could have. Fingerprints, iris scans, and other types of biometric authentication help, but they don’t solve the problem.

The problem is the Last Mile of Authentication, meaning the links between the user, the device, and requests coming from the device, aren’t strong enough to enable the kind of functionality that will come with daemonization.

I believe what we’re going to move to is continuous authentication, and I think it’ll make use of a separate type of service, which I’ll call an Identity Validation Service (IVS). And rather than your authentication being based on one thing, or even two or three, it’ll be based on dozens or hundreds.

Unsupervised Learning — Security, Tech, and AI in 10 minutes…

Get a weekly breakdown of what's happening in security and tech—and why it matters.

People and things will constantly stream data points to the IVS, and those markers will be used to maintain a real-time confidence rating that the person (or thing) is actually itself. For humans that’ll mean you’ll be streaming your voiceprint, your fingerprints, the shape of your face, the way you walk, the places you normally are, the sounds in the area, your heartbeat, and dozens of others.

All these flow in constantly to the IVS. Then, when your DA goes to make a request to a daemon on your behalf, it will send your request with a number of signatures. It’ll be signed by the device, perhaps some other entities, but most importantly, the request will be signed by the IVS. The signature will include a confidence score that—for this particular request, at this particular time—the service is X% confident that it’s in fact the right person making this request.

So if someone grabs your mobile device and starts running, they’re suddenly lacking wearable input, they’re sprinting in a way that’s different from you, and when they try to enter a password (which they somehow know) they type differently than you and/or their voice is different. This is all streamed to the IVS (maybe combined with a theft report you just made from your watch), and the IVS is now refusing to sign requests made from that system. Your DA also disassociates from the device.

Additionally, different types of requests will have different levels of sensitivity. Most things you want to do, and that your DA will request for you, will require no additional authentication prompts because your authentication stream and its associated confidence level will be adequately strong. But for certain events, like sending large sums of money, or entering protected areas, your DA might prompt you to authenticate in some way. The requirement will be mapped to the sensitivity of the activity and will depend on how deeply and securely you’re already authenticated through your stream.

This is the type of identity and authentication system that will be needed for a daemonized world where your DA is making dozens, hundreds, or thousands of requests on your behalf throughout the day.

Summary

  1. Daemonization will require an extremely robust identity and authentication infrastructure.

  2. Each object will be presenting authoritatively as itself.

  3. Authentication will move from a periodic model to a continuous model, and will make use of an Identity Validation Service.

  4. Most authentication will be transparent, but certain sensitive activities will require additional, DA-brokered prompts.

Related posts: