Security

IoT devices need passwordless authentication

23rd February 2025
Sheryl Miles

The Internet of Things (IoT) has a security problem. These devices act as entry points for attackers to infiltrate and move across a network, but many lack sufficient secure access features. One of the most prominent of these shortcomings is the IoT’s reliance on passwords.

The problem with passwords

Accessing an IoT device is often a matter of simply inputting a password. The issue is that this authentication method relies too heavily on the user, and people have not historically followed recommended password practices.

The IET reported that only 38.9% of UK adults use unique passcodes on every site, and almost 20% use the same one for every account. Similarly, just 35.45% of users regularly change their passwords. More worryingly, fewer than half change their credentials after receiving a notification of a breach.

It’s also worth noting that passwords are the most commonly leaked data point in breaches in the UK. In light of how rarely people change or use different codes, this leaves password-reliant systems severely vulnerable to credential stuffing.

This way of authenticating users is only safe when authorised individuals use strong, unique passcodes and change them regularly, but people don’t often do that. Even if they did, advances in artificial intelligence (AI) have raised the bar for brute force attacks. As the world relies more on the IoT, it needs a different verification mechanism.

Possible passwordless IoT authentication methods

Given these risks, it’s time for IoT device manufacturers to embrace passwordless authentication measures. While this is a newer field, a few options have already emerged.

Biometric passkeys

Passkeys – on-device cryptographic credentials – are the leading passwordless technology, and they come in several forms. Biometrically accessed options are among the most common.

Here, a face or fingerprint scan triggers the passkey to unlock the device. Because it does not rely on passwords and the key remains on the endpoint itself, it mitigates credential stuffing and user error concerns. Biometrics are also seamless to use, so there’s no learning curve.

The primary downside to biometrics is that users cannot change their biometric information if breached. While passwords are less secure, following the advice to change them every three months prevents a leaked code from becoming usable. Stealing biometric data is harder, but if hackers succeed, the stolen data remains effective because the user cannot replace it.

PIN-based passkeys

Alternatively, IoT device makers can use PIN codes to access passkeys. The underlying concept is the same, but instead of scanning a finger or their face, users enter a unique PIN.

Unlike biometrics, authorised users can change a PIN if it leaks. While attackers can brute-force a four-digit code instantly, this is less of a concern when they must do so on the device itself. Restricting physical access to an IoT device is often easier than preventing wireless connectivity, so a PIN-passkey pairing can be surprisingly effective.

Cybercriminals may be able to steal PINs through social engineering. However, needing in-person access to the terminal in question still reduces the chances of a breach.

One-time passcodes

Another passwordless authentication option is to use one-time passcodes (OTPs). Here, the IoT endpoint sends a passcode or QR code to a preauthorised number, email address, or internal company chat. The code remains active for a limited time and then expires, or it is invalidated as soon as a user logs in with it successfully.

Because OTPs have such a short life span, they’re immune to credential stuffing. They’re also user-friendly, as people do not need to remember any passwords or PINs.

The main downside is that OTPs rely on the Internet, introducing reliability concerns. Hackers could also theoretically breach the account the OTP goes to, giving them access, albeit within a limited time.
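
The issue-and-expire behaviour described in this section, as an added example (not code from the article or from any vendor): a device-side passcode that is valid for a limited time, is invalidated on its first successful use, and tolerates only a few wrong guesses. The `OneTimePasscode` name, the six-digit length, the 120-second lifetime and the attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed lifetime; the article only says "limited time"
MAX_ATTEMPTS = 5        # assumed wrong-guess limit, not from the article


class OneTimePasscode:
    """Device-side store for a single pending one-time passcode."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock       # injectable so expiry can be tested
        self._pending = None      # (sha256 digest, expiry time, attempts left)

    def issue(self):
        """Create a fresh 6-digit code; the caller delivers it out of band."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        digest = hashlib.sha256(code.encode()).digest()
        # Issuing a new code replaces (and so invalidates) any earlier one.
        self._pending = (digest, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, candidate):
        """Return True exactly once, for the right code inside its lifetime."""
        if self._pending is None:
            return False
        digest, expires_at, attempts_left = self._pending
        if self._clock() >= expires_at or attempts_left <= 0:
            self._pending = None          # expired or out of guesses
            return False
        # Hash the guess so both inputs have equal length, then compare
        # in constant time.
        guess = hashlib.sha256(candidate.encode()).digest()
        if hmac.compare_digest(guess, digest):
            self._pending = None          # single use: burn on success
            return True
        self._pending = (digest, expires_at, attempts_left - 1)
        return False
```

The attempt limit matters because a six-digit code has only a million possible values; without it, the short lifetime alone would have to absorb every guess an attacker can submit.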

A passwordless IoT is a safer IoT

While no current solution is perfect, all three of these passwordless solutions offer security advantages over conventional credentials. Integrating support for such functionality, especially in Industrial IoT devices, may prove critical to the safety of this technology going forward. Additional research into this field may produce new, better alternatives.

© Copyright 2025 Electronic Specifier