A number of high-profile DDoS attacks last year highlighted the importance of ensuring robust security for IoT devices, and according to one industry expert, two-factor authentication may be the best way to secure them.

Marc Boroditsky is the vice president and general manager of Authy, a Twilio service. Authy provides businesses and individuals with numerous methods of integrating two-factor authentication (2FA), including one-time codes via SMS, soft tokens via a smartphone app, or yes/no authentication questions via push notification.

“I think it’s going to be the inevitable security solution for IoT devices, simply due to the fact that IoT devices by and large have little or no user experience and capability,” he told IoT Hub.

“Some devices may be enhanced via a mobile app, but more importantly, all of them have the characteristic of being networked, and typically need to be protected because they sit on oftentimes open Wi-Fi networks, or become the point of access on open Wi-Fi networks.

“So providing some degree of restriction and control to the device itself and the broader network is a base requirement.”

Boroditsky added that companies have no choice but to move beyond their use of static passwords to enable connectivity, especially given that this was what was exploited during the Mirai botnet.

“Today, 2FA can take a number of different forms, and offers something that’s dynamic, can be channel-independent, and can be controlled by a myriad of control points.”

How can you implement it?

For the various IoT devices available on the market, some have a user interface via a smartphone app, for example, while others do not.

Boroditsky explained how 2FA could be deployed in each of these scenarios.

“You could expose to the end user an authentication interface that provides a code that could then be entered into the device’s user interface,” he said.

“Or, you could present a UI that an event is taking place requiring authentication or authorisation, and that UI could stand on its own, providing the means for approval or denial.”

Boroditsky sees a number of IoT scenarios where 2FA has to be considered a necessity.

“Any situation where the connected devices are sitting on the network and could potentially afford some kind of access to a broader network, or situations where access to a device for administrative or patching purposes is required would be where 2FA would be a necessity,” he said.

“Also, any situation where access to the device could enable physical access, such as smart locks, would be ideal for 2FA.

“Finally, any other types of systems that are providing some kind of service to the end user where, if exploited, could cause some kind of harm or danger to the end user, such as access to on-board systems on a car, or to digital health devices, should also be places where you have 2FA.”

The challenge of global adoption

While this ideal of enabling 2FA for each and every IoT device is a noble one, the unfortunate reality is that the manufacturers of these IoT products reside in different countries where security requirements differ.

For Boroditsky, there’s no easy answer to this burning question.

“It’s probably one of the most significant challenges for traditional vendors that are either regionally focused or expecting that when adopted, the customers adopting their products will take care of any region-specific requirements,” he explained.

“Most IoT manufacturers don’t typically have the required level global services experience, and if we look at some of the recent problems that they’ve experienced when they’ve bundled in componentry that had out-of-date security controls, they looked right past what the possible implications were in the devices they were building.”

“That being said, [Authy] have built a globally delivered capability, where we provide authentication services across 205 countries worldwide, and producing millions of authentication events per day.

“For us, we were built to be global, we were built to be ready for a global purpose. Whether or not any of our customers has the need, we have the capability to support our customers wherever they are.”