The document discusses using FIDO authenticators for IoT devices. It presents eWBM's biometric external FIDO authenticator and its security features. Potential applications of FIDO authentication for IoT are then described, including for device authentication over LoRa networks, drone control, and public WiFi access. The use of a BLE FIDO authenticator for personalized smart speaker services is also proposed. The conclusion recommends slimming down the FIDO client for embedded systems and achieving at least Security Level 2 certification for IoT authenticators.
All Rights Reserved | FIDO Alliance | Copyright 2018
Using Fido Authenticator
for IoT devices
Stephen Oh
eWBM
AGENDA
1. eWBM’s Authenticator
2. Fido and IoT Application
3. Conclusion
eWBM’s Biometric External FIDO Authenticator
eWBM’s Fido Authenticators
FIDO USB Authenticator Model 1
eWBM’s device (Model 1):
- USB for PC
- Protection sleeve
- Snooping resistance
- Fingerprint sensor
- Aluminum body for device integrity (metal preferable for finger-pushing applications)
- [Inside] Secure chip for maximum security (both fingerprint recognition and the Fido protocol happen inside the chip)
- All biometric data stored inside the chip encrypted – no one can access the stored information
FIDO USB Authenticator Model 2
eWBM’s device (Model 2):
- USB for PC
- Snooping resistance
- Fingerprint sensor
- [Inside] Secure chip for maximum security (both fingerprint recognition and the Fido protocol happen inside the chip)
- All biometric data stored inside the chip encrypted – no one can access the stored information
- Certifications: FCC, CE, KC
Inside eWBM’s Fido2 Authenticator
[Diagram: USB Type A connector – USB chip MS500 – SPI links – fingerprint sensor]
The MS500 chip provides:
1. All crypto functions
2. Fido protocol
3. Fingerprint recognition algorithm
4. Fingerprint templates stored encrypted
5. All crypto keys stored encrypted
6. Each device has its own unique key set
7. Secure booting
Fido Authentication and IoT Application
Fido Security Level (L2) & IoT
• Why L2 for typical consumer usage?
  • Security Level 2 definition: “Authenticator Certification Level 2 (L2) evaluates FIDO Authenticator protection against basic, scalable attacks.” (fidoalliance.org)
  → An L2 authenticator is the minimum requirement against potential basic attacks (L1 is mostly a SW implementation).
• IoT security concern
  • The IoT lifecycle (~10 years) is much longer than the development period.
  • The chance of a vulnerability is high for an IoT device → a protection mechanism against attacks is mandatory.
  • Any Fido authenticator for IoT applications is recommended to achieve L2 security level.
eWBM’s Fido Authenticator is backed by one of the most secure MCUs in the industry, MS500.
What is LoRa?
LoRa (Long Range) is a digital wireless data communication technology for Low power Wide Area
network (LPWA). LoRa uses license-free sub-gigahertz radio frequency bands like 169 MHz,
433 MHz, 868 MHz (Europe) and 915 MHz (North America). LoRa enables very-long-range
transmissions (more than 10 km in rural areas) with low power consumption. (Wikipedia)
- Data rate < 10 kbps
- Battery life > 10 years
- Security features:
  - AES-128
  - Three (3) keys: NwkSKey, AppSKey, AppKey
  - NwkSKey for device authentication (PSK)
LoRa Field Test
[Photos: LoRa module EVB + external antenna; rural mountain, 7 km range; inside a building]
What is LoRa?
We need stronger device authentication for LoRa applications.
TLS is too complex for LoRa applications (LoRa’s packet size is small and its data rate slow).
LoRa device Authentication via Fido?
- Instead of using the PSK (pre-shared key) NwkSKey for device authentication, use Fido Authentication.
[Diagram: Authenticator ⟷ Cloud (RP), Fido Authentication over LoRa: challenge → authenticator; (signed) response → RP]
- No shared key
- No user verification required (“silent” authentication)
- No cumbersome key provisioning
- May need to slim down the Fido protocol
- Attestation key + metadata insertion shall be done at the manufacturing site
Fido IoT Authentication needs:
- Reduce the amount of data exchanged
- Remove the Client (Platform) layer or collapse it into the authenticator for IoT applications
- Stronger device security features
Fido Authentication for IoT Access Control
Fido over LoRa Network (example)
[Diagram flow]
1. User requests unlock.
2. User verification on the biometric Fido Authenticator (proof of presence).
3. Fido Authentication with the Cloud (RP); user authentication done.
4. RP grants the user’s request.
5. Unlock approval after user authentication is sent over the LoRa network to the remote LoRa-based lock system.
- Need to develop a smaller ASM or Client for embedded systems
Fido for Drone Controller (example)
[Diagram flow]
1. User verification on the biometric Fido Authenticator (proof of presence).
2. Fido Authentication with the Cloud (RP).
3. Usage approval: after successful Fido Authentication, the device is ready to use.
- Need to develop a smaller ASM or Client for embedded systems
Public Wifi Access Control (example)
[Diagram flow]
1. User verification on the biometric Fido Authenticator (proof of presence).
2. Fido Authentication with the Cloud (RP).
3. User approval: after successful Fido Authentication, the Wifi AP will allow the user data access.
Personal BLE Fido device for Voice Assistant Platform
Smart Speaker needs more than just voice command
https://www.americanbanker.com/news/is-amazons-alexa-ready-for-p2p-payments
Public vs Personalized wake-up words
- Public wake-up word (from Star Trek IV: The Voyage Home (1986))
- Wake-up word with user authentication (from Star Trek: The Next Generation)
Smart Speaker Platform over multiple devices
[Diagram: BLE Fido Authenticator for personalized service, connected to the platform devices via CTAP2]
Why a BLE Fido Authenticator for a Smart Speaker System?
- Use only one voice service with multiple machines (phone, speaker, laptop, etc.)
- A team uses one smart speaker while each member receives tailor-made service.
BLE Authenticator Demo
Conclusion
• Presented three (3) Fido Authentication based IoT Applications
• Silent Fido Authentication
• Fido Authentication for IoT Access Control
• BLE Fido Authenticator for Smart Speaker Application
• Need to work on a slimmed-down ASM (or Client) implementation for embedded environments
• For IoT applications, we strongly believe that a Fido Authenticator shall achieve Security Level 2 (L2) or higher certification to protect against attacks over a long period of time.