On our most recent IoT Podcast, we took an interesting question from Brent on our IoT voicemail hotline. Brent is wondering how to balance security and convenience when it comes to the smart devices in our home. He wonders if there’s an approach that device makers should be using to help us with this challenge.
There are a few threat vectors here: our device data and credentials in the cloud, as well as how we set up our devices and our networks. The recent Ring “hacks,” for example, happened because the credentials of Ring device users were stolen. That gave nefarious individuals the opportunity to spy on certain homes that use Ring’s gear. So in this instance, the situation is no different than having your credentials compromised for any other device or online service.
However, this is precisely why we’ve called for smart device makers to incorporate an additional security layer: two-factor authentication, or 2FA. This approach combines something you know, such as account credentials, with something you have, which could be a short-term code generated by an authentication app, a hardware key or some other unique item.
That beefs up security but, of course, it comes at the price of convenience. And balancing the two is a personal choice. I choose, for example, to enable 2FA on every device, app, and service that supports it. I can’t log into my Chromebook without inserting a USB security key into it after I sign in. Nor can I sign in to a service using my Google credentials without entering a second bit of information from the Google Authenticator app. That’s a choice that I’ve made because I prefer the extra security over the added inconvenience.
Not everyone wants to make that choice, of course. However, our thought is that for specific IoT devices where security and privacy are of the utmost importance, device makers should require 2FA or some similar solution. A light bulb probably shouldn’t need this, but devices with cameras and microphones in the home? Absolutely they should, because it doesn’t get more personal than what those devices can capture.
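The policy argued for above, combined with the short-term authenticator-app codes described earlier, as an added example that is not code from the podcast or from any device maker. The capability names, function names and opt-in flag are assumptions made for illustration; the code generator follows RFC 6238, the scheme authenticator apps use.

```python
import hashlib
import hmac
import struct
import time

# Constructed policy for illustration: capabilities that make 2FA mandatory.
SENSITIVE_CAPABILITIES = {"camera", "microphone"}


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code (HMAC-SHA1), as shown by an authenticator app."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float, drift_steps: int = 1, step: int = 30) -> bool:
    """Accept the current code and its neighbours to tolerate clock drift."""
    ok = False
    for n in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, at + n * step, step)
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(candidate.encode(), code.encode())
    return ok


def requires_second_factor(capabilities, user_opted_in: bool) -> bool:
    """Mandatory for cameras and microphones; the user's choice elsewhere."""
    return user_opted_in or bool(SENSITIVE_CAPABILITIES & set(capabilities))


def authorize(password_ok, capabilities, user_opted_in, secret, code, at=None) -> bool:
    """Password alone is enough only when the policy asks for no second factor."""
    if not password_ok:
        return False
    if not requires_second_factor(capabilities, user_opted_in):
        return True
    if not code:
        return False  # stolen credentials without the second factor stop here
    return verify_totp(secret, code, time.time() if at is None else at)
```

With this policy, a correct password on its own still unlocks the light bulb but not the camera, which is the case the stolen-credential incidents above depend on.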
We’re not the only ones who think this. A new law goes into effect starting January 1 in California requiring device makers to implement “reasonable” security features based on what the device is and what data it can collect.
Ideally, since most handsets support some sort of biometric security such as face unlock or fingerprint sensors, these could be used as a reasonably convenient and still secure 2FA method in the future.
To hear Brent’s question in full, as well as our discussion on the topic, tune in to the IoT Podcast below: