Paul Madsen, Ping Identity
Discussing a security and identity model for things that do not make the existing password problem orders of magnitude worse (perhaps using identity protocols like OAuth & OpenID Connect), and how our things might facilitate our own interactions with applications.
5. What does it mean for a thing to have an identity?
• Things will have attributes that distinguish them from other things
• Things will have means to prove to other things that they a) belong to a class of things or b) are a particular thing
• Things will have means to verify that other things a) belong to a class of things or b) are a particular thing
• Things will be provisioned with certain attributes at origin but over time may add additional attributes
• Things have a finite lifetime, at the end of which some portions of their identity may need to be cancelled
• In their 50s, things will have an identity crisis – divorce their spouse, join a gym and buy a sports car.
11. How do we give users meaningful control over their things and their ability to operate on their behalf?
1. Initial authorization
2. Ongoing visibility
3. Eventual revocation
15. Tsk tsk!
• Client must store passwords
• Teaches users to be indiscriminate with their passwords
• More difficult to move to multi-factor and federated authentication
• Doesn’t support granular permissions, e.g. X can read but not write
• Doesn’t support knowledge/differentiation of the access granted
• Doesn’t support (easy) revocation – to be sure of turning off access users must change password
21. Binding OAuth to MQTT
• Paul Fremantle has been exploring using OAuth access tokens on MQTT messages as alternative to passwords (as MQTT spec now supports)
• An Arduino obtains an OAuth token from an authorization server and then uses on Connect message
• http://www.slideshare.net/pizak/securing-the-internet-of-things
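Added example, not from the slides or from Fremantle's work: a broker-side hook that treats the MQTT CONNECT password field as an OAuth access token and then enforces read/write scope per topic, which is how the token approach addresses the "Tsk tsk!" list (granular permissions, visibility of what was granted, revocation without a password change). The authorization server is a constructed in-memory stand-in for a token-introspection endpoint; all token values, scope names and device ids are made up.

```python
import time

# Constructed stand-in for the authorization server's introspection data:
# token -> record (active flag, expiry, space-separated scopes, subject/device id).
INTROSPECTION_DB = {
    "tok-arduino-42": {"active": True, "exp": time.time() + 3600,
                       "scope": "mqtt:read:sensors/# mqtt:write:sensors/arduino-42",
                       "sub": "arduino-42"},
    "tok-expired": {"active": True, "exp": time.time() - 1,
                    "scope": "mqtt:read:#", "sub": "old-device"},
}

def introspect(token):
    """Stand-in for a POST to the introspection endpoint: inactive unless valid and unexpired."""
    rec = INTROSPECTION_DB.get(token)
    if rec is None or not rec["active"] or rec["exp"] < time.time():
        return {"active": False}
    return dict(rec)

def revoke(token):
    """Stand-in for the revocation endpoint: the device is cut off without any password change."""
    if token in INTROSPECTION_DB:
        INTROSPECTION_DB[token]["active"] = False

def topic_matches(pattern, topic):
    """MQTT topic-filter matching: '+' matches one level, '#' matches the remainder."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return True
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)

def on_connect(username, password):
    """CONNECT hook: the password field carries the bearer token.
    Returns the granted scope list, or None to refuse the connection."""
    info = introspect(password)
    if not info["active"] or info["sub"] != username:
        return None
    return info["scope"].split()

def authorize(scopes, action, topic):
    """PUBLISH/SUBSCRIBE hook: action is 'write' or 'read'; a scope is mqtt:<action>:<filter>."""
    for s in scopes:
        kind, op, pattern = s.split(":", 2)
        if kind == "mqtt" and op == action and topic_matches(pattern, topic):
            return True
    return False
```

The scope list returned by `on_connect` is exactly what a user-facing dashboard can show for "ongoing visibility", and `revoke` is the "eventual revocation" step.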