September 13, 2019 | Written by: shane.weeden
Categorized: Cloud Identity | FIDO2 | General Technical
In our work at IBM building FIDO2 services for both on-premise (IBM Security Access Manager) and cloud (IBM Cloud Identity) offerings, we have been looking at scenarios for using FIDO2 authentication technology beyond the mainstream use case of browser-based authentication with WebAuthn. One scenario we decided to experiment with is FIDO2 for IoT devices – allowing standalone internet-capable devices to securely report on their operations when a human is not present.
With this goal in mind we set about putting together a prototype system including construction of a device that could initially be registered against a user’s account, and which would then perform authenticated transactions – i.e. send signed messages that provide non-repudiation that the message came from the same device that was registered to the user (subject to some assumptions about the real future construction of such a device … more on that later). So was born the hobby project – a Raspberry Pi based camera that utilises FIDO2 authentication technology to sign image files sent to a server. This article is a story about this project, providing a discussion of the technology used along the way and some future considerations for other real applications of FIDO2 authentication. I’d like to thank my colleague Lachlan Gleeson for his efforts to help bring this hobby project to life.
There is an assumption of basic knowledge about FIDO2 as you read this article – it is not a FIDO2-for-beginners article. There are plenty of other online resources to get you up and running with a technical overview of FIDO2 authentication. What we want to do here is explore “applied” FIDO2, to a context in which there are not currently widespread applications.
Note: The choice of a “camera” IoT device for this project was purely arbitrary and just a representative example – this pattern could apply to any IoT device that has important information to convey to a server and wants to do so in a manner that limits an attacker’s ability to spoof the device (i.e. submit transactions that appear to have come from the device but have actually come from the attacker). In the case of our IoT device the “information” is a picture file, but for other IoT devices it could be sensitive monitoring data or anything else for which strong integrity requirements exist.
Let’s take a look at the overall system architecture for our project:
As you can see there are several major components of the system. In the following sections we will dive into what these components are, the interfaces between them, and some interesting technologies we used to put the system together.
The IoT Service Application
A view of the web application Emily may use to register devices and view transactions:
IBM Cloud Identity Services
The IoT Camera
A custom mounting board was 3D-printed by Lachlan to secure the Pi and camera.
The mounting board was secured into a case, with cutouts for the power cable (a battery and switch is next on the list), shutter button, Solokey Hacker FIDO2 USB authenticator and a hole for the camera lens.
Assembled – the camera lens is visible, and the Solokey Hacker FIDO2 authenticator is plugged in on the left. Certainly not pretty, but will do the job!
Software on the Pi
Yubico FIDO2 libraries and tools
Device lifecycle management
Alternatives to FIDO2 and FIDO2 variants