Tag Archives: authentication

FTC IoT guideline describes complexity, nuance of IoT

FTC IoT development guidelines http://1.usa.gov/1LeGOpX

The Federal Trade Commission (FTC) has issued a guideline to companies developing Internet of Things (IoT) products and services. The guideline addresses security, privacy, encryption, authentication, permission control, testing, default settings, patch/software update planning, customer communication and education, and others.

IoT irony

The irony is that the comprehensiveness of the document, the things to plan for and look out for when developing IoT devices and systems, is the same thing that makes me think that the preponderance of device manufacturers will never do most of the things suggested, at least not in the near term. Big companies with an established brand (e.g. Microsoft, Cisco, Intel and others) will have the motivation (and capacity) to follow most of these recommendations. However, the bulk of the companies, and likely the bulk of the total IoT device/system marketplace entries, will come from the long tail of companies and businesses.

These are the smaller companies and startups that are just trying to get into the game. They won’t have an established brand across a large consumer base. This can also be read as ‘they don’t have as much to lose’. Their risk and resource allocation picture does not include an established brand that needs to be protected. They don’t have a brand yet. Most of these startups and small companies will view their better play to be:

  • throw our cool idea out there
  • get something on the market
  • if we get a toehold & start to establish some brand, then we’ll start to worry about being more comprehensive with the FTC suggestions


Again, to be clear, I am appreciative of the FTC guideline for manufacturers and developers of Internet of Things devices. It’s a needed document and is thoughtful, well-written, and thorough. However, the same document can’t help but illustrate all of the variables and complexities of networked computing regarding privacy and security concerns — the same privacy and security concerns that most companies will have insufficient resources and motivation to address.

We’re in for a change. It’s way more complicated than just ‘bad or good’. Where we help protect and manage risk for our organizations, we’re going to have to change how we approach things in our risk management and security efforts. No one else is going to do it for us.

Password usage seems to follow Zipf distribution

Like word frequencies and company sizes, the frequency with which particular passwords are used seems to follow a Zipf distribution, or more generally a power law. That is, a lot of people pick from a small common pool of passwords, and the number of people using any particular password drops off quickly once you step away from that common pool.

Mark Burnett’s research shows that, of a list of 10,000 ranked passwords:

  • 91% of users have a password from the top 1000 passwords
  • 79% of users have a password from the top 500 passwords
  • 40% of users have a password from the top 100 passwords

BTW, almost 5% of all users have the password, ‘password’.

List of top passwords here.  Heads up — there’s some colorful language in play here for popular passwords.
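To show the kind of analysis behind figures like Burnett’s, here is an added example (written for this page, not Burnett’s code or data). It takes a list of passwords as a credential dump would supply them, one entry per user, ranks them by frequency, reports what share of users the top-k entries cover, and fits the slope of log(count) against log(rank) as a rough Zipf check. The sample dump is constructed, with counts chosen by hand to fall off roughly as 1/rank followed by a tail of passwords used once; the percentages it prints describe only that sample.

```python
"""Rank-frequency analysis of a password set: how concentrated are users'
choices, and how close is the drop-off to a Zipf (power) law?
Added example, not Burnett's code or data."""
from collections import Counter
import math

# Constructed sample dump: one entry per user, counts chosen by hand to fall
# off roughly as 1/rank, followed by a tail of passwords seen once each.
_COUNTS = [
    ("password", 48), ("123456", 24), ("12345678", 16), ("qwerty", 12),
    ("abc123", 10), ("monkey", 8), ("letmein", 7), ("dragon", 6),
    ("111111", 5), ("baseball", 5),
] + [(p, 1) for p in ("iloveyou", "trustno1", "sunshine", "master",
                       "welcome", "shadow", "ashley", "football", "jesus")]
SAMPLE_PASSWORDS = [p for p, n in _COUNTS for _ in range(n)]  # 150 "users"


def rank_passwords(passwords):
    """[(password, count)] in descending order of use; ties broken alphabetically."""
    return sorted(Counter(passwords).items(), key=lambda kv: (-kv[1], kv[0]))


def coverage(ranked, k):
    """Fraction of users whose password is one of the top-k entries.

    This is the operational number for an online guessing attack: an attacker
    allowed k guesses per account before lockout can expect to open this
    share of accounts, and a banned-password list of the top k removes it."""
    total = sum(n for _, n in ranked)
    return sum(n for _, n in ranked[:k]) / total


def zipf_exponent(ranked):
    """Least-squares slope of log(count) on log(rank).

    An ideal Zipf law gives a slope of about -1; a steeper (more negative)
    slope means usage falls off faster past the common pool."""
    xs = [math.log(r) for r in range(1, len(ranked) + 1)]
    ys = [math.log(n) for _, n in ranked]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


if __name__ == "__main__":
    ranked = rank_passwords(SAMPLE_PASSWORDS)
    for k in (1, 5, 10):
        print(f"top {k:2}: {coverage(ranked, k):.1%} of users")
    print(f"log-log slope: {zipf_exponent(ranked):.2f}")
```

Run against a real dump the coverage numbers are the ones to act on: the head of the distribution is what an online attacker sprays and what a banned-password list should contain, while the slope only tells you how quickly the benefit of lengthening that list runs out.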

Risk-based authentication as alternative to chronically problematic password paradigm

Authentication, the process of proving to an online system that you are who you say you are, has primarily been driven by user IDs (logins or user names) and an accompanying password.  In theory, the password is secret, known only to the user associated with it, and thereby able to authenticate or provide proof of identity.  The problem is that there are a plethora of flaws in that theory.  Some of these include:

  • the password is not secret because the user shared it with someone else
  • the password is not secret because the user wrote it down on a yellow sticky note and stuck it to their monitor at work or school
  • the password is guessable and could be figured out if there were readily available, free password cracking tools online
  • there are a million readily available, free password cracking tools online
  • a password stolen from one site is used on another site, because users reuse the same password across many accounts and sites (it is very hard to remember different complex passwords for many different accounts and sites)
  • and on and on

An alternative is a newer approach that computes a risk score that is associated with login attempts (the authentication process).  A usage profile is developed based on several factors:

  • user ID
  • user device
  • geographic location
  • target system (what they’re trying to log onto)
  • time of day they typically log in
  • their IP address
  • typing speed

A user who tends to log into their company’s database on weekdays at a particular time of day from a particular workstation will generate a baseline profile.  An attempt to log in to that database on a Sunday morning from a mobile device will generate a disparity.  That signals the need for additional proof of identity (maybe a phone call or a PIN) or perhaps blocks the login entirely.
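The scoring the paragraph describes, as an added example (written for this page; it is not code from the vendor the post links to, and the factor weights and thresholds are assumptions chosen for illustration). A baseline profile is built from a user’s past successful logins across the factors listed above; a new attempt is then scored by which factors it deviates from, and the score maps to allow, step-up or deny. The login history and the three attempts are constructed.

```python
"""Risk-based login scoring: build a baseline from past successful logins,
then score a new attempt by the factors it deviates from.
Added example; weights and thresholds are illustrative assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev
import ipaddress


@dataclass(frozen=True)
class Login:
    user_id: str
    device: str        # device fingerprint or hostname
    location: str      # coarse geolocation, e.g. "Austin, US"
    ip: str
    target: str        # system the user is logging on to
    weekday: int       # 0 = Monday ... 6 = Sunday
    hour: int          # local hour of day, 0-23
    typing_cpm: float  # password-entry typing speed, characters per minute


@dataclass
class Profile:
    user_id: str
    devices: set
    locations: set
    ip_prefixes: set
    targets: set
    weekdays: set
    hours: set
    cpm_mean: float
    cpm_tolerance: float


# Assumed weights: a new device or location says more than an odd hour.
WEIGHTS = {"device": 30, "location": 25, "ip": 15, "target": 15, "time": 10, "typing": 10}
STEP_UP_THRESHOLD = 20  # at or above: demand a second factor
DENY_THRESHOLD = 60     # at or above: refuse the login outright


def ip_prefix(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so DHCP churn
    inside the office network does not look like a new source."""
    bits = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def build_profile(history: list[Login]) -> Profile:
    """Summarise one user's past successful logins into a baseline."""
    user_ids = {h.user_id for h in history}
    if len(user_ids) != 1:
        raise ValueError("history must belong to exactly one user")
    cpms = [h.typing_cpm for h in history]
    cpm_mean = mean(cpms)
    # Tolerate two standard deviations, but never less than 15% of the mean,
    # so a very consistent typist is not flagged by ordinary jitter.
    tolerance = max(2 * pstdev(cpms), 0.15 * cpm_mean)
    return Profile(user_id=user_ids.pop(),
                   devices={h.device for h in history},
                   locations={h.location for h in history},
                   ip_prefixes={ip_prefix(h.ip) for h in history},
                   targets={h.target for h in history},
                   weekdays={h.weekday for h in history},
                   hours={h.hour for h in history},
                   cpm_mean=cpm_mean, cpm_tolerance=tolerance)


def score_attempt(profile: Profile, attempt: Login) -> tuple[int, list[str]]:
    """Return (risk score, names of the factors that deviated)."""
    reasons = []
    if attempt.device not in profile.devices:
        reasons.append("device")
    if attempt.location not in profile.locations:
        reasons.append("location")
    if ip_prefix(attempt.ip) not in profile.ip_prefixes:
        reasons.append("ip")
    if attempt.target not in profile.targets:
        reasons.append("target")
    # Time is unusual if the weekday is new or the hour is more than one
    # hour away from every hour seen before.
    usual_hour = any(abs(attempt.hour - h) <= 1 for h in profile.hours)
    if attempt.weekday not in profile.weekdays or not usual_hour:
        reasons.append("time")
    if abs(attempt.typing_cpm - profile.cpm_mean) > profile.cpm_tolerance:
        reasons.append("typing")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    if score >= DENY_THRESHOLD:
        return "deny"
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"


# Constructed history: alice logs on to the ERP database on weekday mornings
# from her workstation inside 10.20.30.0/24.
HISTORY = [
    Login("alice", "WS-ALICE-01", "Austin, US", "10.20.30.17", "erp-db", 0, 8, 210.0),
    Login("alice", "WS-ALICE-01", "Austin, US", "10.20.30.17", "erp-db", 1, 9, 230.0),
    Login("alice", "WS-ALICE-01", "Austin, US", "10.20.30.42", "erp-db", 2, 9, 220.0),
    Login("alice", "WS-ALICE-01", "Austin, US", "10.20.30.17", "erp-db", 3, 8, 240.0),
    Login("alice", "WS-ALICE-01", "Austin, US", "10.20.30.17", "erp-db", 4, 9, 225.0),
]
PROFILE = build_profile(HISTORY)
NORMAL = Login("alice", "WS-ALICE-01", "Austin, US", "10.20.30.88", "erp-db", 1, 9, 228.0)
ODD_HOUR = Login("alice", "WS-ALICE-01", "Austin, US", "10.20.30.17", "hr-portal", 2, 23, 224.0)
SUNDAY_MOBILE = Login("alice", "iphone-unknown", "Kyiv, UA", "198.51.100.23", "erp-db", 6, 7, 95.0)

if __name__ == "__main__":
    for name, attempt in (("normal", NORMAL), ("odd hour", ODD_HOUR), ("sunday mobile", SUNDAY_MOBILE)):
        score, why = score_attempt(PROFILE, attempt)
        print(f"{name:14} score={score:3} -> {decide(score):8} {why}")
```

Two caveats a deployment needs that the toy does not show: the profile must be built only from logins that were themselves verified (otherwise an attacker who gets in once teaches the system their device and location), and the signals are of unequal strength, since IP, location and a device fingerprint can all be mimicked by someone who already holds the password, so a risk score is a trigger for a real second factor rather than a substitute for one.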

It seems some time in use and data to analyze effectiveness are called for, but if that looks good, this is pretty cool.  More here.  Even Bruce Schneier likes it!