Identity and Access Management for Smart Home Devices

Current Status

Seeking Feedback on Concept Paper

Please download the Identity and Access Management for Smart Home Devices Concept Paper. Comments will be reviewed on an ongoing basis. Our hope is that stakeholders will help identify models, methodologies, protocols, best practices, or standards from other industries that may be relevant to securing smart home technology.

You can submit comments through our website.

Summary

The Internet of Things (IoT) refers to the ability of everyday objects (things) to connect to the internet and to send and receive data. This includes cameras, home automation systems, and industrial control systems. It is estimated that there are already 6.4 billion connected devices, and by 2020, there will be 20 billion. Industry experts agree that in spite of this projected growth, IoT technology is immature and lacks adequate security safeguards.

The NCCoE is seeking comments from industry on the challenges of identification, authentication, and authorization for devices in the IoT space; specifically requirements for authentication and authorization of autonomous non-person entities (NPE) found in smart home devices. Areas of interest include the following:

  • models for the lifecycle of IoT and/or smart home devices
  • threat vectors and attack surfaces of smart home devices throughout their lifecycle
  • using commercially available technology, methods for the identification, authentication, and authorization of smart home devices including:
    • core requirements in addressing these three capabilities
    • implementation challenges
    • potential security weaknesses or gaps
    • mechanisms for NPE-to-NPE, NPE-to-Network, and NPE-to-Cloud authentication
    • mechanisms for binding device, APIs, and user identity with applicable authentication contexts
    • privacy risks to individuals raised by improving smart home device identification and authentication
    • mechanisms that enable improved identification and authentication of smart home devices while maintaining individuals’ privacy
  • models for handling encryption on constrained devices
  • business cases for the identification, authentication, and authorization of smart home devices for which the NCCoE could build a demonstrable solution

Based upon community feedback on these topics, the NCCoE will consider instantiating a project to engage in building an example solution using commercially available technology. 

Join Our Community of Interest

Interested in joining the Identity and Access Management for Smart Home Devices Community of Interest? Contact us!

A Community of Interest is a group of professionals and technical advisors convened to support the cybersecurity resiliency of the U.S. economy. Read More.

News and Events