FIDO device onboarding integrated into IoT identity access management - Embedded.com

With the Device Authority announcing its support for FIDO device onboarding in its IoT identity access management platform, we take a closer look at FDO.

Device Authority, a company providing identity and access management (IAM) for the internet of things (IoT), said it has integrated FIDO device onboarding (FDO) into its KeyScaler platform for device provisioning.

What is FDO?

FIDO Device Onboard (FDO) is an automated onboarding protocol for IoT devices. It uses asymmetric public-key cryptography to give industrial IoT operators a fast and secure way to onboard any device to any device management system. The scheme was developed by the IoT technical working group of the FIDO Alliance to address the process of installing secrets and configuration data into a device so that the device can connect and interact securely with an IoT platform.

Figure: Illustrating how FIDO Device Onboarding (FDO) works. (Source: FIDO Alliance)

FDO is invoked autonomously and performs only limited, specific interactions with its environment to complete. A distinctive feature of FDO is that the device owner can select the IoT platform at a late stage in the device life cycle. The secrets or configuration data may also be created or chosen at this late stage, a feature called “late binding”.

Various events may trigger device onboarding to take place, but the most common case is when a device is first unboxed and installed. The device connects to a prospective IoT platform over a communications medium, with the intent to establish mutual trust and enter an onboarding dialog.

Due to late binding, the device does not yet know the prospective IoT platform to which it must connect. For this reason, the IoT platform shares information about its network address with a “Rendezvous Server.” The device connects to one or more rendezvous servers until it determines how to connect to the prospective IoT platform. Then it connects to the IoT platform directly.

The device is configured with instructions (RendezvousInfo) to query rendezvous servers. These instructions can allow the device to query network-local rendezvous servers before internet-based rendezvous servers. In this way, the device’s determination of the IoT platform can take place on a closed network. FDO is designed so that the device initiates connections to the rendezvous server and to the prospective IoT platform, never the reverse; this is common industry practice for devices connected over the internet.

Figure: The major software functions within FDO. (Source: FIDO Alliance)
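The RendezvousInfo query loop described above, as an added example in Go. This is not the FDO specification's RendezvousInfo encoding and not code from the FIDO Alliance or Device Authority: the directive structure, the `Lookup` callback standing in for the network exchange with a rendezvous server, and the constructed sample hosts are all assumptions made for illustration. What it shows is the ordering rule (local-network servers are tried before internet ones), fallback past an unreachable server, and that the device only ever opens connections, never accepts them.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Added example modelling the RendezvousInfo query loop; not the FDO
// specification's encoding. The device walks its configured rendezvous
// directives, local-network entries first, and stops at the first server
// that returns an address for its prospective owner.

type RendezvousDirective struct {
	Host         string
	Port         int
	NetworkLocal bool // true: rendezvous server on the local (possibly closed) network
}

// Lookup stands in for the network exchange with one rendezvous server
// (an assumption of this example). It returns the owner's address, "" if the
// server has no entry for this device, or an error if it could not be reached.
type Lookup func(d RendezvousDirective, deviceGUID string) (string, error)

// ResolveOwner returns the first owner address any rendezvous server reports.
// Unreachable servers are skipped; the device connects only to an owner that a
// rendezvous server has pointed it to, and always as the initiating side.
func ResolveOwner(directives []RendezvousDirective, deviceGUID string, query Lookup) (string, error) {
	ordered := append([]RendezvousDirective(nil), directives...)
	// Stable sort: local entries first, configured order preserved within each group.
	sort.SliceStable(ordered, func(i, j int) bool {
		return ordered[i].NetworkLocal && !ordered[j].NetworkLocal
	})
	var lastErr error
	for _, d := range ordered {
		addr, err := query(d, deviceGUID)
		if err != nil {
			lastErr = err // unreachable: move on to the next directive
			continue
		}
		if addr != "" {
			return addr, nil
		}
	}
	if lastErr != nil {
		return "", fmt.Errorf("no rendezvous server resolved an owner for %s: %w", deviceGUID, lastErr)
	}
	return "", errors.New("no rendezvous server has an entry for " + deviceGUID)
}

// SampleLookup is a constructed stand-in for three rendezvous servers: a local
// server that is up but has no entry, a local server that is down, and an
// internet server that knows the owner. Hosts and addresses are made up.
func SampleLookup() Lookup {
	table := map[string]struct {
		up   bool
		addr string
	}{
		"rv.factory.local:8080":        {up: true, addr: ""},
		"rv-backup.factory.local:8080": {up: false},
		"rv.example.com:443":           {up: true, addr: "owner.example.com:443"},
	}
	return func(d RendezvousDirective, _ string) (string, error) {
		entry, known := table[fmt.Sprintf("%s:%d", d.Host, d.Port)]
		if !known || !entry.up {
			return "", errors.New("unreachable: " + d.Host)
		}
		return entry.addr, nil
	}
}

// SampleDirectives lists the internet server first on purpose, to show that the
// local-first ordering is applied by ResolveOwner rather than by configuration order.
func SampleDirectives() []RendezvousDirective {
	return []RendezvousDirective{
		{Host: "rv.example.com", Port: 443, NetworkLocal: false},
		{Host: "rv.factory.local", Port: 8080, NetworkLocal: true},
		{Host: "rv-backup.factory.local", Port: 8080, NetworkLocal: true},
	}
}

func main() {
	addr, err := ResolveOwner(SampleDirectives(), "example-device-guid-0001", SampleLookup())
	fmt.Println(addr, err)
}
```

With the sample table the device queries both local servers first (one empty, one down) and only then falls back to the internet server, which is the behaviour a closed-network deployment relies on: when a local rendezvous server does hold the entry, the owner is found without any internet traffic.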

Tracking transfers of ownership

FDO works by establishing the ownership of a device during manufacturing, then tracking the transfers of ownership of the device until it is finally provisioned and put into service. In this way, the device onboarding problem can be thought of as a device “transfer of ownership” or delegation problem.

In a common situation for FDO that uses the “untrusted installer” model, an initial set of credentials and configuration data is configured during manufacturing. Between when the device is manufactured and when it is first powered on and given access to the internet, the device may transfer ownership multiple times. A structured digital document, called an “Ownership Voucher”, is used to transfer digital ownership credentials from owner to owner without the need to power on the device.

Figure: The Ownership Voucher is a structured digital document that links the manufacturer with the owner. It is formed as a chain of signed public keys, each signature of a public key authorizing the possessor of the corresponding private key to take ownership of the device or pass ownership through another link in the chain. The signatures in the ownership voucher create a chain of trust from the manufacturer to the owner. (Source: FIDO Alliance)
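The chain-of-signed-keys structure described in the caption above, as an added example in Go. It is not the FDO specification's voucher format (FDO uses a CBOR/COSE encoding with its own header fields) and not code from the FIDO Alliance or Device Authority; the entry layout, the use of Ed25519, the signed payload of GUID plus next key, and the constructed device GUID are assumptions made for illustration. Each link carries the next owner's public key signed by the previous holder; verification starts from the manufacturer key the device stored at manufacturing time and, if every link checks out, ends with the public key of the owner the device should now trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Simplified model of an ownership voucher (added example, not the FDO
// specification's CBOR/COSE encoding). Each entry carries the public key of
// the next owner and a signature over (device GUID || that key) made with the
// previous holder's private key. Walking the chain from the manufacturer's key
// yields the key of the final owner.

type VoucherEntry struct {
	NextOwnerPub ed25519.PublicKey
	Signature    []byte // by the previous holder, over deviceGUID || NextOwnerPub
}

type OwnershipVoucher struct {
	DeviceGUID      []byte
	ManufacturerPub ed25519.PublicKey
	Entries         []VoucherEntry
}

// signedPayload binds each link to one device so a valid link cannot be
// transplanted into another device's voucher.
func signedPayload(guid []byte, pub ed25519.PublicKey) []byte {
	msg := make([]byte, 0, len(guid)+len(pub))
	msg = append(msg, guid...)
	return append(msg, pub...)
}

// Extend appends a transfer-of-ownership link signed by the current holder.
// The device is not involved and need not be powered on; only the voucher moves.
func (v *OwnershipVoucher) Extend(currentHolderPriv ed25519.PrivateKey, nextOwnerPub ed25519.PublicKey) {
	sig := ed25519.Sign(currentHolderPriv, signedPayload(v.DeviceGUID, nextOwnerPub))
	v.Entries = append(v.Entries, VoucherEntry{NextOwnerPub: nextOwnerPub, Signature: sig})
}

// Verify walks the chain, checking each link with the previous link's public
// key, and returns the final owner's public key. trustedManufacturer is the key
// the device was configured with at manufacturing time; verification fails
// closed on the first link that does not check out.
func (v *OwnershipVoucher) Verify(trustedManufacturer ed25519.PublicKey) (ed25519.PublicKey, error) {
	if !v.ManufacturerPub.Equal(trustedManufacturer) {
		return nil, errors.New("voucher is not rooted in the manufacturer key the device trusts")
	}
	current := trustedManufacturer
	for i, e := range v.Entries {
		if !ed25519.Verify(current, signedPayload(v.DeviceGUID, e.NextOwnerPub), e.Signature) {
			return nil, fmt.Errorf("entry %d: signature does not verify under the previous owner's key", i)
		}
		current = e.NextOwnerPub
	}
	return current, nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildDemoVoucher constructs a voucher passing manufacturer -> distributor -> final owner.
// The GUID is a constructed sample value.
func BuildDemoVoucher() (*OwnershipVoucher, ed25519.PublicKey, ed25519.PublicKey) {
	guid := []byte("example-device-guid-0001")
	mfrPub, mfrPriv := mustKey()
	distPub, distPriv := mustKey()
	ownerPub, _ := mustKey()
	v := &OwnershipVoucher{DeviceGUID: guid, ManufacturerPub: mfrPub}
	v.Extend(mfrPriv, distPub)  // manufacturer hands the device to the distributor
	v.Extend(distPriv, ownerPub) // distributor hands it to the final owner
	return v, mfrPub, ownerPub
}

func main() {
	v, mfrPub, ownerPub := BuildDemoVoucher()
	got, err := v.Verify(mfrPub)
	fmt.Println("valid chain verifies to final owner:", err == nil && got.Equal(ownerPub))
	// A substituted key in the last link has no valid signature from the
	// distributor, so the device refuses the voucher.
	rogue, _ := mustKey()
	v.Entries[len(v.Entries)-1].NextOwnerPub = rogue
	_, err = v.Verify(mfrPub)
	fmt.Println("substituted key rejected:", err != nil)
}
```

Two properties matter for a defender reading this: the device needs only one trusted key (the manufacturer's) to validate any number of ownership transfers, and each link is bound to the device GUID, so a link signed for one device gives no authority over another. The checks in `main` and in the test exercise both failure modes, a voucher rooted in the wrong manufacturer key and a link whose key was replaced after signing.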

Once a device is under management, the FDO credentials are updated to allow for future use in repurposing the device. FDO then enters a dormant state and the device enters normal IoT operations. Subsequent incremental updates of the device may be performed by the manager, outside of FDO. However, if the device is to be sold or re-provisioned, the manager may choose to clear the device of all local credentials and data and re-enable FDO.

Device Authority integrates FDO into KeyScaler platform

Device Authority said its KeyScaler platform, an identity access management (IAM) solution for IoT security lifecycle management, now has support for the FDO standard within its platform. This allows devices to securely enroll themselves and be provisioned with the security assets required. The company said current and future customers will be able to leverage FDO in their IoT projects when deploying KeyScaler. FDO delivers maximum value for industrial and enterprise devices such as gateways, servers, sensors, actuators, control systems, and medical devices. It enables multi-ecosystem applications and services as it is not tied to a specific cloud/platform framework.

Integrating FIDO FDO with KeyScaler for secure device onboarding brings a standardized approach to the first phase in a device’s lifecycle. There are several phases beyond the initial onboarding where KeyScaler can also bring significant additional benefit for IoT use cases: credential management (renewal and revocation), end-to-end data encryption, secure update management, edge-based security operations (for local private networks), HSM access control and IoT SBOM compliance (Biden’s Executive Order).

Darron Antill, CEO of Device Authority, said, “It’s been an exciting time to engage with the FIDO working group as they adopted the previous Intel SDO program and are now driving this as a standard, FIDO FDO, into the market. Our team has worked closely with FIDO and the contributing ecosystem partners, and we are delighted to be one of the first IoT security companies to add this FDO standard to our KeyScaler platform.”

Giri Mandyam of Qualcomm Inc. and co-chair of the FIDO IoT working group, added, “Device Authority’s KeyScaler technology forms the basis for a complete and secure device management system. It combines IAM with support for the FDO secure onboarding solution, thereby providing end users with a basis for establishing trust in IoT products throughout their lifetime.”
