The federal government wants consumers to abandon passwords, even for smart home appliances that collect large amounts of personal data.
As part of a new pilot, the National Institute for Standards and Technology awarded a $1.86 million grant to a tech company claiming it can devise a security system that protects individuals' data in the "Internet of Things," but also saves consumers from "password fatigue" (having to manage several increasingly complex codes to access their own systems).
Tozny, a subsidiary of tech company Galois, aims to test one system that encrypts user data generated by the "smart home," and another that would let transit riders use their mobile phones as tickets, Galois principal investigator Isaac Potoczny-Jones said in a blog post outlining more details about the project.
The NIST pilot, through an initiative called the "National Strategy for Trusted Identities in Cyberspace," focuses on these two applications. But NIST has recently been drafting broader standards for tech companies creating products for the "Internet of Things": In September, it released a Draft Framework for Cyber-Physical Systems, essentially a guide teaching device manufacturers how to build safer devices.
The company already has a smart-home security pilot in apartments in Portland, Oregon, and San Francisco. Its app allows users to control and monitor their lights, energy use, and home security from anywhere using their smartphone. Tozny plans to collaborate with mobile payment company GlobeSherpa on the transit ticketing project.
NIST isn't the only federal group thinking beyond the password.
At a conference last week, the Defense Department's Deputy Chief Information Officer for Cybersecurity Richard Hale told an audience that "replayable" access keys such as passwords, which can be used more than once, could make the physical assets in the Internet of Things more vulnerable to intruders.
The Pentagon has worked to "basically get rid of things like passwords and move to credentials" for access to virtual networks, he said.
"The Internet of Things is going to need the same thing . . . We have to drive out passwords," Hale added.