Last week's Dyn DNS outage has the Internet abuzz with warnings about Internet of Things (IoT) devices with weak passwords. Here's what most articles are missing, but MSPs should know: Password security is on the way out, especially on the IoT.

In a nutshell, the Dyn DNS attack, which severely slowed a host of major websites, was made possible because malicious hackers took control of a large number of IoT devices. They were able to do so because the IoT devices had passwords that were easy to guess.

It might therefore seem that the key to preventing another attack like this one is to put stronger passwords on IoT devices. Yet while that might help secure some devices, the real solution for improving IoT security is to move beyond passwords altogether.

Passwords and IoT Devices

To understand security and the IoT, you have to understand two fundamental truths:

  1. The IoT includes a broad range of devices. They vary widely in terms of processing power, memory and functionality. Although it's fashionable to refer to IoT hardware as "smart" devices, many of these devices, such as sensors, are in fact very dumb. With tiny CPUs and minimal memory, they are not capable of doing much of anything beyond one very limited function.
  2. In order for the IoT to reach its full potential, devices need to be able to exchange information securely in an automated fashion. Otherwise, communication on the IoT won't be fully automated, which means it won't be able to scale completely.

Whe you consider these characteristics, password-based authentication starts to look less attractive as a security solution for IoT devices, for two reasons:

  1. Passwords don't work well on dumb devices. They lack the power to process or store passwords.
  2. Passwords are a poor means of automated authentication. Entering a password generally requires a human to do something, and that's hard to automate. As a result, passwords aren't good for securing automated exchanges of information.

What's the lesson here? It's that the future of authentication, especially on IoT devices, is password-less.

MSPs and the IoT

That means that MSPs who want to prepare for the IoT-centric future should familiarize themselves with means of authentication that are not based on passwords.

I'm not talking here about replacing passwords with fingerprint-based logins or SMS codes sent to your phone. Those approaches obviously won't work well with automated IoT devices. They're just replacements for password authentication on traditional, human-operated devices.

On the IoT, passwords will be supplanted by other forms of trust. Blockchain technology, which has become famous so far as the basis for anonymous payment systems like Bitcoin, is likely to become an important authentication solution on the IoT as well. Blockchain makes it possible to build distributed networks of trust and use them to make decisions about whether a device is really what it claims to be. The advantage here is that there is no need to store passwords, no single device has centralized control over authentication, and the devices themselves don't have to perform significant computation in order to authenticate.

Token-based authentication, in which devices exchange preshared keys to confirm each other's identity, is another, more traditional replacement for passwords that could work on the IoT -- although it still requires devices to do some a fair amount of thinking, and the store authentication information that could be compromised.

A third option is for centralized servers to maintain lists of valid hosts on the IoT and control how information is exchanged at the network level. The drawback here is that authentication would have to be highly centralized, and the servers themselves could be compromised. But this would still remove passwords from the picture, a relieve dumb devices of the need to do a lot of processing when authenticating.

The bottom line: Passwords are past their prime, especially on the IoT. To deliver the best service, MSPs should begin preparing for a world where the infrastructure they manage does not rely on passwords.