This draft has been retired (June 06, 2017).
Further development of this specific document was discontinued.
[Concept Paper] Identity and Access Management for Smart Home Devices
Date Published: June 2016
The National Cybersecurity Center of Excellence (NCCoE) is seeking comments from industry on the challenges of identification, authentication, and authorization for devices in the Internet of Things (IoT) space, specifically the requirements for authentication and authorization of autonomous non-person entities (NPE) found in smart home devices. Areas of interest include the following:
- models for the lifecycle of IoT and/or smart home devices;
- threat vectors and attack surfaces of smart home devices throughout their lifecycle;
- using commercially available technology, methods for the identification, authentication, and authorization of smart home devices including:
  - core requirements in addressing these three capabilities;
  - implementation challenges;
  - potential security weaknesses or gaps;
- mechanisms for NPE-to-NPE, NPE-to-Network, and NPE-to-Cloud authentication;
- mechanisms for binding device, APIs, and user identity with applicable authentication contexts;
- privacy risks to individuals raised by improving smart home device identification and authentication;
- mechanisms that enable improved identification and authentication of smart home devices while maintaining individuals' privacy;
- models for handling encryption on constrained devices; and
- business cases for the identification, authentication, and authorization of smart home devices for which the NCCoE could build a demonstrable solution.
Based upon community feedback on these topics, the NCCoE will consider instantiating a project to engage in building an example solution using commercially available technology.
Comments due: None--comments accepted on an ongoing basis.
Submit comments using the link below.
Internet of Things; IoT; non-person entities; smart home; authentication; identity and access management; authorization
Access Control; Identification and Authentication