Device Identity is more than just a device ID

First of all, let’s lay out the main reason why we need Device Identity.

It’s like your Personal Identity (driver’s license, passport, etc.): you use it to identify yourself and enroll in all kinds of services in society. That’s how people know you, verify you, and manage you (through the law and the government). Without your identity, you won’t be able to travel, open a bank account, or go to school. A world without IDs can operate only within a small radius, for example a small town of 200 people where everybody knows each other and does business on that basis. That doesn’t work in today’s chaotic world: with 7.594 billion people (2018) living on this planet, that’s not something you can keep track of in your head.

A legal identity is so critical to nearly every aspect of contemporary life in the developed world that many of us scarcely stop to think about it, or, for that matter, to consider what it would mean not to have one. 

Cave paintings estimated to be 31,000 years old are accompanied by handprints. Archeologists say prehistoric people used the markings as signatures.

Some fun facts:

The first known traveling paper was issued in 450 BCE in ancient Persia. Nehemiah, an official serving King Artaxerxes, requested permission to travel to Judah.

Citizens of ancient Rome had 30 days to register a child’s birth with Roman officials. After the father presented seven witnesses, a wooden diptych became the child’s proof of citizenship.

Device Identity

Similar to Personal Identity, Device Identity is becoming a burning issue today. According to Biocatch, identity is most often based on three aspects:

  • What You Know: Static information, also called personally identifiable information (PII), like passwords, the answer to a security question or your social security number or phone number
  • What You Have: A unique token or a device used to verify your identity
  • Who You Are: Specific user behavior, based on how an individual interacts with a device, like tap pressure and swipe patterns, or how they enter information into a form

However, none of these is secure enough on its own to identify a device anymore. For example, What You Know is fragile because data breaches have made information in that category easily accessible to cybercriminals.

What You Have, such as a device ID, also faces tremendous challenges:

  • stolen credentials
  • hard to link a single user to a device
  • easy for fraudsters to circumvent

A lot of cloud providers and data companies use Who You Are to help verify identity. How? They leverage big data. By analyzing user/device patterns, they can detect abnormal behavior and warn the users. An interesting read:

I love big data, and I trust this will work (my friend and I built an anomaly detection solution for elevator maintenance prediction in a hospital).

However, it’s not going to work every time, because of the accuracy of your prediction model. People hate false alerts. Plus, if you don’t have good-quality data, the model won’t work either. The last straw that breaks the camel’s back: the brutal reality is that it takes only one single command to shut off a valve, open a door, turn off an engine, etc. Therefore, it makes no sense to predict that single action unless it’s associated with a lot of other actions that show you a pattern.

So, the reality is you just have to make sure your Device Identity is trustworthy, period.

A full device identity must consist of its unique ID and all the other relevant device information.

According to AIOTI (Alliance for Internet of Things Innovation),

IoT Identifier in the domain model of User, IoT service, Device, data.

An IoT Identity is not a pure ID, but an identifier that can be used to identify a device uniquely. Please let me put it in a more official definition:

Definition of Device Identifier:

An identifier is a pattern to uniquely identify a single entity (instance identifier) or a class of entities (i.e. type identifier) within a specific context.

And in the context of IoT Identity, it’s a combination of IoT-related identifiers:

Namely, a collection of IoT service Identifier, thing identifier, user identifier, application identifier, and data identifier.
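To make the difference concrete, here is an added example (not from the original article or from AIOTI): a registry that compares a request against the enrolled identity, first by device ID alone and then across all five identifiers. The class names, field names and sample values are assumptions made for illustration, and how each identifier is proven authentic is outside its scope.

```python
from dataclasses import dataclass, fields, asdict

@dataclass(frozen=True)
class IoTIdentity:
    """The five identifier kinds the article lists for an IoT identity."""
    service_id: str
    thing_id: str
    user_id: str
    application_id: str
    data_id: str

class IdentityRegistry:
    """Enrolled identities for one context; an identifier is unique only within it."""

    def __init__(self, context):
        self.context = context
        self._by_thing = {}

    def enroll(self, identity):
        if identity.thing_id in self._by_thing:
            raise ValueError(f"{identity.thing_id} already enrolled in {self.context}")
        self._by_thing[identity.thing_id] = identity

    def check_id_only(self, claimed):
        """Weak check: any request presenting a known device ID passes."""
        return claimed.get("thing_id") in self._by_thing

    def check_full(self, claimed):
        """Return the identifier fields that are missing or differ from enrolment."""
        enrolled = self._by_thing.get(claimed.get("thing_id"))
        if enrolled is None:
            return ["thing_id"]
        return [f.name for f in fields(enrolled)
                if claimed.get(f.name) != getattr(enrolled, f.name)]

# Constructed sample data (hypothetical identifiers, not from the article).
REGISTRY = IdentityRegistry("plant-a")
ENROLLED = IoTIdentity("svc-water", "valve-0042", "operator-17", "scada-ui", "stream-flow-3")
REGISTRY.enroll(ENROLLED)

GENUINE = asdict(ENROLLED)
# Same device ID, but sent by a different user through a different application.
REUSED_ID = dict(GENUINE, user_id="unknown-user", application_id="script-x")

if __name__ == "__main__":
    for name, req in (("genuine", GENUINE), ("reused ID", REUSED_ID)):
        print(name, "| ID-only:", REGISTRY.check_id_only(req),
              "| full mismatches:", REGISTRY.check_full(req))
```

The request that reuses the device ID passes the ID-only check, while the full comparison reports exactly which identifiers do not match enrolment.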

Great, now we know what to expect for an IoT Identity. It’s the backbone of security and everything in the IoT industry. We have a good start 😉

Question: the IoT identity seems like a dynamic profile that will change over time, how can we use it securely?

I will discuss it in our next article “How to use IoT Identity in your IoT solutions?”