The following blog is based on my FIDO Authenticate Conference speech, 2022.

The FIDO Alliance has helped to embed a standard cryptographic stack that extends from the cloud all the way out the edge, where computerized devices increasingly come with a built-in basket of security and privacy primitives, for developers to leverage.

As the alliance has evolved, FIDO has branched into the Internet of Things but even before it defined new activities for that domain, I reckon FIDO had established a de facto baseline for authentication (and authorization too) on the IoT. This is because almost anything humans do online will soon be done by non-human actors. 

We are approaching a time where IoT devices will act as intelligent agents, typically representing their human owners, but also acting in the interests of various other parties: public organisations regulators, manufacturers and supply chain members. IoT devices will communicate with one another and with public and private infrastructure. In so doing, devices will present and prove critical pieces of information such as their place of origin, ownership, standards certification, service history, operational status, and recent performance.

These critical pieces of information can be carried as verifiable credentials, where the subjects are not people but devices. At Authenticate 2021 I explained a shift in thinking from verified “identity” of things to verified information about things — a broader, deeper and ultimately more powerful concept. In other words, verifiable credentials for humans are being extended to verifiable credentials of non-human subjects, and from there to verifiable data about things in general.

All these messages and transactions flowing between things need to be verifiable, genuine and reliable — qualities that are delivered by the FIDO standards stack.

And it will become important that third parties can — with the correct permissions of course — load their own verifiable credentials to the device’s secure elements. I am thinking here of service records, certificates of compliance, change of ownership, and logs of software upgrades. All such facts, which must be vouched for by recognised sources, are amenable to being conveyed as verifiable credentials.

Under the covers, every FIDO capable device has a common suite of features. It will have a tamper-resistant secure element or microcontroller which stores private keys and other secrets. Critical software operations are executed privately within the confines of that secure element, including key pair generation and digital signing of transactions on behalf of the device user or controller. The secure element will also hold firmware that runs all cryptographic operations and will ideally be independently quality certified.

For mobile phones carrying virtual bank cards, boarding passes and concert tickets, the metaphor of a wallet is natural, and the visualisation has become commonplace. For autonomous agents, we may need a new analogy to describe the collection of credentials they will carry.

The FIDO basket of capabilities is the cousin of portable cryptography technologies going back over 30 years ago, including SIMs and the Trusted Platform Module built into many personal computers.  Recently we have seen a new generation of programmable IoT controller modules such as the Microsoft Azure Sphere, with the same native abilities to perform cryptographic authentication, verification and authorization.

Thus, FIDO has helped to set the scene for devices on the IoT to have extraordinarily rich and reliable “lives” in which non-human agents can know and show critical information about each other, autonomously.