Bluetooth SIG, FIDO collaboration could bring better security to Internet of Things

The Bluetooth Special Interest Group's work with the Fast IDentity Online (FIDO) Alliance on two-factor authentication could have implications for the Internet of Things (IoT), providing a layer of much-needed security.

The YubiKey NEO on a keychain. (Source: Yubico)

The Universal Second Factor (U2F) Bluetooth transport specification allows the creation of special-purpose Bluetooth Smart U2F devices that require just the press of a button to authenticate to an online service, according to the FIDO Alliance. The alliance announced earlier this month that it is working with the Bluetooth SIG to use Bluetooth Smart as an alternative to using a USB dongle in U2F authentication.

Since the beginning of the Internet, the user name and password combination has been used as a common log-in process. While that system has its advantages, including anonymity for the consumer, "we wanted to portray that in a different type of way and, at the same time, add the security," Sami Nassar, vice president of cyber security solutions at NXP Semiconductors, told FierceWirelessTech. "So maintaining ease and security, and for that we created the FIDO protocol," which is akin to carrying the key to your front door in your pocket.

"Ultimately, from the consumer's perspective, the old-fashioned key is something everybody accepts," he said. "It's something you have in your pocket and you know when you lose it." Now with an electronic key, it can be in a USB key or embedded into a phone, so the phone acts as the key. "You can embed it into all kinds of different devices," including a car or wearables.

Bluetooth is "everywhere" in the smartphones and tablets that consumers can also use for payments and other things, and it offers strong security, said Errett Kroeter, senior director of marketing at the Bluetooth SIG. All Bluetooth connections are FIPS compliant and sport 128-bit AES encryption, he said.

The thinking is that "people have these smartphones in their hands. There's no reason we couldn't use, if it's secure enough, the mobile phone and Bluetooth connection to provide the physical connection, the thing that people have, along with that PIN code, to authenticate who they are and then open up whatever device that people are trying to connect to," Kroeter said.

The really exciting part? Kroeter says that's the ability to get rid of the reliance on so many complicated--or super easy to guess--passwords. "You can imagine a world, and I can't wait for this to happen, [where] you don't have to remember a complicated password to make your access to your computer at work secure," or to get access to your house, for example. The phone can be used to authenticate the person with a PIN code, and "we get out of this world of having to come up with these incredibly complex passwords that are secure, but nobody can remember."

The FIDO U2F technical working group is now publishing technical specifications for Bluetooth and near-field communications (NFC).

The first wireless U2F product on the market is the YubiKey NEO, which is available now on Amazon.com with both USB and NFC communications. That product will work for FIDO U2F NFC authentication once relying parties incorporate support, according to Yubico's CEO and founder, Stina Ehrensvard. "Later this year, we expect to see both NFC and Bluetooth FIDO U2F devices from multiple vendors," including Yubico, she told FierceWirelessTech.

A few months ago, NXP and Qualcomm Technologies (NASDAQ:QCOM) agreed to collaborate to accelerate adoption of NFC and security in mobile, wearable and IoT devices.

For NXP or semiconductor vendors in general, "this is very important for the Internet of Things," Nassar said. "This is actually a big part of it" because the Internet of Things may include phones, but wearables and a lot of other devices, like the connected car, will be part of the IoT as well. "It has to be simple" and cost effective for people to use, he added.

Of course, a lot of technologies are competing for a piece of the IoT, including Wi-Fi. The Bluetooth SIG wants to make sure it's right in there. "Absolutely, we see it as an essential ingredient," Kroeter said. "If you want to connect all these remote little devices, you need to be able to connect in a really reliable way to lots of different kinds of devices. You also have to have that super power efficiency. You can't be worried about changing the sensors in your house every couple months, the batteries every couple of months, and you don't want to have to worry about pulling wires to that, so we see that Bluetooth will have a big role to play in smart home, building automation and industrial applications," and those are the areas where Bluetooth will likely see the most growth in the next five years, he said.
