Device authentication & Identity & Access Management – it’s all about convenience!

Device authentication – it’s all about convenience!

Username and password as authentication are no more! We have been prophesying this for a while, but today we want to look at an area of authentication where password authentication no longer plays a role at all, and why that is: authentication on devices.

Networking and digitization are increasingly finding their way into both the business and private spheres; in addition to smartphones and laptops, networked household appliances and industrial systems are thus also playing an important role. In the private sector, besides convenience, the onboarding of new users or devices and the switching between users, e.g., a family or a group of friends sharing a streaming subscription or a vehicle, play an important role. In industry, the keyword Operational Technology (OT) is often used to describe the IT in the production line. Obstacles to device authentication there are old machinery, as well as background noise and the wearing of protective equipment such as masks or gloves.

In this context, the question arises as to how users are authenticated on these devices and how the devices authenticate among themselves. Authentication, and the authorization built on top of it, are essential for these devices as well, in order to grant access to certain resources only to authorized users.

Password-based authentication as a problem for device authentication

We have already written a number of articles about the password (“Worldwide, 4 out of 5 data breaches occur due to weak or stolen passwords” or “The Psychology of Password Allocation”), but today we want to focus specifically on the problem of password-based authentication in the context of device authentication and show why passwordless authentication on the device is already much more advanced than in other use cases.

Password-based authentication is a challenging problem, especially when authenticating on devices such as a smart TV. When logging in to a smart TV via traditional password entry, the user experience is often cumbersome and time-consuming because the remote control is not well suited for entering complex passwords. This not only leads to frustration but also tempts users to choose simpler passwords, jeopardizing the security of the user account and the device, as well as of associated resources such as personal information. In addition, smart TVs are connected to the Internet and to online services, which makes them more exposed to attacks and data breaches. Given these challenges, it is clear that developing passwordless authentication methods for smart TVs and similar devices is of great importance in order to increase security while ensuring convenient use.

The OAuth2 Device Code Flow – Authentication via another device!

The OAuth2 Device Code Flow is a grant type specified in the OAuth2 protocol, designed to make device authentication secure and convenient. The process begins when the device to be authenticated, such as a smart TV, displays a code to the user, which the user enters on an authentication page or scans with a smartphone. In this way, authentication and authorization are transferred to another device, where the user authenticates and then authorizes the device. Meanwhile, the device to be authenticated sends its own code to the authorization server along with its token requests. The server verifies the code and, once the user has approved, provides the device with an access token. The device can then use this access token to access the resources. The OAuth2 Device Code Flow thus offers an effective solution to increase security and at the same time improve the convenience of device authentication, by transferring authentication and authorization from a device without an input medium to another device such as a smartphone, on which authentication and authorization can be carried out more easily or may already exist.
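The exchange described above, simulated end to end as an added example that is not part of the original article and not cidaas code: a toy authorization server issues the device code and the user code, the user approves on a second device, and the smart TV polls the token endpoint. The error codes (authorization_pending, slow_down, access_denied, expired_token) are the ones RFC 8628 defines; the client id, the verification URI, the user name and the back-off policy are constructed assumptions.

```python
"""Simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628), in memory and offline."""
import secrets
import time

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # unambiguous characters, easy to type on a phone
INTERVAL = 5      # minimum seconds between polls of the token endpoint
LIFETIME = 600    # device code lifetime in seconds


class FakeClock:
    """Deterministic clock so the example runs instantly and can be tested."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AuthorizationServer:
    """Toy authorization server holding pending device authorizations in memory."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # device_code -> record

    def device_authorization(self, client_id, scope):
        # Step 1: the device asks for a code pair. The device_code is high-entropy and stays
        # on the device; the user_code is short because a human types it, so the server must
        # rate-limit guesses against it (omitted here for brevity).
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4)) for _ in range(2)
        )
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock() + LIFETIME, "last_poll": None,
            "status": "pending", "user": None,  # status: pending | approved | denied
        }
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": "https://example.invalid/device",  # constructed
            "expires_in": LIFETIME, "interval": INTERVAL,
        }

    def verify_user_code(self, user_code, user, approve):
        # Step 2: the user, already logged in on the second device, enters the user code
        # and approves or denies. Returns False if no live pending request matches.
        for record in self.pending.values():
            if record["user_code"] == user_code and record["status"] == "pending":
                if self.clock() > record["expires_at"]:
                    return False
                record["status"] = "approved" if approve else "denied"
                record["user"] = user
                return True
        return False

    def token(self, client_id, device_code):
        # Step 3: the device polls with grant_type=urn:ietf:params:oauth:grant-type:device_code.
        record = self.pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > record["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if record["last_poll"] is not None and now - record["last_poll"] < INTERVAL:
            record["last_poll"] = now  # assumed policy: an early poll restarts the wait
            return {"error": "slow_down"}
        record["last_poll"] = now
        if record["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # the device code is single use
        if record["status"] == "denied":
            return {"error": "access_denied"}
        return {
            "access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "scope": record["scope"],
            "sub": record["user"],  # non-standard, included so the simulation shows who approved
        }


def run_flow(decision):
    """Drive the whole exchange from the smart TV's point of view.

    decision is "approve", "deny" or "timeout"; returns the token responses the TV saw.
    """
    clock = FakeClock()
    server = AuthorizationServer(clock)
    client_id = "smart-tv-app"  # constructed client id
    grant = server.device_authorization(client_id, "profile streaming")
    # The TV now shows grant["verification_uri"] and grant["user_code"] on screen.
    responses = [server.token(client_id, grant["device_code"])]   # nobody has acted yet
    responses.append(server.token(client_id, grant["device_code"]))  # polled too soon
    clock.advance(INTERVAL)
    if decision in ("approve", "deny"):
        server.verify_user_code(grant["user_code"], "alice", decision == "approve")
    elif decision == "timeout":
        clock.advance(LIFETIME)
    responses.append(server.token(client_id, grant["device_code"]))
    return responses


if __name__ == "__main__":
    for step in run_flow("approve"):
        print(step)
```

The point worth noticing is that the TV never sees the user's password: the only secrets it holds are the random device code and, at the end, the access token, and the user code is bound to a single pending request that expires and is consumed on first use.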

Login via WLAN, NFC, or Bluetooth!

With the OAuth2 Device Code Flow, a good specification has been created, but it still does not cover all use cases and devices. Smart TVs or kitchen appliances with a display can be authorized quickly and easily, but there are also many devices in the household without a display, and the OAuth2 Device Code Flow is often not suitable in the context of industrial plants either.

However, the OAuth2 Device Code Flow has shown that bringing in a second device, such as a smartphone, is very useful: in the best case, the user is already authenticated on it, and only the new device has to be authorized. This delegation of authentication and authorization therefore serves as a model for many other processes, and the hand-over to the other device can take place over a wide variety of technical media and protocols, such as Bluetooth, NFC, or WLAN. Depending on the use case, the user flow can be designed individually, from pairing with the device to be authenticated via Bluetooth or WLAN to transmitting authentication tokens over a WLAN network to which both devices are connected.

Authentication at the machine without additional device!

But we also have to keep an eye on authentication on a device without any additional device such as a smartphone. A machine in production can serve as an example. Production employees usually do not carry a smartphone or other device to which authentication and authorization could be transferred. Thus, direct authentication and authorization at the machine itself are necessary, where only a limited set of other devices or gadgets is available to the employee. In addition to an employee ID card, which can be used for authentication via RFID or NFC, biometric methods such as face or voice recognition are of particular interest for enabling convenient and practical authentication.

cidaas offers a wide range of functions for authentication on devices, including the OAuth2 Device Code Flow as well as authentication directly on the device via, e.g., biometric methods. In addition, with the “Offline Access” functionality, authentication is also possible without a permanent Internet connection.