Arshad Noor - Jun 29, 2020

The Wake-Up Call for Stronger Authentication: California’s IoT Bill SB-327


Along with the California Consumer Protection Act (CCPA), the cybersecurity law CA SB-327 known as the “IoT bill” went into effect January 1, 2020, with enforcement beginning July 1, 2020. While the CCPA, which is focused on personal data control and privacy, has grabbed most of the headlines, the lesser known Internet of Things bill is focused on the security of connected “smart” devices.

The IoT bill was passed in hopes of preventing manufacturers from shipping thousands or even millions of devices with the same default password that many consumers will never change. The existing password practice has left these devices vulnerable to hackers who can compromise your personal privacy and safety.

The bill requires that all manufacturers of devices that connect to the internet either ship each device with a unique preprogrammed password or force users to set their own password the first time they connect. While some believe this is a good step toward providing consumers with adequate levels of security, the legislature missed an opportunity to more thoroughly address vulnerabilities. It started from the assumption that the passwords used to secure IoT devices are unsafe, and therefore the devices themselves are unsafe, rather than recognizing that the very method of using passwords is outdated.

Passwords are the leading cause of data breaches on the internet, accounting for more than 80 percent of hacking-related breaches. This, in addition to the bands of botnets holding billions of stolen credentials for reuse in attacks on websites, presages a major security risk to consumers not only across the state of California but across the globe.

The sooner we as a society can eliminate passwords and other forms of shared-secret authentication, such as one-time PINs (OTP), knowledge-based authentication (KBA) and SMS codes, the safer we will be.

Stronger Authentication Exists

It’s not for a lack of alternatives that the problem persists. The FIDO Alliance, a non-profit standards group of more than 200 companies from around the world, has been working for more than five years to eliminate passwords from the internet. They have standardized three protocols that have had dozens of implementations on the market for the past four years.

In 2017, the National Institute of Standards and Technology (NIST) published a draft Special Publication 800-63-3, Digital Identity Guidelines, naming FIDO-based solutions as the highest level of authentication technology assurance for federal use.

The NIST National Cybersecurity Center of Excellence (NCCoE) has successfully completed two projects — and is working on a third — where FIDO protocols were specifically chosen to address mission-critical problems for public safety/first responders, as well as to mitigate the risk of e-commerce fraud on the internet. Practice guidelines have also been published by the NCCoE to assist anyone choosing to adopt this superior authentication capability.

Some U.S. federal agencies are starting to incorporate FIDO-based authentication technology into their web applications, and the U.K. government has named deployment of FIDO-based strong authentication as one of its most important initiatives in its 5-year cybersecurity plan.

The Passwordless Opportunity

The bill is already in effect, and it presents an opportunity for enterprising companies to move into this new niche with a better alternative for authenticating humans to devices. The vast majority of these authenticating devices need nothing more than the basic Universal Second Factor (U2F) protocol in passwordless mode to enable the registration of the first U2F key presented as the administrator's key to the device.

Accordingly, IoT devices won’t need to store more than two registered keys. Manufacturers can make many assumptions about the protocol when they are designing something for their specific device. Given the price of basic U2F authenticators on e-commerce sites, to bootstrap this process manufacturers could even give away a free U2F authenticator with each $50 IoT device. There is even FIDO Certified® software that will allow manufacturers to bootstrap this process.
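The device-side logic sketched above, with the first key presented becoming the administrator's key, at most two keys stored, and challenge-response sign-in with no password, as an added example written for this page in Go. It is not StrongKey's code or any FIDO reference implementation, and it is a deliberately reduced model: it keeps U2F's signed-data layout (application parameter, flags, big-endian counter, challenge parameter) and ECDSA P-256 over SHA-256, but leaves out attestation, key handles and the USB/HID transport of the real protocol. The type names, the application identifier string and the two-slot limit are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// maxKeys is the slot limit the article suggests: the administrator's key plus one more.
const maxKeys = 2
// registeredKey is all the device keeps per slot: public key, role, highest counter seen.
type registeredKey struct {
	pub     *ecdsa.PublicKey
	role    string // "admin" or "user"
	counter uint32
}

// Device models the relying-party logic running on the IoT device itself.
type Device struct {
	AppParam [32]byte // SHA-256 of a hypothetical application identifier
	keys     []registeredKey
}

func NewDevice(appID string) *Device { return &Device{AppParam: sha256.Sum256([]byte(appID))} }
// Register stores a credential's public key; the first key ever presented becomes admin.
func (d *Device) Register(pub *ecdsa.PublicKey) (string, error) {
	if len(d.keys) >= maxKeys {
		return "", errors.New("all key slots are in use")
	}
	role := "user"
	if len(d.keys) == 0 {
		role = "admin"
	}
	d.keys = append(d.keys, registeredKey{pub: pub, role: role})
	return role, nil
}

// Challenge draws a fresh random challenge parameter for one sign-in attempt.
func (d *Device) Challenge() ([32]byte, error) {
	var c [32]byte
	_, err := rand.Read(c[:])
	return c, err
}

// signedData lays out the bytes to be signed in U2F order: app param, flags, counter, challenge.
func signedData(appParam [32]byte, flags byte, counter uint32, challenge [32]byte) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append([]byte{}, appParam[:]...)
	buf = append(buf, flags)
	buf = append(buf, ctr[:]...)
	return append(buf, challenge[:]...)
}

// Verify checks an assertion against the registered keys and returns the role of the key that
// made it. It requires the user-presence bit and a strictly increasing counter; a reused or
// rolled-back counter (a replayed assertion, or a cloned authenticator) is refused.
func (d *Device) Verify(challenge [32]byte, flags byte, counter uint32, sig []byte) (string, error) {
	if flags&0x01 == 0 {
		return "", errors.New("user presence not asserted")
	}
	digest := sha256.Sum256(signedData(d.AppParam, flags, counter, challenge))
	for i := range d.keys {
		k := &d.keys[i]
		if !ecdsa.VerifyASN1(k.pub, digest[:], sig) {
			continue
		}
		if counter <= k.counter {
			return "", errors.New("counter did not increase: replay or cloned key")
		}
		k.counter = counter
		return k.role, nil
	}
	return "", errors.New("signature matches no registered key")
}

// Authenticator stands in for a U2F security key: a P-256 private key plus a monotonic counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }
// Sign answers a challenge: bump the counter, set the user-presence flag (0x01) and
// sign the U2F-style byte string with ECDSA over its SHA-256 digest.
func (a *Authenticator) Sign(appParam, challenge [32]byte) (byte, uint32, []byte, error) {
	a.counter++
	digest := sha256.Sum256(signedData(appParam, 0x01, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return 0x01, a.counter, sig, err
}
```

The point of the model is how little the device has to hold: two public keys, two roles and two counters, and no secret at all. The counter check is what turns the stored state into clone detection, so it is worth keeping even in a reduced implementation.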

Toward a More Secure Future

Even though many agree that passwords are inconvenient and ultimately unsuccessful as a security measure, people are reluctant to forgo them because they are familiar. It’s the way things have always been done. But when passwords are responsible for the vast majority of hacking-based breaches, it’s time to admit that what was meant to keep us safe is actually putting us in jeopardy.

Legislators are making efforts to keep consumers safe, with the personal data controls and privacy protections of the CCPA and, through SB-327, the securing of connected smart devices, many of which control aspects of our home life. However, more must be done, since the continued reliance on passwords means the vulnerabilities still exist.

An opportunity remains to enable a stronger method of authentication through a modified IoT bill and begin the process of strengthening our digital infrastructure. But, as a consumer, don’t wait for the law to catch up to reality; you have the power to secure access right away to many popular websites on the internet — Gmail, Facebook, and Twitter among others — using passwordless authentication based on FIDO protocols, at little more than the price of a latte.

About the Author

Arshad Noor is the CTO of StrongKey, a company based in Cupertino, CA and Durham, NC, focused on securing data through key management, strong authentication, encryption, and digital signatures. He has 32 years of experience in the Information Technology sector, of which more than 19 have been devoted to designing and building key management infrastructures for dozens of mission-critical environments around the world. He has been published in periodicals and journals, has authored XML-based protocols for two technical committees at OASIS, is a member of the Forbes Security Council, and represents StrongKey in the FIDO Alliance. Arshad is also a frequent speaker at forums such as RSA, ISACA, OWASP and the ISSE. He can be reached at