IAM and IoT: Challenges for the Future

By J Connolly.

With the expectation that there will be 20.8 billion connected IoT devices by 2020, and with the Internet of Things market predicted to grow to $1.7 trillion in the same period, the importance of IAM and IoT is only set to grow. While IAM has generally been focused on authenticating the connections between systems and individuals, IoT IAM (sometimes referred to as the Identity of Things or IDoT) systems will instead have to identify and authorise a multitude of devices with diverse functions and permissions. This is already presenting the sector with new challenges when it comes to security and customer trust.

Although the growth of IoT implementation seems unstoppable, security issues are a clear concern for enterprises adopting IoT functionality. A survey undertaken by 451 Research last year found that 50 percent of IT enterprise buyers cited security as the main impediment to IoT adoption. In October 2016, unsecured IoT devices were hijacked and used to attack critical internet infrastructure. Seemingly innocent devices such as internet-connected lightbulbs, fridges, and routers were able to affect the DNS services of internet behemoths. IAM systems also face issues of scale, with unprecedented numbers of devices to manage. As IoT expands from household appliances to critical sectors like healthcare, infrastructure and transport, the ability to effectively authenticate and control these devices will only grow in importance.


IAM in its current form is geared towards establishing the identities of individuals. Indeed, a principal goal of IAM is to establish a single, non-transferable identity for every user. The Internet of Things inverts this structure by asking it to manage devices rather than people: devices which are intermittently connected, tied to multiple users, and deployed at a huge scale. This throws up new challenges for enterprise systems to overcome. One such challenge, highlighted by Ping Identity in their white paper Identity Management for the Internet of Things, is the impact of scale on data received by IAM platforms. IoT systems handle millions of customer and device identities, which can easily produce huge amounts of data that current IAM systems are unprepared for. IAM IoT implementations will have to manage this output to reduce the data load while also utilising security intelligence and analytics to ensure devices are not compromised.

IAM IoT systems will also need to monitor potential namespace issues early on, so that as IoT products grow in scale, IAM systems are not overcome by naming convention obstructions. A whitepaper released by the Cloud Security Alliance on IoT IAM addresses the issue of creating numerous non-colliding identifiers. It advises “an infrastructure in place that supports highly dynamic devices that appear and disappear from the network at any time, move between different local and/or private networks and [has] the flexibility to identify their user uniquely.”


IoT producers will also face new challenges with regard to authentication. Current IAM verification methods such as biometric authentication and password management do not translate well to non-human users. Though most IoT devices will have an identity such as an IP address or serial number, the access to that device and the information the device shares with the network complicate authentication systems. Multi-factor authentication will continue to be pivotal in strengthening IAM, but new methods are already being explored, such as USB-based MFA and smartphone authentication.

The key will be context. As the Ping Identity white paper notes, a simple household appliance with a sensor may only require one form of user-side authentication such as a password, while a hospital MRI machine holding sensitive customer data will require stronger authentication protocols to be able to fully harness the benefits of internet-connected devices.


Due to high-profile breaches and the novelty of household appliances being hacked, much of the focus on IoT has been on security concerns. However, there is cause for optimism in that many of the current weaknesses of IoT IAM are more easily overcome than in other areas.

Frequently, IoT providers ship products in a rush, which means features such as security and access management are not considered. Security protocols which businesses consider essential elsewhere, such as strong password authentication, are routinely ignored when deploying IoT devices. This means that exploits targeting IoT have often simply taken advantage of products whose default passwords were never changed.

Therefore, the challenge for the IAM industry is at least partly convincing IoT vendors that security is essential and encouraging them to adopt good practices when it comes to security. This will ideally lead to the removal of default passwords, frequent security updates and consumer awareness of security issues. Security solutions currently utilised by traditional IAM systems, such as the use of data analytics and context-based authentication systems to identify malicious users, will also have to be adapted for IoT with the added consideration of scale.

Though these challenges may seem daunting, the growth of IoT across numerous sectors also suggests this is an exciting period for IAM to adapt and grow alongside this new technology.