NIST IoT project explores how to ditch passwords, maintain privacy


Written by

A NIST pilot project hypothetical: This woman could be heading to a cooled-down house, whose AC activated by swiping her mobile bus pass. (

A project that lets consumers use their mobile-phone bus passes to control smart home systems may set the table for a forthcoming framework from the National Institute for Standards and Technology dedicated to protecting user privacy.

In September, NIST’s National Strategy for Trusted Identities in Cyberspace program awarded $1.8 million to Portland, Oregon-based Galois Inc. for a pilot project dedicated to moving people away from passwords as the key to confirming identity and protecting data. The project, built with the help of two other companies in the Internet of Things space, is looking to build a behavior-based authentication system dedicated to finding a happy medium between the need to validate users while also guarding their privacy.

Galois subsidiary Tozny, which works on computer security and authentication, is teaming with mobile ticketing company GlobeSherpa and smart home infrastructure company IOTAS to create a system in which public transit riders can control their home utilities just by swiping the bus passes loaded onto their mobile phones. Tozny founder Issac Potoczny-Jones said what’s new about this idea are the controls set by the company’s personal data storage system that set the levels of data users can share within the system.

“The idea is to build privacy-preserving personal data stores to allow new ways for user information to be shared across organizational boundaries in a way that the user is in control over how the data shared, what is shared, with who and when,” Potoczny-Jones told FedScoop. “It’s important that with emerging IoT technologies and the new way people are getting around via ridesharing or public transit, we collect this share this information in a way that the user has a lot of control over it.”

The way Tozny moves away from the password is by combining the ubiquity of mobile phones with strong cryptography to authenticate users to privacy storage systems. More and more, companies are relying on data brokers, which have their own storage systems, to verify various identity or authentication standards before they allow people to use their services. However, to obtain pertinent data, companies often gather information that’s irrelevant for their use, raising privacy concerns in the process.

“The way this works now is you have to reveal everything just to get to the piece of information you are looking for,” Potoczny-Jones said. “It would be much better if we could just say ‘Here is the information you are looking for, Company X attested it, if you trust Company X, you don’t have to verify the rest of the information.’”

This pilot is one of 18 NSTIC has funded to move people away from using passwords. Potoczny-Jones told FedScoop the results of this pilot could eventually find their way into a forthcoming privacy framework NIST is developing, similar to what the agency created in regards to cybersecurity.

“I think the pilots are really a carrier for building out and demonstrating best practices and then as NIST does, they can standardize things,” he said. “In my opinion, you want use cases to drive standards and not the other way around. I think this is a really nice way to drive standards.”

-In this Story-

Commerce Department, Departments, Internet of Things, National Institute of Standards and Technology
Continue to