FIDO Device Onboard (FDO), sometimes called 'device provisioning', is a device onboarding protocol developed by the FIDO Alliance. It is an automatic onboarding mechanism for IoT devices: it is invoked autonomously and performs only the limited, specific interactions with its environment that it needs to complete.
What is "Device Onboarding"?
Device onboarding is the process of installing secrets and configuration data into a device, so it can connect and interact securely with an IoT platform. An IoT platform could range from an application on a user’s computer, phone or tablet, to an enterprise server, to a cloud service spanning multiple geographic regions. The device owner uses the IoT platform to manage the device by patching security vulnerabilities, installing or updating software, retrieving sensor data, interacting with actuators, and more.
Here are the top ten things you should know when it comes to FIDO Device Onboarding:
1. A Device Owner Can Choose the IoT Platform at a Later Stage
A unique feature of FIDO Device Onboard is the owner's ability to select the IoT platform late in the device life cycle. The configuration data and secrets can also be created or chosen at that late stage. This feature is called 'late binding'.
The most common case of onboarding happens when a device is first installed. The device connects to a prospective IoT platform over a communications medium with the intent of establishing mutual trust and entering an onboarding dialog. Because of late binding, the device does not yet know which IoT platform it must connect to. That is why the IoT platform registers its network address with a 'Rendezvous Server'. The device connects to one or more rendezvous servers until it learns how to reach the prospective IoT platform.
2. FIDO Device Onboard Establishes the Ownership During Manufacturing
FIDO Device Onboard works by establishing the ownership of a device during manufacturing, then tracking the device's ownership transfers until it is provisioned and put into service. Seen this way, the device onboarding problem is a device 'transfer of ownership' or delegation problem. Between manufacturing and the first time it is powered up and connects to the Internet, the device may change ownership several times. A digital document called the 'Ownership Voucher' transfers the digital ownership credentials from owner to owner without even powering on the device.
3. An Installer Performs Physical Installation of the IoT Device
In onboarding, an installer performs the physical installation of the IoT device. In the untrusted installer model, the device has no guidance on how to onboard. In the trusted installer model, the device can take direction from the installer, simplifying onboarding.
4. FIDO Device Onboard Protocol Doesn't Limit the Owner's Credentials During Onboarding
During onboarding, the FIDO Device Onboard protocol does not limit or mandate the specific credentials the device's owner uses. It allows the manager to supply any number of keys, secrets, credentials and other data to the device so that it can be remotely controlled and enter service efficiently.
5. Once Under Management, FIDO Device Onboard Goes Dormant but Can Be Re-enabled to Repurpose the Device
Once a device is under management, FIDO Device Onboard enters a dormant state, and the device enters normal IoT operations. The manager can perform subsequent updates outside of FIDO Device Onboard. However, if the device is sold or re-provisioned, the manager may clear all credentials and data and re-enable FIDO Device Onboard.
6. During Manufacturing, an IoT device with FDO is typically configured with:
- A processor containing a Restricted Operating Environment (ROE), which is a combination of hardware and firmware that isolates the necessary FIDO Device Onboard functions and applications on the device. This isolation is what guarantees the device's built-in security functions.
- A FIDO Device Onboard application that runs in the processor's ROE that maintains and operates on device credentials;
- A set of device ownership credentials, accessible only within the ROE.
7. FIDO Device Onboard can be Deployed in Different Operating Environments
FIDO Device Onboard may be deployed in multiple operating environments with different security capabilities, such as application isolation and tamper resistance. These include a microcontroller unit (MCU) with a hardware root of trust, or an OS daemon process using keys securely stored in a TPM.
8. Simplified Multiple Onboardings for Demos
The Credential Reuse protocol allows devices to reuse their Device Credentials across multiple onboardings. Its intended use case is demos and testing, where onboarding can be run repeatedly and quickly without changing the Ownership Voucher or resetting the system after each run. Since credential reuse can permit the previous Owner unlimited access to the device, it is NOT recommended for use in the normal device supply chain.
9. Functional, Interoperable, Privacy and Security by Design
FIDO Device Onboard has many protocol features that make it hard for cybercriminals to track a device's progress from manufacturing to ownership to resale or decommissioning. All keys exposed by protocol entities in FIDO Device Onboard can be limited to use only within FIDO Device Onboard. A future FIDO certification program is expected to guarantee a defined level of security assurance, functional conformance and interoperability.
10. Towards Secure IoT Device Deployment at Scale
FIDO succeeded in moving from traditional authentication methods toward a passwordless world, and this new protocol is expected to bring the same balance of user convenience and security to the IoT industry, fostering secure IoT device deployment at scale.