The next area in my series on IoT Device Security Considerations and Security Layers is the User Interface.
Many IoT solutions may just have a standard Web interface to a back end system where IoT Devices and Sensors can be controlled. There is already a lot of documentation on good practices for the Web front end.
In some cases the User Interface may be on the IoT device or not delivered over a Web interface. In these cases many of the good practices for Web front ends can still be applied.
Here are a few of the main considerations:
User experience is key to any system, however security is as well. When designing your User Interface you should consider the functionality needed to what the user requirements are, keeping the design slick reduces options for hackers to exploit.
Following good code practices and testing will help in this area.
Identification and Authentication
Most applications these days requires a form of log on and password to links into another system for identification such as AD, LDAP or SSO (Single Sign On).
Ensuring that a strong password policy is in place with rules such as:
- At least 8 characters long
- Includes alphanumeric characters
- Different from previous password
- No complete words
- At least 1 upper case character
- At least 1 lower case character
- At least 1 number
- At least 1 special character
Some of these rules will depend if you are authenticating against an existing directory system and its current policies. you should consider changing them if they are not secure.
This in turn allows for the authentication of users against other methods such as a 2 factor.
Firstly ensuring that the application and interface have good error handling to reduce the number of messages that the user sees should something unexpected happen.
Secondly having simple well defined error messages reduces exposure of what systems you are running or the type of code that can appear in some errors.
Some further reading: