Journal of Information Security Research ›› 2021, Vol. 7 ›› Issue (4): 358-366.


IoT Authentication Solution Based on FIDO Technology

  

  • Online: 2021-04-05 Published: 2021-04-14


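Li Jun (李俊), Chai Haixin (柴海新)

  1. (国民认证科技(北京)有限公司, Beijing 100085)
  • Corresponding author: Chai Haixin
  • About the authors: Li Jun, master's degree; main research interests: identity authentication and information security. lijun@gmrz-bj.com. Chai Haixin, Ph.D.; main research interests: identity authentication and information security. chaihx@gmrz-bj.com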

Abstract: Traditional authentication methods cannot satisfy the requirements of IoT systems, which are characterized by diverse device types, narrow bandwidth, low latency, heterogeneous environments and massive amounts of private information. The lightweight FIDO specifications decouple the authentication method from the authentication protocol and use public-key cryptography to achieve secure, convenient and privacy-preserving authentication. The complex scenarios of IoT authentication are analyzed, and an authentication solution based on FIDO technology is proposed in which the FIDO server is deployed flexibly on demand. The solution covers cloud, network, edge and endpoint, and provides cross-authentication among users, devices and services. The full lifecycle management of IoT devices and the types of keys held in devices, together with the relationships among them, are analyzed. The strengths and characteristics of the solution, such as its lightweight design, decentralization and zero-trust concept, are summarized as a reference for IoT authentication.

Key words: FIDO, Internet of things, authentication, authenticator, lightweight, decentralization
