Authentication and authorization of devices

Definition

Authentication and authorization of devices are the security mechanisms used in IoT systems to verify the identity of a device and to control what that device is allowed to do after it is identified.

  • Authentication answers the question: “Is this really the device it claims to be?”
  • Authorization answers the question: “What is this authenticated device permitted to access or perform?”

In an IoT application, these two processes are essential because many devices communicate over networks, send sensitive data, and trigger real-world actions such as opening doors, turning on motors, controlling medical equipment, or reporting environmental conditions. Without proper authentication and authorization, unauthorized devices could join the system, steal data, send fake readings, or manipulate operations.


Main Content

1. Device Authentication

Device authentication is the process of confirming that a device is genuine and trusted before it is allowed to communicate with an IoT platform, gateway, cloud service, or another device.

  • Identity verification methods

  • Devices may authenticate using usernames/passwords, pre-shared keys, digital certificates with a device-held private key, SIM-based identity on cellular devices, keys held in a hardware security module or secure element, or biometric-linked controllers in specialized systems.
  • Strong authentication relies on cryptographic proof of possession (a signature or MAC over a fresh challenge) rather than sending a password, because a secret that is transmitted can be guessed, stolen, reused, or intercepted, whereas a challenge-response proof never exposes the key itself.
  • Example: A smart thermostat uses a device certificate issued by the manufacturer or IoT platform to prove it is an approved thermostat and not a spoofed device.

  • Why device authentication matters

  • It prevents rogue devices from entering the network and ensures that only registered devices can exchange data.
  • It protects against impersonation and unauthorized data injection, and, when combined with an integrity-protected, mutually authenticated channel (such as TLS) and fresh nonces in the handshake, against man-in-the-middle and replay attacks.
  • Example: In a smart factory, if a counterfeit sensor sends false temperature data, the control system may shut down machines or make unsafe decisions. Authentication helps block such fake devices before they can participate.

Common Authentication Approaches

a) Password or shared-secret based authentication

  • The device sends an identifier plus a secret known to the server, or better, a MAC computed over a server-supplied challenge so the secret itself is never transmitted.
  • Simple to implement but weak if secrets are exposed or reused; a secret shared across a whole product line means that extracting it from one unit compromises every unit.
  • Suitable only for low-risk environments or as a basic layer combined with stronger methods, and only with a unique secret per device.

b) Certificate-based authentication

  • Each device receives a digital certificate (normally X.509) from a trusted certificate authority (CA), binding its identity to a public key.
  • The device proves possession of the matching private key during the TLS handshake by signing handshake data; the server only needs the CA certificate, not a per-device secret.
  • Very common in enterprise IoT because it scales better and provides strong trust, provided certificate expiry, renewal, and revocation are planned for.

c) Token-based authentication

  • A device obtains a token after initial verification (typically with a stronger credential such as a certificate) and presents it on later requests.
  • Tokens are bearer credentials: anyone holding one can use it, so they must travel only over TLS, and short lifetimes plus narrow scopes limit the damage if one is stolen.
  • Common in cloud-connected applications and API-driven IoT platforms.

d) Mutual authentication

  • Both the device and the server verify each other.
  • Particularly important in IoT because a device must not only trust the server, but the server must also trust the device.
  • Example: A medical infusion pump should authenticate the hospital server, and the server should authenticate the pump, before any command is accepted.
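As an added example (not part of these notes), the following Python program, using only the standard library, implements a mutual challenge-response handshake with HMAC-SHA256. It shows the properties the approaches above call for: the per-device secret is never transmitted, each side proves itself to the other with domain-separated MACs, and single-use server nonces with a time limit cause a replayed response to be rejected. A certificate-based deployment would replace the HMAC with a signature under the device's private key and add certificate chain validation; the device identifiers, secrets, and the 30-second challenge lifetime are constructed for this example.

```python
"""Mutual challenge-response device authentication with replay protection (HMAC-SHA256)."""
import hashlib
import hmac
import os
import time

CHALLENGE_TTL_SECONDS = 30.0   # assumption for the example: how long an issued challenge stays valid
NONCE_LEN = 16                 # fixed-length nonces keep the MAC input unambiguous

# Constructed per-device secrets, as provisioned at manufacturing time.
# In a real deployment these live in a secure element or HSM, never in source code.
DEVICE_SECRETS = {
    "thermostat-0001": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c"),
    "pump-0042": bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"),
}


def _mac(key: bytes, label: bytes, device_id: str, nonce_a: bytes, nonce_b: bytes) -> bytes:
    """Domain-separated MAC: the label stops a device proof from being reflected back as a server proof."""
    msg = label + b"|" + device_id.encode() + b"|" + nonce_a + nonce_b
    return hmac.new(key, msg, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self._pending = {}   # server_nonce -> time issued; every nonce is single-use

    def issue_challenge(self) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        self._pending[nonce] = time.monotonic()
        return nonce

    def verify_device(self, device_id: str, server_nonce: bytes, device_nonce: bytes, tag: bytes):
        """Return the server's proof if the device's tag is valid, otherwise None."""
        issued = self._pending.pop(server_nonce, None)   # pop: a replayed response finds no pending nonce
        if issued is None or time.monotonic() - issued > CHALLENGE_TTL_SECONDS:
            return None
        if len(device_nonce) != NONCE_LEN:
            return None
        # Unknown devices are checked against a dummy key so timing does not reveal whether the ID exists.
        key = self._secrets.get(device_id, b"\x00" * 32)
        expected = _mac(key, b"device-proof", device_id, server_nonce, device_nonce)
        if device_id not in self._secrets or not hmac.compare_digest(expected, tag):
            return None
        return _mac(key, b"server-proof", device_id, device_nonce, server_nonce)


class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, server_nonce: bytes):
        """Answer a challenge: fresh device nonce plus a MAC binding both nonces to this device ID."""
        device_nonce = os.urandom(NONCE_LEN)
        tag = _mac(self._key, b"device-proof", self.device_id, server_nonce, device_nonce)
        return device_nonce, tag

    def verify_server(self, server_nonce: bytes, device_nonce: bytes, server_proof: bytes) -> bool:
        """Mutual authentication: the server must prove it also knows the key, over the device's nonce."""
        expected = _mac(self._key, b"server-proof", self.device_id, device_nonce, server_nonce)
        return hmac.compare_digest(expected, server_proof)


def run_handshake(server: AuthServer, device: Device) -> bool:
    """Full exchange; True only if both sides verified each other."""
    server_nonce = server.issue_challenge()
    device_nonce, tag = device.respond(server_nonce)
    server_proof = server.verify_device(device.device_id, server_nonce, device_nonce, tag)
    if server_proof is None:
        return False
    return device.verify_server(server_nonce, device_nonce, server_proof)


def replay_is_rejected() -> bool:
    """A captured, valid response must not authenticate a second time."""
    server = AuthServer(DEVICE_SECRETS)
    device = Device("thermostat-0001", DEVICE_SECRETS["thermostat-0001"])
    server_nonce = server.issue_challenge()
    device_nonce, tag = device.respond(server_nonce)
    first = server.verify_device(device.device_id, server_nonce, device_nonce, tag)
    second = server.verify_device(device.device_id, server_nonce, device_nonce, tag)
    return first is not None and second is None


if __name__ == "__main__":
    genuine = Device("thermostat-0001", DEVICE_SECRETS["thermostat-0001"])
    impostor = Device("thermostat-0001", b"\x11" * 32)   # claims the ID but lacks the key
    print("genuine device:", run_handshake(AuthServer(DEVICE_SECRETS), genuine))
    print("impostor:", run_handshake(AuthServer(DEVICE_SECRETS), impostor))
    print("replay rejected:", replay_is_rejected())
```

Because the server pops the nonce before checking the tag, a replayed response fails even if the attacker captured a completely valid exchange; the pending table should also be pruned of expired entries in a long-running server.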

2. Device Authorization

Device authorization is the process of determining the exact operations a verified device is allowed to perform in the IoT system.

  • Access control decisions

  • Authorization defines permissions such as reading sensor data, sending telemetry, receiving firmware updates, controlling actuators, or accessing specific API endpoints.
  • A device may be authenticated successfully but still be denied access to certain resources if it lacks permission.
  • Example: A temperature sensor may be allowed to upload readings but not allowed to change HVAC settings.

  • Fine-grained permission management

  • Authorization can be designed at different levels: device-level, resource-level, action-level, or even message-topic-level in MQTT-based systems.
  • This ensures that different devices have only the minimum access needed for their functions, following the principle of least privilege.
  • Example: In a smart home, a light bulb device can be allowed to receive “on/off” commands but not to read camera feeds or unlock doors.

Common Authorization Models

a) Role-Based Access Control (RBAC)

  • Permissions are assigned based on roles such as sensor, actuator, admin, gateway, or maintenance device.
  • Easy to manage when many devices share similar functions.
  • Example: All environmental sensors may share the role “telemetry sender.”

b) Attribute-Based Access Control (ABAC)

  • Access is decided using attributes such as device type, location, time, firmware version, security status, and ownership.
  • More flexible than RBAC and useful for complex IoT environments.
  • Example: A device may be permitted to access a resource only if it is in a factory zone, running approved firmware, and connected during working hours.

c) Policy-Based Authorization

  • Central policies define what devices can do under specific conditions.
  • Useful for enterprise and cloud IoT systems where rules may change frequently.
  • Example: A gateway may be allowed to send commands to actuators only if the request originates from an authenticated maintenance application.

d) Scope-Based Authorization

  • Common in token systems, where the token contains scopes that define allowed actions.
  • Example: A token may allow “read:sensors” but not “write:actuators.”
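The following Python program is an added example (not part of these notes) that combines the models above in one authorization check for an MQTT-style broker: RBAC rules keyed by role, topic-level least privilege through templates that expand the device's own ID and zone, an ABAC condition on firmware version that quarantines out-of-date devices, and a scope gate on the token the device presented. The topic layout, role names, scope names and approved firmware versions are assumptions made for this example.

```python
"""Topic-level authorization for an MQTT-style IoT broker: RBAC rules, ABAC conditions, token scopes."""
from dataclasses import dataclass

# Constructed policy data; topic layout and role/scope names are assumptions for this example.
APPROVED_FIRMWARE = {"2.3.1", "2.4.0"}

# role -> (action, topic template, required token scope); templates expand device attributes
ROLE_RULES = {
    "telemetry-sender": [
        ("publish", "site/{zone}/sensors/{device_id}/telemetry", "telemetry:write"),
        ("subscribe", "devices/{device_id}/config", "config:read"),
    ],
    "actuator": [
        ("subscribe", "devices/{device_id}/commands/#", "commands:read"),
        ("publish", "devices/{device_id}/status", "status:write"),
    ],
    "gateway": [
        ("publish", "site/{zone}/#", "site:write"),
        ("subscribe", "site/{zone}/#", "site:read"),
    ],
}
# A device on unapproved firmware may only fetch its own update; nothing else
QUARANTINE_RULES = [("subscribe", "devices/{device_id}/firmware", "firmware:read")]


@dataclass
class DeviceContext:
    device_id: str
    roles: list
    zone: str
    firmware: str
    scopes: set          # scopes carried by the token the device presented at connect time


def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches exactly one level, '#' matches the remainder (last segment only)."""
    p, t = pattern.split("/"), topic.split("/")
    for i, seg in enumerate(p):
        if seg == "#":
            return i == len(p) - 1
        if i >= len(t) or (seg != "+" and seg != t[i]):
            return False
    return len(p) == len(t)


def authorize(dev: DeviceContext, action: str, topic: str):
    """Return (allowed, reason). Every gate must pass: device attributes, a role rule, and token scope."""
    # ABAC gate: firmware version decides which rule set applies at all
    if dev.firmware not in APPROVED_FIRMWARE:
        rules = QUARANTINE_RULES
        prefix = f"firmware {dev.firmware} not approved, quarantined: "
    else:
        rules = [r for role in dev.roles for r in ROLE_RULES.get(role, [])]
        prefix = ""
    attrs = {"device_id": dev.device_id, "zone": dev.zone}
    for rule_action, template, scope in rules:
        if rule_action != action:
            continue
        # The requested topic is compared literally, so a sensor asking for 'devices/+/config'
        # does not match its own-ID rule; wildcards are only honoured where the rule grants them.
        if not topic_matches(template.format(**attrs), topic):
            continue
        # Scope gate: the role would permit it, but does the token the device holds?
        if scope not in dev.scopes:
            return False, f"{prefix}rule matches but token lacks scope {scope}"
        return True, f"{prefix}allowed by rule {rule_action} {template}"
    return False, f"{prefix}no rule grants {action} on {topic}"


# Constructed devices for the example
SENSOR = DeviceContext("vib-01", ["telemetry-sender"], "press-line", "2.4.0", {"telemetry:write", "config:read"})
PRESS = DeviceContext("press-07", ["actuator"], "press-line", "2.3.1", {"commands:read", "status:write"})
STALE_PRESS = DeviceContext("press-08", ["actuator"], "press-line", "1.9.0",
                            {"commands:read", "status:write", "firmware:read"})
GATEWAY = DeviceContext("gw-press", ["gateway"], "press-line", "2.4.0", {"site:read"})   # no site:write scope

if __name__ == "__main__":
    for dev, action, topic in [
        (SENSOR, "publish", "site/press-line/sensors/vib-01/telemetry"),
        (SENSOR, "publish", "site/press-line/sensors/vib-02/telemetry"),
        (SENSOR, "publish", "devices/press-07/commands/start"),
        (STALE_PRESS, "subscribe", "devices/press-08/commands/#"),
        (GATEWAY, "publish", "site/press-line/sensors/vib-01/telemetry"),
    ]:
        print(dev.device_id, action, topic, "->", authorize(dev, action, topic))
```

The order of the gates matters: attribute checks run first so a quarantined device never reaches its normal role rules, and the scope check runs only after a rule matched, so the reason string tells an operator which layer denied the request.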

3. Security Architecture for Device Access

Authentication and authorization work together in a layered security architecture that protects IoT communication from the device onboarding stage to ongoing operations.

  • Device onboarding and provisioning

  • Before a device joins the system, it must be provisioned with credentials, certificates, tokens, or keys.
  • Secure provisioning ensures that credentials are generated, stored, and delivered safely; ideally the private key is generated on the device itself and never leaves it, and only a certificate signing request travels to the CA.
  • Example: A factory may preload each device with a unique certificate during manufacturing or first-boot registration.

  • Continuous trust validation

  • Devices should not be trusted forever after a single successful authentication.
  • Systems may re-check identity, validate tokens, rotate keys, and monitor device behavior over time.
  • Example: If a device suddenly starts sending unusually large amounts of data or connects from an unexpected location, the platform may revoke its access.

Typical Security Flow in IoT Device Access

Initial registration

  • The device is registered in the IoT platform.
  • A unique identity is assigned.

Credential issuance

  • The platform or CA issues certificates, keys, or tokens.
  • Secrets are stored securely in the device hardware or trusted storage.

Authentication handshake

  • The device proves its identity to the server.
  • The server verifies the proof and optionally authenticates itself to the device.

Authorization check

  • The system evaluates policies and determines what actions the device may perform.
  • Access is granted only for approved resources and operations.

Ongoing monitoring and revocation

  • Sessions are monitored for anomalies.
  • Compromised or decommissioned devices are revoked immediately.

Visual Flow

Device -> presents identity/credential -> Auth Server
Auth Server -> verifies device identity -> Accept/Reject
If accepted:
Device -> requests action/resource -> Authorization Engine
Authorization Engine -> checks policy/role/scope -> Permit/Deny
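The continuous-trust and revocation steps of this flow, as an added example (not part of these notes), in a Python program using only the standard library: a trust manager issues short-lived HMAC-signed tokens carrying a device ID and scopes, validates them against signature, expiry and a revocation list, and revokes a device automatically when its publish volume inside a sliding window exceeds a threshold. The token format, the 10,000-byte-per-60-second limit, the device IDs and the timestamps are constructed for this example, and the clock is passed in explicitly so the scenario is reproducible.

```python
"""Short-lived device tokens, revocation, and behaviour-based trust withdrawal."""
import base64
import hashlib
import hmac
import json
from collections import deque


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TrustManager:
    """Issues device tokens and withdraws trust on explicit revocation or anomalous behaviour."""

    def __init__(self, signing_key: bytes, max_bytes_per_window: int, window_seconds: float):
        self._key = signing_key
        self._revoked = {}          # device_id -> reason
        self._history = {}          # device_id -> deque of (timestamp, bytes published)
        self._max_bytes = max_bytes_per_window
        self._window = window_seconds

    def issue_token(self, device_id: str, scopes, issued_at: int, ttl: int) -> str:
        """Credential issuance: a compact 'payload.mac' token with an expiry baked in."""
        payload = {"sub": device_id, "scopes": sorted(scopes), "iat": issued_at, "exp": issued_at + ttl}
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return f"{_b64(body)}.{_b64(mac)}"

    def validate(self, token: str, now: int):
        """Return the payload if the token is genuine, unexpired and the device is not revoked, else None."""
        try:
            body_b64, mac_b64 = token.split(".")
            body, mac = _unb64(body_b64), _unb64(mac_b64)
        except ValueError:            # malformed token (binascii.Error is a ValueError)
            return None
        # Signature first: nothing in an unauthenticated payload should be parsed or trusted
        if not hmac.compare_digest(hmac.new(self._key, body, hashlib.sha256).digest(), mac):
            return None
        payload = json.loads(body)
        if now >= payload["exp"]:
            return None
        if payload["sub"] in self._revoked:   # revocation wins even over an otherwise valid token
            return None
        return payload

    def revoke(self, device_id: str, reason: str) -> None:
        self._revoked[device_id] = reason

    def revocation_reason(self, device_id: str):
        return self._revoked.get(device_id)

    def record_publish(self, device_id: str, nbytes: int, now: int) -> bool:
        """Sliding-window volume check; returns True if this publish caused the device to be revoked."""
        hist = self._history.setdefault(device_id, deque())
        hist.append((now, nbytes))
        while hist and hist[0][0] <= now - self._window:
            hist.popleft()
        total = sum(n for _, n in hist)
        if total > self._max_bytes:
            self.revoke(device_id, f"volume {total} bytes in {self._window}s exceeds {self._max_bytes}")
            return True
        return False


def tampered_copy(token: str, new_scopes) -> str:
    """What a thief might try with a captured token: widen the scopes but keep the original MAC."""
    body_b64, mac_b64 = token.split(".")
    payload = json.loads(_unb64(body_b64))
    payload["scopes"] = sorted(new_scopes)
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(body)}.{mac_b64}"


if __name__ == "__main__":
    tm = TrustManager(b"constructed-signing-key", max_bytes_per_window=10_000, window_seconds=60)
    tok = tm.issue_token("meter-17", {"read:sensors"}, issued_at=1000, ttl=300)
    print("fresh token:", tm.validate(tok, now=1001))
    print("after expiry:", tm.validate(tok, now=1300))
    print("tampered scopes:", tm.validate(tampered_copy(tok, {"read:sensors", "write:actuators"}), now=1001))
    for t in (1010, 1020, 1030):   # three 4000-byte bursts within one window: 12000 > 10000
        print("publish at", t, "revoked:", tm.record_publish("meter-17", 4000, now=t))
    print("after revocation:", tm.validate(tok, now=1031), tm.revocation_reason("meter-17"))
```

Keeping the revocation list server-side is what makes "revoke immediately" possible for a token that is otherwise self-contained; the short expiry then bounds how long a stale entry must be retained.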

Practical Examples in IoT

Smart home

  • A smart lock authenticates to the home hub using a certificate.
  • It is authorized only to receive unlock/lock commands from the owner’s approved app.

Industrial IoT

  • A vibration sensor authenticates to the plant gateway.
  • It is authorized only to publish sensor telemetry, not to send machine-control commands.

Healthcare IoT

  • A patient monitor authenticates to the hospital network.
  • It is authorized to send patient readings to a specific medical server, but not to access unrelated databases.

Working / Process

1. Device registration and identity creation

  • Each device is enrolled into the IoT ecosystem with a unique identity.
  • The identity may be a device ID, certificate subject, public key fingerprint, SIM identity, or secure token.
  • During manufacturing, deployment, or first boot, the device is assigned credentials that bind it to the trusted platform.
  • Example: A smart meter receives a unique certificate before installation at a customer site.

2. Authentication of the device

  • When the device connects, it proves its identity using its credential.
  • The server checks that the credential is valid, unexpired, not revoked, and issued by a trusted authority.
  • If mutual authentication is used, the device also verifies the server, so it cannot be redirected to a fake cloud endpoint.
  • Example: Over TLS, the device and server exchange certificates and sign handshake data to prove possession of their private keys before any application data is transmitted.

3. Authorization and enforcement

  • After authentication, the system evaluates permissions based on policy, role, scope, or attributes.
  • The platform grants only the allowed actions, such as publish, subscribe, read, update, or command execution.
  • If access is denied, the system blocks the request and logs the event for auditing.
  • Example: An authenticated irrigation controller may be allowed to receive soil-moisture thresholds, but not to edit user profiles or view other devices’ data.

Advantages / Applications

  • Prevents unauthorized access

  • Ensures only trusted devices can connect to the IoT network.
  • Reduces the risk of rogue devices, fake sensors, and malicious controllers.

  • Protects data integrity and system reliability

  • Stops attackers from injecting false readings or unauthorized commands.
  • Helps maintain accurate telemetry and dependable automation.

  • Supports secure real-world IoT applications

  • Used in smart homes, industrial automation, healthcare monitoring, connected vehicles, agriculture, energy grids, and smart cities.
  • Example: In a smart city traffic system, authenticated and authorized devices can safely control signals and exchange data without interference from unknown devices.

Summary

  • Authentication verifies a device’s identity, while authorization controls what that device can do.
  • Strong IoT security needs both mechanisms working together.
  • Device credentials, policies, and access rules help protect IoT communication and actions.
  • Important terms to remember: authentication, authorization, device identity, certificate, token, role, policy, least privilege, mutual authentication.