Secure Authorization, Authentication and Access Control for IoT

Access Control for IoT

To help organizations prepare for Internet of Things (IoT) threats, we outline some key security recommendations for IoT authorization, authentication and access control. 

Security experts and IoT developers are keenly aware that they need to guard against credential theft. With so many types of home and enterprise IoT devices connected to the internet, an insecure device can expose identities, passwords, access tokens or even private keys.

A recent report describes more powerful IoT botnets, built on the Linux/IRCTelnet malware, being used for Distributed Denial of Service (DDoS) attacks.

This malware and similar strains are typically used to discover open ports and weak or default vendor passwords, and the malware can then communicate with the Linux-based IoT devices it has compromised.

This comes after many other high-profile IoT DDoS attacks that took down Dyn and affected many web service providers.

To help IoT developers secure their products and fight future DDoS attacks, the Cloud Security Alliance (CSA) IoT Working Group issued a report titled “Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products.”

In this article, we highlight some key points from the CSA report, including guidelines on how to better secure authorization, authentication and access control for IoT products.

Authentication protocols

According to the CSA guidelines, many IoT protocols used for device-to-device communication offer good secure-communication options, including:

  • OAuth 2.0 (token-based authentication)
  • MQTT with TLS
  • CoAP (multiple authentication options for device-to-device communication; pair it with Datagram TLS (DTLS))
  • DDS (e.g., X.509 certificate (PKI) tokens)
  • XMPP (e.g., Simple Authentication and Security Layer, SASL (RFC 4422), which supports one-way anonymous and mutual authentication with encrypted passwords and certificates).

IoT devices can also communicate with cloud services securely via secure gateways that support MQTT and REST communications. In addition, "device-to-cloud" communications often use API keys for the specific services that need to interact with IoT devices.


Certificates can be used for authentication. However, developers need to ensure that the public key infrastructure (PKI) used to issue certificates is operated securely. For instance, the PKI can issue certificates on receipt of a Certificate Signing Request (CSR).

To aid in the certificate issuance process, organizations should also consider the Simple Certificate Enrollment Protocol (SCEP) and Enrollment over Secure Transport (EST). Devices are typically authenticated based on possession of a private key and trust in the PKI.

Developers should also consider implementing two-way (mutual) certificate authentication. X.509 certificates, for example, can add a valuable layer of security to TLS communication and secure electronic messaging.

In addition, an IoT device can present its certificate for validation by the cloud service, gateway or peer device it is communicating with.
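As an added example that is not code from the CSA report or from this article, the Go program below (standard library only) walks through the certificate workflow described in the last few paragraphs, and also illustrates the TLS-based options in the protocol list above: a constructed private CA (`example-iot-ca`) issues short-lived certificates from CSRs after checking each CSR's self-signature, and a hypothetical device (`sensor-0001`) and gateway then authenticate each other over TLS on loopback, each side validating the other's certificate against that CA. All names, the 12/24-hour validity periods and the `must`, `sign`, `NewCA`, `Enroll` and `MutualTLS` helpers are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T { // any setup failure in the constructed example is fatal
	if err != nil {
		panic(err)
	}
	return v
}

// sign issues tmpl under parent with key (parent == tmpl gives a self-signed cert).
func sign(tmpl, parent *x509.Certificate, pub any, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore = time.Now().Add(-time.Minute) // tolerate small clock skew
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// NewCA creates the private root that the gateway and devices trust.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "example-iot-ca"}, // constructed name
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// Enroll walks one issuance: the requester makes a key pair and a CSR (as a SCEP/EST client
// would); the CA checks the CSR's self-signature (proof of possession of the private key),
// then signs a short-lived certificate limited to a single role.
func Enroll(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, eku x509.ExtKeyUsage, ips []net.IP) tls.Certificate {
	// requester side: the private key never leaves this party
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
	// CA side: only the DER-encoded CSR crosses the boundary
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic("CSR rejected: " + err.Error())
	}
	cert := sign(&x509.Certificate{
		Subject:     csr.Subject,
		NotAfter:    time.Now().Add(12 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku},
		IPAddresses: ips,
	}, caCert, csr.PublicKey, caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// MutualTLS runs a loopback gateway that requires a client certificate chained to the CA,
// connects to it as the device, and returns the device CN the gateway authenticated.
func MutualTLS(deviceID string) (string, error) {
	caCert, caKey := NewCA()
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	gw := Enroll(caCert, caKey, "gateway", x509.ExtKeyUsageServerAuth, []net.IP{net.IPv4(127, 0, 0, 1)})
	dev := Enroll(caCert, caKey, deviceID, x509.ExtKeyUsageClientAuth, nil)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gw},
		ClientAuth:   tls.RequireAndVerifyClientCert, // two-way authentication
		ClientCAs:    roots,
	}))
	defer ln.Close()
	go func() { // the device connects, trusting only the private CA as root
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{dev}, RootCAs: roots}); err == nil {
			c.Close()
		}
	}()
	tc := must(ln.Accept()).(*tls.Conn)
	defer tc.Close()
	if err := tc.Handshake(); err != nil {
		return "", err // e.g. a device certificate from another CA is rejected here
	}
	return tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	cn, err := MutualTLS("sensor-0001") // constructed device id
	if err != nil {
		panic(err)
	}
	fmt.Println("gateway authenticated device:", cn)
}
```

Run it with `go run`. The gateway insists on a client certificate chained to the private CA (`tls.RequireAndVerifyClientCert`) and the device trusts only that CA as a root, so a certificate from any other CA, an expired one, or one issued for the wrong role (extended key usage) fails inside `tc.Handshake()` and never reaches application code. In a real deployment the CSR would travel over SCEP or EST, the CA key would not sit in the same process as the gateway, and the device key would live in a hardware-backed store.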

Other options to consider are Certificate-Less Authentication Encryption (CLAE) and biometrics. For instance, fingerprint technology can be used to provide authentication within an IoT ecosystem.

OAuth 2.0

OAuth 2.0 relies on an authorization server that verifies the user or device identity without passing passwords around and issues a token for access to the protected resource. For example, the Amazon Smart Home Skill API uses OAuth 2.0, and Google moved to OAuth 2.0 back in 2012.

Keep in mind that all tokens should be stored securely, for example in the iOS Keychain or Android's Keystore.
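As an added example, not code from Amazon, Google or the CSA report, here is a minimal OAuth 2.0-style client-credentials flow in Go (standard library only): a constructed authorization server authenticates a device by its client secret and issues a short-lived, scoped bearer token signed with an HMAC key, and a resource server (the cloud service or gateway the device talks to) validates the signature, expiry and scope before serving a request. The device id `thermostat-42`, its secret, the scope names, the shared demo key and the `Token`, `Authorize` and `NewDemo` functions are made-up for this example; a deployment would use a standard JWT library, random keys and a real device registry.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload the authorization server signs into a bearer token.
type Claims struct {
	Subject string   `json:"sub"`   // authenticated device identity
	Scope   []string `json:"scope"` // operations the token permits
	Expires int64    `json:"exp"`   // unix seconds; keep tokens short-lived
}

// AuthServer is the OAuth 2.0 authorization server: device secrets plus the token signing key.
type AuthServer struct {
	key     []byte
	secrets map[string]string // device id -> client secret (constructed registry)
}

func mac(key []byte, body string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(body))
	return m.Sum(nil)
}

// Token implements the client-credentials grant: the device authenticates with its
// secret and receives a scoped, expiring token; the secret itself never reaches the API.
func (a *AuthServer) Token(id, secret string, scope []string, ttl time.Duration) (string, error) {
	want, ok := a.secrets[id]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return "", errors.New("invalid_client")
	}
	payload, err := json.Marshal(Claims{Subject: id, Scope: scope, Expires: time.Now().Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	body := base64.RawURLEncoding.EncodeToString(payload)
	return body + "." + base64.RawURLEncoding.EncodeToString(mac(a.key, body)), nil
}

// Resource is the protected API; it shares the key with the authorization server and
// checks the token's signature first, then expiry, then scope.
type Resource struct{ key []byte }

func (r *Resource) Authorize(token, need string, now time.Time) (*Claims, error) {
	body, sig, ok := strings.Cut(token, ".")
	if !ok {
		return nil, errors.New("malformed token")
	}
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil || !hmac.Equal(got, mac(r.key, body)) {
		return nil, errors.New("invalid signature") // tampered or foreign token
	}
	var c Claims // only decoded after the signature has been verified
	if raw, err := base64.RawURLEncoding.DecodeString(body); err != nil {
		return nil, err
	} else if err = json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("token expired")
	}
	for _, s := range c.Scope {
		if s == need {
			return &c, nil
		}
	}
	return nil, errors.New("insufficient_scope")
}

// NewDemo wires an authorization server and a resource server sharing one constructed key.
func NewDemo() (*AuthServer, *Resource) {
	key := []byte("demo-signing-key-use-random-bytes-in-production")
	return &AuthServer{key: key, secrets: map[string]string{"thermostat-42": "s3cr3t-example"}}, &Resource{key: key}
}

func main() {
	as, api := NewDemo()
	tok, err := as.Token("thermostat-42", "s3cr3t-example", []string{"telemetry:write"}, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	_, err = api.Authorize(tok, "telemetry:write", time.Now())
	fmt.Println("telemetry write:", err) // <nil>
	_, err = api.Authorize(tok+"A", "telemetry:write", time.Now())
	fmt.Println("tampered token:", err) // invalid signature
	_, err = api.Authorize(tok, "telemetry:write", time.Now().Add(time.Hour))
	fmt.Println("an hour later:", err) // token expired
}
```

Note the order of checks in `Authorize`: the signature is verified with `hmac.Equal` before anything in the body is decoded, so a tampered or foreign token is rejected before its contents can influence a decision; expiry and scope are checked only after that. The client secret is compared in constant time, and only the token, never the secret, is ever presented to the resource server, which is the property the paragraph above relies on.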

See more details in OWASP's authentication cheat sheet and in “OAuth: Where are we going?”

User Managed Access (UMA)

UMA is an OAuth-based access management protocol, approved by the Kantara Initiative in 2015, that puts control of information in the hands of the user.

According to the Kantara Working Group charter, the UMA standard helps “enable a resource owner to control the authorization of data sharing and other protected-resource access made between online services on the owner’s behalf or with the owner’s authorization by an autonomous requesting party.”

There are numerous UMA implementations, including ForgeRock, Gluu, Jericho Systems and MITREid Connect, to name a few.

The CSA Working Group paper concludes with other recommended IoT controls, including key management, logging and security assessments.

This concludes the five-part series on IoT security. You can also read more about IoT controls in our previous article: “Improving Data Security with Secure Communications, Applications and APIs for IoT” (part 4). See also Secure Development and Integration (part 1), Framework and Platform IoT Security (part 2) and Hardware-based Security Controls for IoT (part 3).