Identity and the Internet of Things

Buddhima Udaranga
5 min read · Jul 8, 2019

IoT is, at its core, the interconnection of devices through the internet so that they can send and receive data. That sounds simple. Making it happen in the real world, with real-world problems, is not that easy.

Let’s take a simple example. Smart locks are an early example in the consumer IoT space: they let people access buildings at certain times based on clearly defined policies. In this scenario the lock must authenticate users and check authorization policies to verify access. This creates a few implementation problems. When the device starts working, for example when it captures and sends data on the user’s behalf, it needs to authenticate to a service to prove that it is genuine and has the authority to act for the user. The device needs to authenticate against an identity, so to prove those things the device must have an identity of its own. This is where the Identity of Things comes in.

Do we need IAM for IoT?

On the morning of Friday, Oct. 21, 2016, internet users found that websites such as Twitter, Etsy, Spotify, Netflix and GitHub were unresponsive. The cause was that one of the United States’ largest internet management firms was flooded with junk traffic. It was a DDoS attack carried out using the IoT devices we use in our homes. The attackers made use of millions of refrigerators, smart TVs, security cameras and home routers to generate this junk traffic. It was easy for them because these devices have little in the way of security and we really don’t pay attention to them. This makes IoT devices the weakest link in a network, and it creates a risk for enterprises because IoT devices become a back door into the corporate network. Hence the identities of these devices should be handled properly. So the answer to my question is yes: we do need IAM for IoT.

Applying an Identity to a device

Applying an identity to a device is almost the same as applying an identity to a person. To identify a person we store a collection of that person’s attributes as claims, so that the person can be uniquely distinguished from others. The same applies to the identity of a device: a device should also have attributes that can be used to uniquely identify it, and there should be a mechanism to store and process them.

Traditional IAM systems and IDoT

It has been predicted that current traditional IAM systems will not be able to cope with the proliferation of connected IoT devices. There are several reasons to say so. There are three main entities that need to work together to make IoT work.

Entities of IoT

When it comes to IoT there will be billions of devices, associated with different policies, identities and software implementations, and each one requires a unique identity. But traditional IAM systems are focused on user identities, not device identities.

IoT devices are very constrained, so they are built for a specific task, perhaps collecting data and sending it to a border router. Their firmware does not have the capability to deal with the cryptography and authentication requirements of current IAM systems. Some devices do not even have a mechanism for using complex passwords.

How should traditional IAM systems adapt to accommodate IoT?

Managing identity in the IoT is fundamentally different from workforce or customer identity management. As someone who has worked with both IoT and IAM, I think that both sides need to do their part to make this happen.

First, let’s look at the IAM side.

  1. Evaluate each individual manufacturer’s IoT implementation and choose vendors that have adhered to applicable standards and/or sought guidance or followed best practices.
  2. Consider the vendors selected above when designing your authentication and authorization schemes.
  3. Use certificates whenever possible for device authentication and confidentiality.
  4. The device needs to authenticate against an identity. The use of shared secrets and passwords is highly ill-advised; the recommended approach is cryptographic authentication.
  5. IoT is more about relationships among its core entities, so focus more on Identity and Relationship Management than on Identity and Access Management.
  6. Support constrained protocols like MQTT, CoAP, XMPP, DDS and Zigbee as machine-to-machine authentication options. Existing protocols such as HTTP still have an important place for many devices; even an 8-bit controller can create simple GET and POST requests. However, the overhead of HTTP and some other traditional Internet protocols can be an issue for two main reasons. First, the program’s memory footprint can be a problem on small devices. The bigger issue, though, is the power requirement.
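Items 3 and 4 above recommend certificates over shared secrets, and the earlier section describes a device identity as a set of stored attributes. The following Go program, an added example rather than code from the original post, puts the two together: a hypothetical fleet CA issues each device a certificate whose subject carries its attributes (a device serial as CN, a model as OU), and the service authenticates a device by verifying that the presented certificate chains to the fleet CA and is valid for client authentication; a certificate from any other issuer is rejected. All names and values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn/ou signed by parent; with parent == nil it self-signs, which is how the hypothetical fleet CA is created.
func issue(cn, ou string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}}, // device attributes carried as claims
		NotBefore:             time.Now().Add(-time.Hour),                                  // tolerate clock skew on the device
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed root: allowed to sign device certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authenticateDevice is the service-side check: the presented certificate must chain
// to the fleet CA and allow client authentication before its device identifier is trusted.
func authenticateDevice(presented, fleetCA *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(fleetCA)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}
```

In a real deployment the device also proves possession of the matching private key during the TLS handshake; this block covers only the chain and identity check the service performs on the certificate it receives.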

Then the IoT vendors have their own tasks too.

  1. To perform authentication and authorization, IAM tools need context. Context may be the time, identity, activity or location. This context is not fixed; it depends on the scenario. So the constrained protocols used in IoT should be able to accommodate IAM requirements in these scenarios.
  2. There is no single standard for connecting devices on the Internet of Things. This needs to change, and proper standardization should come to the Internet of Things.
  3. All device operating systems and firmware should be capable of supporting at least some of the standard protocols used in IAM.
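Item 6 of the IAM list argued that HTTP’s byte overhead matters on small devices, and the vendor list asks that firmware support standard protocols. This added Go example (not from the original post) encodes one sensor reading as a CoAP POST following the RFC 7252 header and delta-encoded option format, and compares its size with a minimal HTTP/1.1 POST carrying the same reading; the request path, host and reading are constructed sample values.

```go
package main

import "fmt"

// coapOption is one CoAP option: its RFC 7252 number (11 = Uri-Path, 12 = Content-Format) and raw value.
type coapOption struct {
	number uint16
	value  []byte
}

// optField encodes an option delta or length as a 4-bit nibble plus 0, 1 or 2 extension bytes (RFC 7252 section 3.1).
func optField(v int) (byte, []byte) {
	switch {
	case v < 13:
		return byte(v), nil
	case v < 269:
		return 13, []byte{byte(v - 13)}
	default:
		return 14, []byte{byte((v - 269) >> 8), byte(v - 269)}
	}
}

// encodeCoAP builds a confirmable CoAP message without a token: 4-byte header, delta-encoded
// options (which must be given in ascending number order), then the 0xFF marker and payload if any.
func encodeCoAP(code byte, msgID uint16, opts []coapOption, payload []byte) []byte {
	msg := []byte{0x40, code, byte(msgID >> 8), byte(msgID)} // Ver=1, Type=CON, TKL=0
	prev := 0
	for _, o := range opts {
		dn, dext := optField(int(o.number) - prev)
		ln, lext := optField(len(o.value))
		msg = append(append(msg, dn<<4|ln), dext...)
		msg = append(append(msg, lext...), o.value...)
		prev = int(o.number)
	}
	if len(payload) > 0 {
		msg = append(append(msg, 0xFF), payload...)
	}
	return msg
}

// sensorPostSizes returns the wire size of one reading sent as a minimal HTTP/1.1
// POST and as the equivalent CoAP POST to /sensors/temp (constructed sample request).
func sensorPostSizes(reading string) (httpBytes, coapBytes int) {
	httpReq := fmt.Sprintf("POST /sensors/temp HTTP/1.1\r\nHost: gateway.local\r\n"+
		"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n%s", len(reading), reading)
	coap := encodeCoAP(0x02, 0x1234, []coapOption{ // code 0.02 = POST
		{11, []byte("sensors")}, {11, []byte("temp")}, {12, nil}, // Content-Format 0 = text/plain
	}, []byte(reading))
	return len(httpReq), len(coap)
}
```

For the reading "21.5" the HTTP request is 101 bytes and the CoAP request 23 bytes, most of that difference being HTTP's text headers.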

WSO2 Identity Server with IDoT

WSO2 Identity Server is a completely open source IAM product. It works with constrained protocols like MQTT and AMQP as well as heavier, popular ones like HTTP. WSO2 can also help with MQTT client code for many device platforms, ranging from Arduino to Android. WSO2 Identity Server has implementations for almost all authentication, authorization and privacy standards, such as OAuth2, OIDC, UMA and FIDO. It has a SCIM implementation for provisioning and de-provisioning devices, and it also offers logging and event analytics.
