3 Auth & Authorization Basics

Understanding Identity Verification and Permission Control in IoT

3.1 Learning Objectives

By completing this chapter, you will be able to:

Distinguish between authentication and authorization as separate but related security functions
Explain the AAA framework (Authentication, Authorization, Accounting) and its role in enterprise security
Identify common authentication methods for IoT devices including tokens, certificates, and biometrics
Understand role-based access control principles and how they apply to IoT systems
Recognize security anti-patterns such as hardcoded credentials and missing authorization

Prerequisites

Before starting this chapter, you should be familiar with:

Basic security terminology (credentials, permissions, access)
Fundamental networking concepts (client-server, protocols)
Why IoT security matters (see Cyber Security Methods)

Sensor Squad: The Bouncer and the VIP List!

“Think of authentication like the bouncer at a concert,” Sammy the Sensor explained. “The bouncer checks your ticket to make sure you are really a ticket holder. That is authentication – proving your identity. But just having a ticket does not mean you can go backstage!”

Max the Microcontroller continued. “Authorization is the VIP list. Even after the bouncer lets you in, a separate list determines whether you get regular seats, VIP seats, or backstage access. In IoT, authentication verifies a device’s identity, and authorization determines what data it can access and what actions it can perform.”

“The AAA framework adds a third piece: Accounting,” Lila the LED said. “That is like the security cameras and entry logs that record who went where and when. Authentication: who are you? Authorization: what can you do? Accounting: what did you do? All three work together to create a complete security system.”

“A common mistake is confusing these two,” Bella the Battery warned. “Some systems authenticate users but then give everyone full access – that is like a building where everyone with a badge can enter every room. Or worse, some systems check permissions but never verify identity – that is like restricting rooms but never checking badges at the front door. You need BOTH authentication AND authorization working together!”

3.2 Authentication vs Authorization: Understanding the Difference

Two concepts that are often confused but are fundamentally different:

Two-step access control flowchart showing user presenting credentials to authentication step which verifies identity and answers 'Who are you?', then if authenticated proceeds to authorization step which checks permissions and answers 'What can you do?', leading to either access granted or access denied — Figure 3.1: The two-step access control process: authentication verifies identity, authorization determines permissions

Concept	Question Answered	Example	Failure Mode
Authentication	“Who are you?”	RFID card, password, fingerprint	“I don’t recognize you”
Authorization	“What can you do?”	Admin vs user privileges	“You don’t have permission”

Key insight: Authentication must happen BEFORE authorization. You cannot determine what someone is allowed to do until you know who they are.

For Beginners: A Simple Analogy

Think of a library:

Authentication is like showing your library card at the front desk. The librarian scans it to confirm you are a registered member (you are who you claim to be).
Authorization is what your membership level allows. A standard membership lets you borrow books; a research membership also gives you access to the restricted archives.

Your library card proves your identity (authenticated member), but your membership TYPE determines what resources you can access (authorization level).

Try It: Authentication vs Authorization Flow

Simulate access requests to see how authentication and authorization work as separate steps. Select a user and a resource, then observe which step grants or denies access.

Show code

viewof selectedUser = Inputs.select(
  ["badge_12345 (Maria Engineer)", "badge_99999 (Unknown)", "badge_55555 (Jake Intern)", "badge_77777 (Sara Admin)"],
  {label: "Select badge/user", value: "badge_12345 (Maria Engineer)"}
)
viewof selectedResource = Inputs.select(
  ["Temperature Sensor (Read)", "HVAC Controls (Write)", "Security Cameras (Admin)", "Fire Alarm (Emergency)"],
  {label: "Select resource", value: "Temperature Sensor (Read)"}
)

Show code

{
  const userDb = {
    "badge_12345 (Maria Engineer)": {name: "Maria Engineer", authenticated: true, role: "engineer", permissions: ["Temperature Sensor (Read)", "HVAC Controls (Write)"]},
    "badge_99999 (Unknown)": {name: "Unknown", authenticated: false, role: "none", permissions: []},
    "badge_55555 (Jake Intern)": {name: "Jake Intern", authenticated: true, role: "intern", permissions: ["Temperature Sensor (Read)"]},
    "badge_77777 (Sara Admin)": {name: "Sara Admin", authenticated: true, role: "admin", permissions: ["Temperature Sensor (Read)", "HVAC Controls (Write)", "Security Cameras (Admin)", "Fire Alarm (Emergency)"]}
  };
  const user = userDb[selectedUser];
  const authnPass = user.authenticated;
  const authzPass = authnPass && user.permissions.includes(selectedResource);

  const stepColor = (pass) => pass ? "#16A085" : "#E74C3C";
  const stepLabel = (pass) => pass ? "PASS" : "FAIL";

  return html`<div style="font-family: Arial, sans-serif; margin: 8px 0;">
    <svg viewBox="0 0 680 140" style="width:100%;max-width:680px;display:block;">
      <!-- Step 1: Authentication -->
      <rect x="10" y="20" width="190" height="100" rx="8" fill="${stepColor(authnPass)}" opacity="0.12" stroke="${stepColor(authnPass)}" stroke-width="2"/>
      <text x="105" y="50" text-anchor="middle" font-size="13" font-weight="bold" fill="#2C3E50">Step 1: Authentication</text>
      <text x="105" y="70" text-anchor="middle" font-size="11" fill="#7F8C8D">"Who are you?"</text>
      <text x="105" y="95" text-anchor="middle" font-size="14" font-weight="bold" fill="${stepColor(authnPass)}">${authnPass ? user.name : "UNRECOGNIZED"} — ${stepLabel(authnPass)}</text>
      <!-- Arrow -->
      <line x1="200" y1="70" x2="240" y2="70" stroke="#7F8C8D" stroke-width="2" marker-end="url(#arrowGray)"/>
      <!-- Step 2: Authorization -->
      <rect x="240" y="20" width="190" height="100" rx="8" fill="${authnPass ? stepColor(authzPass) : '#7F8C8D'}" opacity="0.12" stroke="${authnPass ? stepColor(authzPass) : '#7F8C8D'}" stroke-width="2"/>
      <text x="335" y="50" text-anchor="middle" font-size="13" font-weight="bold" fill="#2C3E50">Step 2: Authorization</text>
      <text x="335" y="70" text-anchor="middle" font-size="11" fill="#7F8C8D">"What can you do?"</text>
      <text x="335" y="95" text-anchor="middle" font-size="14" font-weight="bold" fill="${authnPass ? stepColor(authzPass) : '#7F8C8D'}">${authnPass ? (authzPass ? "PERMITTED" : "DENIED") : "SKIPPED"} — ${authnPass ? stepLabel(authzPass) : "N/A"}</text>
      <!-- Arrow -->
      <line x1="430" y1="70" x2="470" y2="70" stroke="#7F8C8D" stroke-width="2" marker-end="url(#arrowGray)"/>
      <!-- Result -->
      <rect x="470" y="20" width="190" height="100" rx="8" fill="${authzPass ? '#16A085' : '#E74C3C'}" opacity="0.15" stroke="${authzPass ? '#16A085' : '#E74C3C'}" stroke-width="2"/>
      <text x="565" y="50" text-anchor="middle" font-size="13" font-weight="bold" fill="#2C3E50">Result</text>
      <text x="565" y="75" text-anchor="middle" font-size="16" font-weight="bold" fill="${authzPass ? '#16A085' : '#E74C3C'}">${authzPass ? "ACCESS GRANTED" : "ACCESS DENIED"}</text>
      <text x="565" y="100" text-anchor="middle" font-size="10" fill="#7F8C8D">${!authnPass ? "Failed at authentication" : (!authzPass ? "Authenticated but not authorized" : "Role: " + user.role)}</text>
      <defs><marker id="arrowGray" markerWidth="8" markerHeight="6" refX="8" refY="3" orient="auto"><path d="M0,0 L8,3 L0,6" fill="#7F8C8D"/></marker></defs>
    </svg>
    <div style="margin-top:8px;padding:10px;background:#f8f9fa;border-radius:4px;font-size:0.9em;color:#2C3E50;">
      <strong>User:</strong> ${user.name} | <strong>Role:</strong> ${user.role} | <strong>Requested:</strong> ${selectedResource}<br/>
      <strong>Permissions:</strong> ${user.permissions.length > 0 ? user.permissions.join(", ") : "None (not in system)"}
    </div>
  </div>`;
}

3.3 The AAA Framework

Enterprise security systems use the “AAA” framework to structure access control:

Component	Question	IoT Example	Production Example
Authentication	Who are you?	Card ID lookup, device certificate	OAuth login, biometrics
Authorization	What can you do?	Access level check, capability flags	RBAC, ABAC policies
Accounting	What did you do?	Audit log entries	SIEM, CloudTrail

All three components are essential:

Authentication without authorization means everyone gets full access once identified
Authorization without accounting means you cannot investigate incidents
Authentication without accounting means you cannot trace who performed actions

Try It: AAA Framework Event Simulator

Generate security events and see how Authentication, Authorization, and Accounting each play a different role. Toggle components on and off to observe what breaks when one is missing.

Show code

viewof aaaDevice = Inputs.select(
  ["Sensor-042 (valid device)", "Rogue-999 (unknown device)", "Gateway-01 (admin device)"],
  {label: "Device attempting access", value: "Sensor-042 (valid device)"}
)
viewof aaaAction = Inputs.select(
  ["READ temperature", "WRITE config", "FIRMWARE update", "FACTORY reset"],
  {label: "Requested action", value: "READ temperature"}
)
viewof aaaAuthnEnabled = Inputs.checkbox(["Authentication enabled"], {value: ["Authentication enabled"]})
viewof aaaAuthzEnabled = Inputs.checkbox(["Authorization enabled"], {value: ["Authorization enabled"]})
viewof aaaAcctEnabled = Inputs.checkbox(["Accounting enabled"], {value: ["Accounting enabled"]})

Show code

{
  const devices = {
    "Sensor-042 (valid device)": {known: true, role: "sensor", perms: ["READ temperature"]},
    "Rogue-999 (unknown device)": {known: false, role: "none", perms: []},
    "Gateway-01 (admin device)": {known: true, role: "admin", perms: ["READ temperature", "WRITE config", "FIRMWARE update", "FACTORY reset"]}
  };
  const dev = devices[aaaDevice];
  const authnOn = aaaAuthnEnabled.includes("Authentication enabled");
  const authzOn = aaaAuthzEnabled.includes("Authorization enabled");
  const acctOn = aaaAcctEnabled.includes("Accounting enabled");

  const authnResult = authnOn ? dev.known : true;
  const authzResult = authzOn ? dev.perms.includes(aaaAction) : true;
  const accessGranted = authnResult && authzResult;

  const ts = new Date().toISOString().slice(0, 19).replace("T", " ");

  const warnings = [];
  if (!authnOn) warnings.push("Authentication DISABLED: Any device can claim any identity. Rogue devices will pass unchecked.");
  if (!authzOn) warnings.push("Authorization DISABLED: All authenticated devices get full access. A sensor could perform factory reset.");
  if (!acctOn) warnings.push("Accounting DISABLED: No audit trail. If a breach occurs, you cannot determine what happened or who did it.");

  const boxColor = (on) => on ? "#16A085" : "#E74C3C";

  return html`<div style="font-family:Arial,sans-serif;margin:8px 0;">
    <div style="display:flex;gap:12px;flex-wrap:wrap;margin-bottom:12px;">
      <div style="flex:1;min-width:180px;padding:12px;border-radius:6px;border:2px solid ${boxColor(authnOn)};background:${authnOn ? '#e8f8f5' : '#fdedec'};">
        <div style="font-weight:bold;color:#2C3E50;font-size:13px;">Authentication</div>
        <div style="font-size:12px;color:#7F8C8D;margin:4px 0;">"Who are you?"</div>
        <div style="font-size:14px;font-weight:bold;color:${boxColor(authnOn)};">${authnOn ? (dev.known ? "Identity verified" : "REJECTED: unknown device") : "SKIPPED (disabled)"}</div>
      </div>
      <div style="flex:1;min-width:180px;padding:12px;border-radius:6px;border:2px solid ${boxColor(authzOn)};background:${authzOn ? '#e8f8f5' : '#fdedec'};">
        <div style="font-weight:bold;color:#2C3E50;font-size:13px;">Authorization</div>
        <div style="font-size:12px;color:#7F8C8D;margin:4px 0;">"What can you do?"</div>
        <div style="font-size:14px;font-weight:bold;color:${boxColor(authzOn)};">${authzOn ? (dev.perms.includes(aaaAction) ? "Action permitted" : "DENIED: insufficient permissions") : "SKIPPED (disabled)"}</div>
      </div>
      <div style="flex:1;min-width:180px;padding:12px;border-radius:6px;border:2px solid ${boxColor(acctOn)};background:${acctOn ? '#e8f8f5' : '#fdedec'};">
        <div style="font-weight:bold;color:#2C3E50;font-size:13px;">Accounting</div>
        <div style="font-size:12px;color:#7F8C8D;margin:4px 0;">"What did you do?"</div>
        <div style="font-size:14px;font-weight:bold;color:${boxColor(acctOn)};">${acctOn ? "Event logged" : "NO RECORD (disabled)"}</div>
      </div>
    </div>
    <div style="padding:10px;background:${accessGranted ? '#e8f5e9' : '#fff3e0'};border-left:4px solid ${accessGranted ? '#16A085' : '#E74C3C'};border-radius:4px;margin-bottom:8px;">
      <strong>Outcome:</strong> ${aaaDevice} requested <strong>${aaaAction}</strong> — <span style="color:${accessGranted ? '#16A085' : '#E74C3C'};font-weight:bold;">${accessGranted ? "ACCESS GRANTED" : "ACCESS DENIED"}</span>
      ${acctOn ? html`<br/><span style="font-size:0.85em;color:#7F8C8D;">Audit log: [${ts}] device=${aaaDevice.split(" ")[0]} action=${aaaAction} result=${accessGranted ? "GRANTED" : "DENIED"}</span>` : ""}
    </div>
    ${warnings.length > 0 ? html`<div style="padding:10px;background:#fff8e1;border-left:4px solid #E67E22;border-radius:4px;font-size:0.9em;">
      <strong style="color:#E67E22;">Security Warnings:</strong><br/>
      ${warnings.map(w => html`<div style="margin:4px 0;color:#2C3E50;">- ${w}</div>`)}
    </div>` : html`<div style="padding:10px;background:#e8f5e9;border-left:4px solid #16A085;border-radius:4px;font-size:0.9em;color:#2C3E50;">All three AAA components active. Security posture is complete.</div>`}
  </div>`;
}

3.4 Common Authentication Methods for IoT

IoT devices use various authentication mechanisms depending on constraints:

3.4.1 Token-Based Authentication

Devices present tokens (RFID cards, API keys, JWT tokens) that prove identity:

Token Type	Use Case	Pros	Cons
RFID/NFC	Physical access control	Fast, contactless	Can be cloned
API Keys	Cloud service access	Simple to implement	Long-lived, hard to rotate
JWT Tokens	Session authentication	Short-lived, self-contained	Require refresh logic
X.509 Certificates	Device identity	Cryptographically strong	Requires PKI infrastructure

3.4.2 Challenge-Response Authentication

Instead of sending a password over the network (where it could be intercepted), challenge-response protocols work differently. The server sends a random value called a nonce (number used once), and the device must compute a cryptographic response using the nonce combined with its secret key. The server performs the same computation and compares results. If they match, the device proved it possesses the correct secret – without ever transmitting it.

The security of this approach depends entirely on nonces being unique and unpredictable. The following question explores what happens when this requirement is violated:

3.4.3 Multi-Factor Authentication (MFA)

Combining multiple authentication factors provides defense in depth:

Factor Type	Example	IoT Application
Something you have	Badge, phone, hardware token	Device certificate in secure element
Something you know	Password, PIN	Admin override codes
Something you are	Fingerprint, face scan	Biometric access control

Try It: Multi-Factor Authentication Strength Calculator

Select which authentication factors are active and see how the combined security strength changes. Each factor category reduces the probability of unauthorized access by orders of magnitude.

Show code

viewof mfaHave = Inputs.checkbox(
  ["RFID Badge", "Hardware Token (TOTP)", "Device Certificate"],
  {label: "Something you HAVE", value: ["RFID Badge"]}
)
viewof mfaKnow = Inputs.checkbox(
  ["4-digit PIN", "8-char Password", "Passphrase (20+ chars)"],
  {label: "Something you KNOW", value: []}
)
viewof mfaAre = Inputs.checkbox(
  ["Fingerprint", "Face Recognition", "Iris Scan"],
  {label: "Something you ARE", value: []}
)

Show code

{
  const factorStrength = {
    "RFID Badge": {bits: 32, bypass: "Clone card (~$50 equipment)", category: "have"},
    "Hardware Token (TOTP)": {bits: 20, bypass: "Steal device + time window", category: "have"},
    "Device Certificate": {bits: 256, bypass: "Extract private key from secure element", category: "have"},
    "4-digit PIN": {bits: 13.3, bypass: "10,000 combinations; shoulder surfing", category: "know"},
    "8-char Password": {bits: 52.6, bypass: "Dictionary attack; phishing", category: "know"},
    "Passphrase (20+ chars)": {bits: 95, bypass: "Extremely difficult brute force", category: "know"},
    "Fingerprint": {bits: 20, bypass: "Lifted prints + mold (~$500)", category: "are"},
    "Face Recognition": {bits: 15, bypass: "Photo or 3D mask attack", category: "are"},
    "Iris Scan": {bits: 30, bypass: "Very difficult; high-res photo needed", category: "are"}
  };

  const allSelected = [...mfaHave, ...mfaKnow, ...mfaAre];
  const categories = new Set(allSelected.map(f => factorStrength[f].category));
  const numCategories = categories.size;
  const totalBits = allSelected.reduce((sum, f) => sum + factorStrength[f].bits, 0);

  const levelColor = numCategories === 0 ? "#E74C3C" : numCategories === 1 ? "#E67E22" : numCategories === 2 ? "#3498DB" : "#16A085";
  const levelLabel = numCategories === 0 ? "No Authentication" : numCategories === 1 ? "Single-Factor (Weak)" : numCategories === 2 ? "Two-Factor (Strong)" : "Three-Factor (Very Strong)";

  const barMax = 300;
  const barWidth = Math.min(barMax, (totalBits / 350) * barMax);

  return html`<div style="font-family:Arial,sans-serif;margin:8px 0;">
    <div style="padding:14px;background:linear-gradient(135deg,${levelColor}11,${levelColor}22);border-left:4px solid ${levelColor};border-radius:4px;margin-bottom:12px;">
      <div style="font-size:18px;font-weight:bold;color:${levelColor};">${levelLabel}</div>
      <div style="font-size:13px;color:#2C3E50;margin-top:4px;">${numCategories} factor categor${numCategories === 1 ? "y" : "ies"} | ${allSelected.length} method${allSelected.length === 1 ? "" : "s"} selected | ~${totalBits.toFixed(0)} bits combined entropy</div>
    </div>
    <div style="margin-bottom:12px;">
      <div style="font-size:12px;color:#7F8C8D;margin-bottom:4px;">Combined strength (bits of entropy):</div>
      <div style="background:#ecf0f1;border-radius:4px;height:24px;position:relative;overflow:hidden;max-width:${barMax}px;">
        <div style="background:${levelColor};height:100%;width:${barWidth}px;border-radius:4px;transition:width 0.3s;"></div>
        <span style="position:absolute;left:8px;top:3px;font-size:12px;font-weight:bold;color:#fff;">${totalBits.toFixed(0)} bits</span>
      </div>
    </div>
    ${allSelected.length > 0 ? html`<table style="width:100%;border-collapse:collapse;font-size:0.85em;">
      <tr style="background:#2C3E50;color:#fff;"><th style="padding:6px 8px;text-align:left;">Factor</th><th style="padding:6px 8px;text-align:left;">Category</th><th style="padding:6px 8px;text-align:left;">Strength</th><th style="padding:6px 8px;text-align:left;">Attack Vector</th></tr>
      ${allSelected.map((f, i) => {
        const s = factorStrength[f];
        const catColor = s.category === "have" ? "#3498DB" : s.category === "know" ? "#9B59B6" : "#E67E22";
        return html`<tr style="background:${i % 2 === 0 ? '#f8f9fa' : '#fff'};">
          <td style="padding:6px 8px;font-weight:bold;color:#2C3E50;">${f}</td>
          <td style="padding:6px 8px;"><span style="background:${catColor};color:#fff;padding:2px 8px;border-radius:10px;font-size:11px;">${s.category}</span></td>
          <td style="padding:6px 8px;">${s.bits.toFixed(1)} bits</td>
          <td style="padding:6px 8px;color:#7F8C8D;">${s.bypass}</td>
        </tr>`;
      })}
    </table>` : html`<div style="padding:12px;background:#fdedec;border-radius:4px;color:#E74C3C;font-size:0.9em;">No factors selected. The system has zero authentication — any entity can claim any identity.</div>`}
    ${numCategories === 1 ? html`<div style="margin-top:10px;padding:8px;background:#fff3e0;border-radius:4px;font-size:0.85em;color:#E67E22;">
      <strong>Tip:</strong> Add a factor from a different category to enable true multi-factor authentication. Combining two factors from the same category (e.g., two passwords) is NOT MFA.
    </div>` : ""}
  </div>`;
}

3.5 Role-Based Access Control (RBAC)

RBAC assigns permissions to roles, and roles to users:

RBAC architecture diagram with three layers: Users layer showing Alice, Bob, and Carol; Roles layer showing Admin Role, Engineer Role, and Operator Role; Permissions layer showing Read/Write All, Read Sensors Write Logs, and Read Only, with arrows showing users assigned to roles and roles assigned to permissions — Role-Based Access Control diagram showing three users (Alice Admin, Bob Engineer, Carol Operator) assigned to roles (Admin Role, Engineer Role, Operator Role) which are then assigned permissions (Read/Write All, Read Sensors Write Logs, Read Only), demonstrating indirect permission assignment through roles

3.6 Security Anti-Patterns to Avoid

3.6.1 Hardcoded Credentials

Embedding credentials in firmware creates fleet-wide vulnerabilities:

3.6.2 Authentication Without Authorization

Try It: MQTT Broker Authentication

Objective: Demonstrate how IoT devices authenticate with an MQTT broker using username/password credentials versus certificate-based TLS mutual authentication. This shows why certificate-based auth is preferred for production IoT.

import hashlib
import hmac
import os
import time

# ── Scenario 1: Username/Password MQTT Authentication ──
# This simulates what happens inside an MQTT broker when a device connects
# with CONNECT packet containing username and password fields.

# Broker's credential store (in production, use salted hashes in a database)
BROKER_CREDENTIALS = {
    "sensor_floor1": hashlib.sha256(b"s3cur3_p@ss_f1").hexdigest(),
    "sensor_floor2": hashlib.sha256(b"s3cur3_p@ss_f2").hexdigest(),
    "gateway_main":  hashlib.sha256(b"gw_m@st3r_k3y").hexdigest(),
}

def mqtt_authenticate(username, password):
    """Simulate MQTT CONNECT authentication at the broker.

    MQTT 3.1.1 return codes:
      RC=0: Connection Accepted
      RC=4: Connection Refused, bad user name or password
      RC=5: Connection Refused, not authorized (valid credentials but lacks permission)
    """
    if username not in BROKER_CREDENTIALS:
        return False, "CONNACK: Bad User Name or Password (RC=4)"
    password_hash = hashlib.sha256(password.encode()).hexdigest()
    if password_hash != BROKER_CREDENTIALS[username]:
        return False, "CONNACK: Bad User Name or Password (RC=4)"
    return True, "CONNACK: Connection Accepted (RC=0)"

# Test authentication scenarios
test_cases = [
    ("sensor_floor1", "s3cur3_p@ss_f1", "Valid credentials"),
    ("sensor_floor1", "wrong_password",  "Wrong password"),
    ("unknown_device", "any_password",   "Unknown device"),
]

print("=== MQTT Username/Password Authentication ===")
for username, password, description in test_cases:
    success, response = mqtt_authenticate(username, password)
    status = "OK" if success else "FAIL"
    print(f"  [{status}] {description}: {response}")

# ── Scenario 2: Why Certificates Are Better ──
# Compare security properties of each method

print("\n=== Authentication Method Comparison ===")
comparison = [
    ("Property",               "Username/Password",      "X.509 Certificate"),
    ("Credential per device",  "Often shared (bad)",     "Unique per device"),
    ("Revocation",             "Change all passwords",   "Revoke single cert (CRL)"),
    ("Replay protection",      "Requires TLS transport", "Built-in (TLS handshake)"),
    ("Brute-force risk",       "Yes (dictionary attack)","No (private key never sent)"),
    ("Rotation complexity",    "High (fleet-wide)",      "Low (auto-renew via EST)"),
]
for row in comparison:
    print(f"  {row[0]:<25} {row[1]:<25} {row[2]}")

What to Observe:

Username/password auth is simple but shares credentials across device classes – compromising one device exposes others
The broker returns standardized MQTT CONNACK return codes (RC=0 success, RC=4/5 failure)
Certificate-based auth avoids transmitting secrets entirely – the private key never leaves the device
For fleets of 10,000+ devices, certificate revocation (CRL/OCSP) is far more practical than rotating shared passwords

Try It: JWT Token-Based Authentication for IoT

Objective: Create and verify JSON Web Tokens (JWTs) to authenticate IoT device requests, demonstrating how token-based auth works in practice.

import hmac
import hashlib
import json
import base64
import time

def base64url_encode(data):
    """URL-safe base64 encoding without padding"""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()

def base64url_decode(s):
    """URL-safe base64 decoding with padding restoration"""
    s += '=' * (4 - len(s) % 4)
    return base64.urlsafe_b64decode(s)

def create_jwt(device_id, role, secret_key, expires_in=3600):
    """Create a JWT for an IoT device"""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "device_id": device_id,
        "role": role,
        "iat": int(time.time()),
        "exp": int(time.time()) + expires_in
    }

    header_b64 = base64url_encode(json.dumps(header).encode())
    payload_b64 = base64url_encode(json.dumps(payload).encode())
    signing_input = f"{header_b64}.{payload_b64}"

    signature = hmac.new(
        secret_key.encode(), signing_input.encode(), hashlib.sha256
    ).digest()
    signature_b64 = base64url_encode(signature)

    return f"{header_b64}.{payload_b64}.{signature_b64}"

def verify_jwt(token, secret_key):
    """Verify a JWT and return the payload if valid"""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "Invalid token format"

    signing_input = f"{parts[0]}.{parts[1]}"
    expected_sig = hmac.new(
        secret_key.encode(), signing_input.encode(), hashlib.sha256
    ).digest()
    actual_sig = base64url_decode(parts[2])

    if not hmac.compare_digest(expected_sig, actual_sig):
        return None, "Invalid signature"

    payload = json.loads(base64url_decode(parts[1]))
    if payload.get("exp", 0) < time.time():
        return None, "Token expired"

    return payload, "Valid"

# Gateway's secret key (shared with auth server)
SERVER_SECRET = "iot_gateway_secret_2024"

# Device authenticates and receives a token
token = create_jwt("ESP32_SENSOR_001", "sensor", SERVER_SECRET)
print(f"JWT Token: {token[:60]}...")

# Gateway verifies the token on each request
payload, status = verify_jwt(token, SERVER_SECRET)
print(f"\nVerification: {status}")
print(f"Device ID: {payload['device_id']}")
print(f"Role: {payload['role']}")

# Test with tampered token (attacker changes role to admin)
parts = token.split(".")
fake_payload = json.loads(base64url_decode(parts[1]))
fake_payload["role"] = "admin"
fake_b64 = base64url_encode(json.dumps(fake_payload).encode())
tampered_token = f"{parts[0]}.{fake_b64}.{parts[2]}"

_, tamper_status = verify_jwt(tampered_token, SERVER_SECRET)
print(f"\nTampered token: {tamper_status}")

# Test with wrong secret (rogue gateway)
_, wrong_key_status = verify_jwt(token, "wrong_secret")
print(f"Wrong key: {wrong_key_status}")

What to Observe:

The JWT contains three parts: header, payload, and signature (separated by dots)
The payload is base64-encoded (readable) but the signature prevents modification
Changing even one character in the payload invalidates the signature
Only gateways with the correct secret can issue or verify tokens

Try It: Role-Based Access Control (RBAC) Simulator

Objective: Implement a simple RBAC system demonstrating how different device roles get different permissions.

# Role-Based Access Control for IoT
ROLES = {
    "sensor": {"permissions": ["READ_TEMP", "READ_HUMIDITY", "STATUS"],
               "description": "Read-only sensor device"},
    "actuator": {"permissions": ["READ_TEMP", "STATUS", "SET_THRESHOLD", "ACTIVATE"],
                 "description": "Can read and control outputs"},
    "gateway": {"permissions": ["READ_TEMP", "READ_HUMIDITY", "STATUS",
                                "SET_THRESHOLD", "ACTIVATE", "CONFIG_UPDATE"],
                "description": "Full device management"},
    "admin": {"permissions": ["READ_TEMP", "READ_HUMIDITY", "STATUS",
                              "SET_THRESHOLD", "ACTIVATE", "CONFIG_UPDATE",
                              "FIRMWARE_UPDATE", "FACTORY_RESET"],
              "description": "Full system control"}
}

def check_authorization(device_role, requested_action):
    """Check if a role has permission to perform an action"""
    if device_role not in ROLES:
        return False, f"Unknown role: {device_role}"
    if requested_action in ROLES[device_role]["permissions"]:
        return True, f"AUTHORIZED: {device_role} can {requested_action}"
    return False, f"DENIED: {device_role} cannot {requested_action}"

# Simulate different devices requesting actions
test_cases = [
    ("sensor",   "READ_TEMP",       "Sensor reads temperature"),
    ("sensor",   "FIRMWARE_UPDATE",  "Sensor tries firmware update"),
    ("actuator", "ACTIVATE",         "Actuator triggers output"),
    ("actuator", "FACTORY_RESET",    "Actuator tries factory reset"),
    ("gateway",  "CONFIG_UPDATE",    "Gateway updates config"),
    ("admin",    "FACTORY_RESET",    "Admin resets device"),
]

print("RBAC Authorization Tests:")
print("-" * 55)
for role, action, description in test_cases:
    authorized, message = check_authorization(role, action)
    icon = "PASS" if authorized else "DENY"
    print(f"  [{icon}] {description}")
    print(f"         {message}")

What to Observe:

Sensors can only read data – they cannot control outputs or update firmware
Each role has the minimum permissions needed for its function (least privilege)
Even if a sensor’s credentials are stolen, the attacker can only read data
Only admins can perform destructive operations like factory reset

Try It: ESP32 TLS Client Authentication (Arduino)

Objective: This Arduino sketch shows how an ESP32 establishes a TLS connection to an MQTT broker using a client certificate for mutual authentication. This is the production-grade approach for IoT device identity.

// ESP32 TLS Mutual Authentication - MQTT Client
// Requires: PubSubClient + WiFiClientSecure libraries
#include <WiFi.h>
#include <WiFiClientSecure.h>
#include <PubSubClient.h>

// WiFi credentials
const char* ssid = "IoT-Network";
const char* password = "wifi_password";

// MQTT Broker (TLS on port 8883)
const char* mqtt_server = "broker.example.com";
const int   mqtt_port = 8883;

// Root CA certificate (verify broker identity)
const char* ca_cert = R"EOF(
-----BEGIN CERTIFICATE-----
MIIBxTCCAWugAwIBAgIUd3Y...  // Your CA cert here
-----END CERTIFICATE-----
)EOF";

// Device client certificate (device identity)
const char* client_cert = R"EOF(
-----BEGIN CERTIFICATE-----
MIIBpDCCAUqgAwIBAgIUa7F...  // Unique per device
-----END CERTIFICATE-----
)EOF";

// Device private key (NEVER share -- stored in secure element)
const char* client_key = R"EOF(
-----BEGIN EC PRIVATE KEY-----
MHQCAQEEIKz8P9M3...          // Unique per device
-----END EC PRIVATE KEY-----
)EOF";

WiFiClientSecure espClient;
PubSubClient mqtt(espClient);

void setup() {
    Serial.begin(115200);
    WiFi.begin(ssid, password);
    while (WiFi.status() != WL_CONNECTED) delay(500);

    // Configure TLS mutual authentication
    espClient.setCACert(ca_cert);        // Verify broker
    espClient.setCertificate(client_cert); // Prove device identity
    espClient.setPrivateKey(client_key);   // Sign TLS handshake

    mqtt.setServer(mqtt_server, mqtt_port);
}

void loop() {
    if (!mqtt.connected()) {
        // TLS handshake: broker verifies our cert, we verify broker's cert
        if (mqtt.connect("ESP32_SENSOR_001")) {
            Serial.println("Connected with mutual TLS auth");
            mqtt.publish("sensors/floor1/temp", "23.5");
        } else {
            Serial.print("TLS auth failed, rc=");
            Serial.println(mqtt.state());
        }
    }
    mqtt.loop();
    delay(5000);
}

What to Observe:

Three credentials: CA cert (trust anchor), client cert (device identity), private key (proof of possession)
The broker verifies the device’s certificate during TLS handshake – no username/password needed
Each device gets a unique certificate provisioned during manufacturing
If a device is compromised, revoke only its certificate via CRL – other devices are unaffected
The private key should ideally be stored in a hardware secure element (ATECC608A) rather than flash

3.7 Choosing the Right Authentication Method

Different IoT scenarios call for different authentication approaches. This table maps device capabilities to appropriate methods:

If your device/scenario is…	Choose…	Because…
Severely constrained MCU (<32 KB RAM), private network	Pre-shared keys (PSK)	Minimal computation, no certificate parsing, pre-provisioned at factory
Constrained MCU (32-256 KB RAM), needs mutual auth	X.509 certificates (with hardware key storage)	Strong identity, revocable per-device, no shared secrets
Gateway or SBC running Linux	OAuth 2.0 + client certificates	Standard cloud integration, token refresh, fine-grained scopes
Consumer devices (phones, tablets) accessing IoT	OAuth 2.0 + OIDC	User-friendly flows, social login, token-based, no device certs
Industrial/enterprise with existing PKI	Mutual TLS (mTLS)	Leverages existing certificate infrastructure, strongest binding
Large fleet (>10K devices) needing zero-touch onboarding	Device Provisioning Service + certificates	Automated enrollment, no manual credential distribution
Brownfield devices, no crypto capability	API keys + IP allowlisting	Pragmatic fallback, but weakest option – plan to upgrade

Quick Decision Flowchart:

Can the device perform asymmetric cryptography (RSA/ECC)? No –> PSK (symmetric only)
Does the device have a hardware secure element (ATECC608, TPM)? Yes –> X.509 client certificates stored in secure element
Is this a human user accessing IoT via app/web? Yes –> OAuth 2.0 with OIDC
Do you have an existing PKI or certificate authority? Yes –> Mutual TLS
Is this a prototype or development environment? Yes –> Username/password is acceptable temporarily; never in production
Default: X.509 certificates for device-to-cloud; OAuth 2.0 for user-to-cloud

Never use hardcoded credentials in production. Even PSK should be unique per device, provisioned during manufacturing, and stored in non-volatile secure storage. Shared credentials across a fleet mean one compromised device exposes all devices.

Try It: IoT Authentication Method Selector

Answer questions about your IoT deployment to get a recommended authentication method. Adjust the parameters to see how device constraints, fleet size, and security requirements change the recommendation.

Show code

viewof deviceRam = Inputs.select(
  ["<32 KB (severely constrained MCU)", "32-256 KB (constrained MCU)", "256 KB - 1 MB (capable MCU)", ">1 MB (gateway/SBC with Linux)"],
  {label: "Device RAM", value: "32-256 KB (constrained MCU)"}
)
viewof hasSecureElement = Inputs.select(
  ["No secure element", "Has secure element (ATECC608, TPM)"],
  {label: "Hardware security", value: "No secure element"}
)
viewof fleetSize = Inputs.range([1, 100000], {value: 500, step: 100, label: "Fleet size (devices)"})
viewof humanAccess = Inputs.select(
  ["Device-to-cloud only", "Humans access via app/web", "Both devices and humans"],
  {label: "Access pattern", value: "Device-to-cloud only"}
)
viewof securityReq = Inputs.select(
  ["Prototype/development", "Standard commercial", "Regulated (HIPAA, PCI DSS)", "Critical infrastructure"],
  {label: "Security requirement", value: "Standard commercial"}
)

Show code

{
  const ramIdx = ["<32 KB (severely constrained MCU)", "32-256 KB (constrained MCU)", "256 KB - 1 MB (capable MCU)", ">1 MB (gateway/SBC with Linux)"].indexOf(deviceRam);
  const hasSE = hasSecureElement === "Has secure element (ATECC608, TPM)";
  const isHuman = humanAccess !== "Device-to-cloud only";
  const secIdx = ["Prototype/development", "Standard commercial", "Regulated (HIPAA, PCI DSS)", "Critical infrastructure"].indexOf(securityReq);

  let method, reason, color, extras;

  if (secIdx === 0) {
    method = "Username/Password (temporary)";
    reason = "Acceptable for prototyping, but never deploy to production. Plan migration to certificates before launch.";
    color = "#E67E22";
    extras = ["Simple setup", "No PKI needed", "MUST upgrade before production"];
  } else if (ramIdx === 0) {
    method = "Pre-Shared Keys (PSK)";
    reason = "Device too constrained for asymmetric crypto or certificate parsing. Use unique PSK per device provisioned at factory.";
    color = "#3498DB";
    extras = ["Minimal computation", "No certificate overhead", "Unique key per device", fleetSize > 1000 ? "Warning: key management at scale is complex" : "Manageable fleet size"];
  } else if (isHuman && secIdx <= 1) {
    method = "OAuth 2.0 + OIDC";
    reason = "Human users need user-friendly auth flows. OAuth provides token-based access with standard social login and refresh patterns.";
    color = "#9B59B6";
    extras = ["User-friendly flows", "Token refresh", "Social login support", "Fine-grained scopes"];
  } else if (isHuman && secIdx >= 2) {
    method = "OAuth 2.0 + Hardware MFA";
    reason = "Regulated/critical environments with human access require strong MFA. Hardware tokens (FIDO2/WebAuthn) plus OAuth provide both usability and compliance.";
    color = "#E74C3C";
    extras = ["FIDO2/WebAuthn", "Phishing-resistant", "Regulatory compliant", "Audit trail"];
  } else if (hasSE) {
    method = "X.509 Certificates (Secure Element)";
    reason = "Hardware secure element provides tamper-resistant key storage. Strongest device identity binding — private key never leaves the chip.";
    color = "#16A085";
    extras = ["Tamper-resistant", "Per-device identity", fleetSize > 10000 ? "Use Device Provisioning Service for zero-touch enrollment" : "Standard certificate enrollment", "Revoke individual devices via CRL"];
  } else if (ramIdx >= 2) {
    method = "Mutual TLS (mTLS) with X.509";
    reason = "Device capable of asymmetric crypto. Certificates provide strong per-device identity and mutual authentication with the server.";
    color = "#16A085";
    extras = ["Strong identity", "No shared secrets", "Per-device revocation", fleetSize > 5000 ? "Consider automated certificate lifecycle (EST/SCEP)" : "Manual provisioning feasible"];
  } else {
    method = "X.509 Certificates (Software Key)";
    reason = "Constrained but capable of certificate operations. Store keys in flash with encryption. Not as strong as secure element but much better than shared secrets.";
    color = "#3498DB";
    extras = ["Per-device identity", "Standard TLS", "Software key protection", "Plan secure element upgrade"];
  }

  return html`<div style="font-family:Arial,sans-serif;margin:8px 0;">
    <div style="padding:16px;background:linear-gradient(135deg,${color}11,${color}22);border-left:4px solid ${color};border-radius:6px;margin-bottom:12px;">
      <div style="font-size:11px;text-transform:uppercase;letter-spacing:1px;color:${color};margin-bottom:4px;">Recommended Method</div>
      <div style="font-size:20px;font-weight:bold;color:#2C3E50;">${method}</div>
      <div style="font-size:13px;color:#555;margin-top:8px;">${reason}</div>
    </div>
    <div style="display:flex;gap:8px;flex-wrap:wrap;margin-bottom:12px;">
      ${extras.map(e => {
        const isWarn = e.startsWith("Warning") || e.startsWith("MUST");
        return html`<span style="padding:4px 10px;border-radius:12px;font-size:11px;background:${isWarn ? '#fdedec' : '#eaf2f8'};color:${isWarn ? '#E74C3C' : '#2C3E50'};border:1px solid ${isWarn ? '#E74C3C' : '#3498DB'}33;">${e}</span>`;
      })}
    </div>
    <div style="padding:10px;background:#f8f9fa;border-radius:4px;font-size:0.85em;">
      <strong style="color:#2C3E50;">Your deployment:</strong> ${fleetSize.toLocaleString()} devices | ${deviceRam.split("(")[0].trim()} RAM | ${hasSE ? "Secure element" : "No secure element"} | ${securityReq}
    </div>
  </div>`;
}

Matching Quiz: Match Authentication Concepts

Ordering Quiz: Order the AAA Security Process

Label the Diagram

💻 Code Challenge

3.8 Summary

In this chapter, you learned:

Authentication verifies identity (“Who are you?”) while authorization verifies permissions (“What can you do?”)
The AAA framework (Authentication, Authorization, Accounting) provides the structure for enterprise security
Common authentication methods for IoT include tokens, certificates, challenge-response, and multi-factor authentication
Role-based access control assigns permissions to roles, simplifying management
Security anti-patterns like hardcoded credentials and missing authorization create catastrophic vulnerabilities

Key Takeaway

Authentication answers “Who are you?” while Authorization answers “What can you do?”

Always implement both. A system that only authenticates gives all authenticated users full access. A system that tries to authorize without authenticating cannot know whose permissions to check.

3.9 Knowledge Check

Quiz: Auth & Authorization Basics

Worked Example: Challenge-Response Authentication for IoT Sensors

A warehouse deploys 200 temperature sensors that must authenticate with the gateway every hour to prove they are genuine devices, not rogue sensors injecting false data.

Challenge-Response Protocol:

Sensor initiates connection: Sends device ID SENSOR_042
Gateway sends challenge: Random 128-bit nonce 0x8F2A...C1D3

Sensor computes response:

// Sensor has pre-shared secret KEY_042 (32 bytes)
uint8_t response[32];
hmac_sha256(KEY_042, nonce, response);
// Response = HMAC-SHA256(KEY_042, 0x8F2A...C1D3)

Gateway verifies:

// Gateway has database of all sensor keys
uint8_t expected[32];
hmac_sha256(lookup_key("SENSOR_042"), nonce, expected);
if (memcmp(response, expected, 32) == 0) {
    // Authentication success - sensor has correct key
}

Why this works:

Sensor proves possession of secret key WITHOUT transmitting the key
Nonce prevents replay attacks (each authentication uses unique challenge)
Attacker capturing network traffic sees different nonce/response every time

Timing Attack Protection:

// BAD: Returns early if first byte mismatches
bool verify_insecure(uint8_t* response, uint8_t* expected) {
    for (int i = 0; i < 32; i++) {
        if (response[i] != expected[i]) return false;  // Early return leaks timing
    }
    return true;
}

// GOOD: Constant-time comparison
bool verify_secure(uint8_t* response, uint8_t* expected) {
    uint8_t diff = 0;
    for (int i = 0; i < 32; i++) {
        diff |= (response[i] ^ expected[i]);  // XOR accumulates differences
    }
    return (diff == 0);  // Always checks all 32 bytes
}

Production Deployment: 200 sensors × 24 authentications/day = 4,800 auth/day. Zero unauthorized sensors detected over 18 months. Average authentication latency: 35ms.

Decision Framework: Multi-Factor Authentication (MFA) for IoT

MFA Combination	Security Level	User Friction	IoT Use Case
Password + SMS code	Medium	High (requires phone, delays)	Consumer IoT apps (rare admin actions)
RFID badge + PIN	Medium-High	Low (common workflow)	Physical access control (doors, lockers)
Device cert + biometric	High	Medium (fingerprint scan)	High-security facilities (data centers)
Hardware token + password	Very High	Medium-High (carry token)	Industrial SCADA, critical infrastructure
Push notification + biometric	High	Low (phone approval)	Modern enterprise IoT dashboards

Factor Categories:

Something you have: Badge, phone, hardware token, certificate in secure element
Something you know: Password, PIN, passphrase
Something you are: Fingerprint, face recognition, iris scan

Selection Criteria:

Regulatory requirement (PCI DSS, HIPAA) → Hardware token + PIN (strongest)
Consumer convenience → Push notification (low friction, high security)
Offline operation required → Badge + PIN (no network needed)
Critical infrastructure → 3-factor (cert + biometric + PIN)

IoT-Specific Considerations:

Device constraints: ESP32 can verify certificates but not generate TOTP codes (limited RTC)
Network reliability: SMS codes fail in poor coverage; prefer app-based TOTP
Biometrics: Fingerprint sensors cost $3-8, add physical security without network dependency

Common Mistake: Using Role Hierarchy for Non-Hierarchical Permissions

What practitioners do wrong: They assume access control is always hierarchical (ADMIN > USER > GUEST) and assign permissions accordingly. This fails when different roles need different non-overlapping permissions.

Example that fails:

enum Role { GUEST=0, USER=1, ADMIN=2 };

// Assumes: ADMIN has all USER permissions + more
bool authorize(Role userRole, Role requiredRole) {
    return (userRole >= requiredRole);  // WRONG for non-hierarchical permissions
}

Why it fails:

Hospital: DOCTOR and NURSE are parallel roles, not hierarchical
- DOCTOR can prescribe medication (NURSE cannot)
- NURSE can administer medication (DOCTOR typically doesn’t)
- Neither role is “higher” than the other
Manufacturing: OPERATOR and MAINTENANCE are parallel
- OPERATOR controls production line
- MAINTENANCE accesses mechanical systems
- Neither should have full access to both

Correct approach (capability-based):

const uint16_t CAP_PRESCRIBE_MEDS = 0x01;
const uint16_t CAP_ADMINISTER_MEDS = 0x02;
const uint16_t CAP_ACCESS_MEDICAL_RECORDS = 0x04;

struct User {
    const char* name;
    uint16_t capabilities;
};

User users[] = {
    {"Dr. Smith",  CAP_PRESCRIBE_MEDS | CAP_ACCESS_MEDICAL_RECORDS},
    {"Nurse Jane", CAP_ADMINISTER_MEDS | CAP_ACCESS_MEDICAL_RECORDS},
};

bool authorize(uint16_t userCaps, uint16_t requiredCaps) {
    return (userCaps & requiredCaps) == requiredCaps;
}

Real-world consequence: A 2017 hospital IoT deployment used hierarchical roles where “Physician” > “Nurse” > “Technician”. This gave physicians access to medical equipment calibration controls (technician permission), leading to 3 incidents of accidental re-calibration causing incorrect readings. Post-incident audit mandated capability-based access where equipment calibration is a separate permission bit, not tied to role hierarchy.

Putting Numbers to It: HMAC Challenge-Response Security

HMAC-based challenge-response authentication uses a cryptographic hash function $H$ with a shared secret key $K$ to prove possession of $K$ without transmitting it.

\[\text{Response} = \text{HMAC}(K, \text{Nonce}) = H((K \oplus \text{opad}) \,||\, H((K \oplus \text{ipad}) \,||\, \text{Nonce}))\]

where $\text{opad} = 0x5c5c...5c$ and $\text{ipad} = 0x3636...36$ are padding constants.

Working through an example:

Given: IoT sensor authenticates to gateway using HMAC-SHA256 - Shared secret: $K = \text{32-byte device-specific key}$ - Gateway sends nonce: $N = \text{0x8F2AC1D3...}$ (16 bytes random) - Hash function: SHA-256 (256-bit output) - Attacker’s computing power: $10^{12}$ hash operations/second

Step 1: Calculate sensor’s response (simplified)

\[R = \text{HMAC-SHA256}(K, N)\]

Result: 32-byte (256-bit) authentication tag sent to gateway

Step 2: Calculate security against brute force attack

Attacker must guess the 256-bit secret key $K$. Number of possible keys:

\[\text{Key Space} = 2^{256}\]

Time to brute force with $10^{12}$ attempts/second:

\[T_{\text{brute force}} = \frac{2^{256}}{10^{12} \text{ attempts/s}}\]

\[T_{\text{brute force}} = \frac{1.16 \times 10^{77}}{10^{12}} = 1.16 \times 10^{65} \text{ seconds}\]

Converting to years ($3.15 \times 10^7$ seconds/year):

\[T_{\text{years}} = \frac{1.16 \times 10^{65}}{3.15 \times 10^7} \approx 3.7 \times 10^{57} \text{ years}\]

Step 3: Calculate collision probability for nonce reuse

If the same nonce $N$ is used twice, the attacker can replay the previous valid response. Probability of nonce collision with 128-bit nonces after $n$ authentications (birthday paradox):

\[P(\text{collision}) \approx \frac{n^2}{2^{129}}\]

For $n = 1,000,000$ authentications:

\[P(\text{collision}) \approx \frac{(10^6)^2}{2^{129}} = \frac{10^{12}}{6.8 \times 10^{38}} \approx 1.5 \times 10^{-27}\]

Result: HMAC-SHA256 with a 256-bit key is computationally infeasible to brute force ($3.7 \times 10^{57}$ years). With proper nonce generation (128-bit random), collision probability is negligible ($1.5 \times 10^{-27}$ for 1 million authentications).

In practice: Challenge-response with HMAC provides strong authentication without transmitting the secret key. Each authentication uses a unique nonce, preventing replay attacks. For IoT devices with pre-provisioned keys, HMAC-SHA256 offers 256-bit security with minimal computational overhead (SHA-256 is hardware-accelerated on most modern MCUs). Never reuse nonces – implement cryptographically secure random number generation for nonce creation.

3.9.1 Interactive: HMAC Security Explorer

Adjust the parameters below to see how key length, attacker speed, and nonce size affect the security of HMAC-based challenge-response authentication.

Show code

viewof keyBits = Inputs.range([64, 512], {value: 256, step: 32, label: "Key length (bits)"})
viewof attackerSpeed = Inputs.range([9, 18], {value: 12, step: 1, label: "Attacker speed (10^x hashes/sec)"})
viewof nonceBits = Inputs.range([32, 256], {value: 128, step: 16, label: "Nonce length (bits)"})
viewof numAuths = Inputs.range([3, 9], {value: 6, step: 1, label: "Authentications (10^x)"})

Show code

{
  const keySpace = Math.pow(2, keyBits);
  const speed = Math.pow(10, attackerSpeed);
  const bruteForceSec = keySpace / speed;
  const secPerYear = 3.15e7;
  const bruteForceYears = bruteForceSec / secPerYear;

  const n = Math.pow(10, numAuths);
  const nonceSpace = Math.pow(2, nonceBits + 1);
  const collisionProb = (n * n) / nonceSpace;

  const logBF = Math.log10(bruteForceYears);
  const logCP = Math.log10(collisionProb);

  const bfStr = logBF > 100 ? `10^${logBF.toFixed(0)}` :
                logBF > 6 ? `${(bruteForceYears / Math.pow(10, Math.floor(logBF))).toFixed(1)} x 10^${Math.floor(logBF)}` :
                bruteForceYears.toFixed(1);

  const cpStr = collisionProb < 1e-6 ? `${(collisionProb / Math.pow(10, Math.floor(logCP))).toFixed(1)} x 10^${Math.floor(logCP)}` :
                collisionProb < 0.01 ? (collisionProb * 100).toFixed(4) + "%" :
                (collisionProb * 100).toFixed(2) + "%";

  const secure = logBF > 10 && collisionProb < 1e-6;

  return html`<div style="background: ${secure ? '#e8f5e9' : '#fff3e0'}; border-left: 4px solid ${secure ? '#16A085' : '#E67E22'}; padding: 16px; border-radius: 4px; font-family: sans-serif; margin: 8px 0;">
    <div style="font-weight: bold; margin-bottom: 12px; color: #2C3E50;">Security Analysis</div>
    <table style="width: 100%; border-collapse: collapse;">
      <tr><td style="padding: 4px 8px; color: #555;">Key space:</td><td style="padding: 4px 8px;"><strong>2^${keyBits}</strong> possible keys</td></tr>
      <tr><td style="padding: 4px 8px; color: #555;">Attacker speed:</td><td style="padding: 4px 8px;"><strong>10^${attackerSpeed}</strong> hashes/second</td></tr>
      <tr><td style="padding: 4px 8px; color: #555;">Brute-force time:</td><td style="padding: 4px 8px;"><strong>${bfStr} years</strong></td></tr>
      <tr style="border-top: 1px solid #ddd;"><td style="padding: 4px 8px; color: #555;">Nonce space:</td><td style="padding: 4px 8px;"><strong>2^${nonceBits}</strong> possible nonces</td></tr>
      <tr><td style="padding: 4px 8px; color: #555;">Authentications:</td><td style="padding: 4px 8px;"><strong>10^${numAuths}</strong> (${n.toLocaleString()})</td></tr>
      <tr><td style="padding: 4px 8px; color: #555;">Nonce collision probability:</td><td style="padding: 4px 8px;"><strong>${cpStr}</strong></td></tr>
    </table>
    <div style="margin-top: 12px; padding: 8px; background: ${secure ? '#c8e6c9' : '#ffe0b2'}; border-radius: 4px; font-size: 0.9em;">
      ${secure ? 'Both brute-force resistance and nonce collision probability are well within safe margins.' : 'Warning: one or more parameters may not provide adequate security. Increase key length or nonce size.'}
    </div>
  </div>`;
}

3.10 Concept Relationships

How Authentication Fundamentals Connect

Core Concept	Builds On	Enables	Common Confusion
Authentication (who)	Identity verification	Authorization decisions	“Is checking permissions authentication?” - No, that’s authorization. Authentication only proves identity
Authorization (what)	Successful authentication	Access control enforcement	“Can’t authentication alone secure a system?” - No. Proving identity doesn’t determine permissions
AAA framework	Separation of concerns	Complete security architecture	“Why three separate components?” - Each serves distinct function: verify (auth), permit (authz), record (accounting)
RBAC	Role hierarchies	Permission management via roles	“Are roles the only way?” - No. Capability-based and attribute-based are alternatives
Token-based auth	Credentials	Stateless authentication	“Are tokens the same as passwords?” - No. Tokens are issued AFTER password authentication

Key Insight: Authentication and authorization are separate security functions that must both be implemented. Knowing WHO someone is (authentication) does not determine WHAT they can do (authorization).

Common Pitfalls

1. Using Shared Credentials Across All IoT Devices

Using the same username/password for all 10,000 devices in a fleet means one compromised device exposes all devices. Each IoT device must have unique credentials, provisioned at manufacturing or first boot, enabling individual device revocation without affecting the fleet.

2. Implementing Authentication But Not Authorization

Many IoT systems verify that a device is who it claims to be (authentication) but then grant all authenticated devices full API access (no authorization). A compromised temperature sensor should not be able to actuate a valve. Always implement both layers.

3. Hardcoding API Keys or Certificates in Firmware

Credentials embedded in firmware are visible to anyone who extracts the binary with a flash reader or decompiles the firmware. Use secure element storage (ATECC608A, TPM), provisioning services, or at minimum store credentials in separate flash sectors with read protection enabled.

4. Not Planning for Credential Rotation

IoT devices deployed for 10 years with certificates that expire in 1 year will become unreachable when certificates expire. Plan for OTA certificate renewal from day one, including device-initiated renewal before expiry and a recovery mechanism for devices that miss the renewal window.

3.11 What’s Next

If you want to…	Read this
Start the hands-on lab	Lab: Basic Access Control Setup
Implement zero trust security architecture	Zero Trust Security
Learn cryptographic authentication and TLS	Cyber Security Methods
Understand attacker perspectives	Threat Modelling and Mitigation
Explore IoT-specific access control	IoT Security Access Control

Now that you understand the fundamentals, put them into practice:

Lab: Basic Access Control Setup: Build the circuit and learn the components for an IoT access control system
Lab: Access Control Implementation: Complete implementation with scenarios and testing
Advanced Access Control Concepts: Capability-based access, token lifecycle, session management
Advanced Lab Implementation: Enterprise-grade security patterns in code

For related security topics:

If you want to…	Read this
Implement zero trust security architecture	Zero Trust Security
Learn cryptographic authentication and TLS	Cyber Security Methods
Understand attacker perspectives	Threat Modelling and Mitigation
Explore IoT-specific access control	IoT Security Access Control
Practice with hands-on lab	Lab: Basic Access Control Setup

Key Concepts

Authentication: The process of verifying the claimed identity of a user, device, or service; answers “who are you?”
Authorization: The process of determining what an authenticated principal is permitted to do; answers “what are you allowed to do?”
Multi-Factor Authentication (MFA): Requiring two or more independent verification factors (something you know, have, or are) to authenticate
RBAC (Role-Based Access Control): Assigning permissions to roles and assigning roles to users/devices; simplifies permission management at scale
ABAC (Attribute-Based Access Control): Making access decisions based on attributes of the subject, resource, environment, and action; more flexible than RBAC for complex IoT policies
Principle of Least Privilege: Every component should have only the minimum permissions required for its function; fundamental to limiting damage from compromised credentials
Zero Trust: The security model that assumes no network location is inherently trusted and verifies every request explicitly regardless of origin

In 60 Seconds

Authentication verifies identity (“who are you?”) while authorization determines permissions (“what can you do?”) — in IoT, both must be enforced on every device, every request, and every service endpoint because a compromised device or API without authorization checks can cascade to full system compromise.