The next post in my IoT series on IoT Device Security Considerations and Security Layers covers Access Control and Authentication.

Security around access is always a hot topic, for people and for systems, and the IoT should be no different. From user interfaces to devices communicating with each other, access control and authentication are key to maintaining a secure solution or system.

There is a lot of information appearing about this subject; however, in the larger stack it is only one part of securing the IoT, so it should be used in conjunction with other controls to create an end-to-end secure stack (see IoT Device Security Considerations and Security Layers for the full stack).

To keep this blog post simple I have outlined four main areas in IoT that will use Access Control and Authentication.


Each of these areas can leverage or use their own Access Control and Authentication solution.

The good news is that you don't necessarily need a "new" thing to achieve this; there are a number of good standards and best practices currently available to follow. If, however, you are developing something specialised, these may need to be customised.

Most solutions will employ a central Access Control and Authentication service that can be updated, patched and maintained, rather than a point solution in each device or component, which will require more effort to look after properly.

Examples of a centralised solution are Azure IoT Hub for a cloud solution and Active Directory for an on-premises one. Other solutions are available.

Areas you may consider when looking at Access Control and Authentication include:

Access Control Considerations

  • Access Control Lists
  • Permissions (Add, Change, Delete)
  • Policies

Authentication Considerations

  • LDAP/Active Directory Authentication
  • Certificates
  • Trusted Platform Modules (TPM)
  • Two-Factor Authentication
  • Biometrics
  • Tokens
  • PKI
  • Mobile Authentication
  • Username Policy
  • Password Policy
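To show how the access control items (Access Control Lists, Permissions, Policies) and one of the authentication items (Tokens) fit together in a central service, here is an added example that is not code from the original post, from Azure IoT Hub, or from Active Directory. It uses HMAC-signed short-lived device tokens as a stand-in for the certificate/PKI route, and the device identifiers, resource names, secrets and policy rules are all constructed for the illustration: a request is first authenticated (signature and expiry), then authorised against a default-deny ACL carrying Add, Change and Delete permissions, and finally filtered by policies that the ACL alone cannot express.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample: per-device secrets as a central authentication service
# would hold them (generated fresh here; not real keys).
DEVICE_KEYS = {
    "sensor-01": secrets.token_bytes(32),
    "gateway-07": secrets.token_bytes(32),
}

# Access Control List: resource prefix -> device -> permitted operations.
# Anything not listed is denied (default deny). Hypothetical resources.
ACL = {
    "telemetry/": {"sensor-01": {"Add"}, "gateway-07": {"Add", "Change", "Delete"}},
    "config/": {"gateway-07": {"Change"}},
}

# Policies run after the ACL grants the operation; all must pass. Hypothetical rules.
POLICIES = [
    # Delete is destructive: require a token minted within the last 60 seconds.
    lambda c, a, r, now: a != "Delete" or now - c.get("iat", 0) <= 60,
    # A device may only touch telemetry under its own name, whatever the ACL says.
    lambda c, a, r, now: not r.startswith("telemetry/") or r.split("/")[1] == c["sub"],
]

TOKEN_TTL = 300  # seconds a token stays valid


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(device_id: str, now: Optional[float] = None) -> bytes:
    """Issue a short-lived bearer token: base64(claims) '.' base64(HMAC-SHA256)."""
    now = time.time() if now is None else now
    claims = {"sub": device_id, "iat": int(now), "exp": int(now) + TOKEN_TTL,
              "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(DEVICE_KEYS[device_id], body, hashlib.sha256).digest()
    return body + b"." + _b64(mac)


def verify_token(token: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(b".", 1)
        claims = json.loads(_unb64(body))
        key = DEVICE_KEYS[claims["sub"]]   # unknown device -> KeyError -> reject
        given = _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, given):
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


def authorize(claims: dict, action: str, resource: str, now: float) -> bool:
    """ACL check (longest matching prefix, default deny), then every policy."""
    prefix = max((p for p in ACL if resource.startswith(p)), key=len, default=None)
    if prefix is None or action not in ACL[prefix].get(claims["sub"], set()):
        return False
    return all(policy(claims, action, resource, now) for policy in POLICIES)


def handle_request(token: bytes, action: str, resource: str,
                   now: Optional[float] = None) -> str:
    """Authenticate the bearer token, then authorise the requested operation."""
    now = time.time() if now is None else now
    claims = verify_token(token, now)
    if claims is None:
        return "unauthenticated"
    return "allowed" if authorize(claims, action, resource, now) else "denied"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("gateway-07", now=t0)
    print(handle_request(tok, "Delete", "telemetry/gateway-07/old", now=t0 + 10))
    print(handle_request(tok, "Delete", "telemetry/sensor-01/x", now=t0 + 10))
    print(handle_request(tok, "Delete", "telemetry/gateway-07/old", now=t0 + 120))
    print(handle_request(tok, "Add", "telemetry/gateway-07", now=t0 + TOKEN_TTL))
```

Authentication and authorisation are kept as separate steps on purpose: a token that fails signature or expiry never reaches the ACL, and an ACL grant is still subject to the policies, so the central service can tighten behaviour (freshness for destructive operations, ownership of a topic) without rewriting every ACL entry.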


Further Reading: