Best Practices & Common Pitfalls

Best Practices Checklist

• Use hardware-protected keys whenever possible.
• Prefer mTLS or DTLS for device-to-cloud authentication.
• Enforce certificate rotation every 3–12 months.
• Implement secure boot with verified firmware signatures.
• Store private keys in SE/TPM, not flash memory.
• Use unique per-device certificates (never shared keys).
• Automate certificate issuance and renewal using PKI.

Pitfalls to Avoid

• Shipping devices with factory default credentials.
• Using single pre-shared keys for an entire fleet.
• Hardcoding secrets in firmware repositories.
• Failing to plan for offline provisioning.
• Ignoring how to revoke certificates after compromise.

Performance, Cost & Security Considerations

Performance

• mTLS handshake is computationally expensive; requires tuning.
• Constrained devices may need session resumption or DTLS.
• Hardware accelerators improve crypto performance by 3–10×.

Cost

• Secure Element: ~$0.40–$1.50
• TPM: ~$3–$7
• PKI management: depends on automation/tooling
• Cloud authentication is typically per-device or per-call

Security

• Hardware RoT yields strongest protection.
• Software-only keys are only safe for low-risk deployments.
• Certificate pinning prevents attacker-in-the-middle.

Real-World Use Cases & Mini Case Study

1. Smart Metering (Utility Sector)

Utilities use PKI and secure boot to ensure:

• Each meter is authenticated
• Firmware updates are verified
• Billing data cannot be spoofed

2. Industrial IoT Sensors

Devices must support:

• Hardware-based identity
• Signed telemetry
• Mutual TLS
• Machine-level certificate rotation
  This prevents rogue devices from injecting false readings.

3. Consumer Smart Home

A major weakness in early IoT was weak identity:

• Shared keys
• Hardcoded credentials

Modern systems use:

• QR-based identity bootstrapping
• On-device certificates
• Secure mobile-app-assisted onboarding

Mini Case Study: Manufacturing Fleet of 100,000 Devices

A robotics manufacturer deployed:

• Secure Element (ATECC608A) for device IDs
• PKI-based provisioning during manufacturing
• Automated certificate rotation via cloud
• mTLS authentication to AWS IoT

Outcome:
Attack surface reduced dramatically—prevented device spoofing, unauthorized firmware updates, and unauthorized cloud access.

‍

FAQs

1. How do IoT devices authenticate?

Typically using certificates, cryptographic keys, and protocols like mTLS, DTLS, or COSE-based signing.

2. Why is identity important in IoT?

It prevents spoofing, unauthorized access, rogue devices, and data tampering.

3. What is PKI in IoT?

A Public Key Infrastructure issues and manages certificates that verify device identity.

4. What is the difference between device identity and user identity?

Device identity authenticates machines; user identity authenticates people.

5. How does secure onboarding work?

A device presents its unique certificate or key to prove authenticity during first connection.

6. What is hardware root of trust?

A dedicated chip that stores keys in tamper-resistant hardware.

7. What is mutual TLS in IoT?

Both the device and the server present certificates to authenticate each other.

8. How do you store cryptographic keys on IoT devices?

Ideally inside a secure element, TPM, or trusted execution environment.

9. What are common IoT authentication protocols?

mTLS, DTLS, SAS Token (Azure), AWS SigV4, COSE/CBOR signatures.

10. How do you rotate IoT device keys?

Through cloud-triggered certificate renewal, secure bootloader updates, or manufacturing-linked PKI workflows.

‍