What are some good solutions to authentication for IoT devices?

There's nothing wrong in principle with using a certificate (other than it being overly complicated... there's a reason we aren't all using client certificates to authenticate with our email server, Twitter, Facebook, etc.). Just as there is nothing wrong in principle with using a user/password scheme.

Both certificates and user/passwords suffer from the same serious problem: how do you change them on the device? If you don't have a way to change them, all someone has to do is learn the factory default and it's game over. (Even if you provide a way to change them, there is the issue of how to make sure people actually change them, which is a whole other problem.)

IoT devices often do not have a good interface on the device itself that you could use to change a user/password (let alone enter a new certificate!).

You could include Bluetooth in the device, and provide a configuration application that the user runs on their phone. If the device does not otherwise need Bluetooth, that is going to raise the cost a little, and if the device does not otherwise need a mobile app, making people get one just to set the thing up is going to seriously annoy many.

What I would like to see is this:

1. Every IoT device (and every non-IoT device, for that matter, for reasons given below) should have at least one of: (A) a USB port that you can plug a thumb drive into, (B) a USB port that you can use to connect the device to a computer, or (C) some type of SD card port. I think that USB is cheap enough now that it would not cost much to add it.

2. If you plug a FAT or FAT32 formatted thumb drive or SD card into the device, it reads and applies configuration information from a file on the drive or card. There should be a convention established for the naming and location of configuration files so that multiple devices from multiple vendors can all have configuration files on the same drive.

3. If you plug the device into a computer via USB, the device shows up as a FAT or FAT32 formatted drive with its current configuration in files on that drive. You can edit them to change the configuration.

4. When you connect a thumb drive or insert an SD card and there is a "DOCS" directory on it, the device makes a subdirectory in that named after itself, and in that directory writes a copy of its user manual and other documentation. If there is a "LOGS" directory, it should do a similar thing, but with any logs it keeps. If there is an "INFO" directory, do a similar thing but with information about the device, such as model number, serial number, and other such stuff useful to have if you need to contact customer service.

5. This mechanism could also be used to provide firmware updates to the device.

(#4 and #5 are why I want this everywhere, not just IoT.)

Another issue with IoT devices, once you have figured out how to change authentication information, is how to keep that safe. For instance, I'm making a motion-detecting bird camera to take photos of the birds that stop by for the food I leave out. If I want it to use my home wifi to upload photos... it needs my home wifi credentials.

But it will be outside. If someone steals it, they have my credentials! (I'm currently using a Raspberry Pi, so they could just steal the SD card... or if they came prepared they could just borrow it, copy it, and put it back, and I might not even find out about it.)

My current thoughts are to have the thing come up after boot offering its own wifi network. I can connect to that from my computer and start the bird cam software, which can ask for my wifi credentials. It can then stop offering a wifi network and join mine, keeping the credentials only in RAM.

Still vulnerable, but it would then take an attack more sophisticated than simply stealing it, or cloning the SD card.
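As an added example (not code from the post or from any product), here is a device-side sketch of steps 2 and 4 of the proposal above: a handler that runs when a FAT-formatted drive is mounted, applies a configuration file, and populates the "DOCS", "LOGS" and "INFO" directories if they exist. The post asks for a vendor-neutral naming convention but does not define one, so the layout used here (`CONFIG/<vendor>/<model>.json`, a `<vendor>-<model>-<serial>` subdirectory, the `hostname`/`wifi` keys and the `DeviceInfo`/`Device` names) is an assumption made for illustration. The handler rejects unknown keys and malformed passphrases rather than applying whatever is on the drive, keeps the Wi-Fi credential only in memory, and leaves it out of the support information it writes back to the drive.

```python
"""Added example: device-side handler for the removable-media configuration
convention sketched in the post.  Directory layout and key names are
assumptions for illustration, not a published convention."""
import json
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

CONFIG_DIR = "CONFIG"                  # assumed convention, not from the post
ALLOWED_KEYS = {"wifi", "hostname"}    # anything else on the drive is rejected


@dataclass
class DeviceInfo:
    vendor: str
    model: str
    serial: str
    firmware: str
    manual: str                         # text copied into DOCS/<device>/
    logs: List[str] = field(default_factory=list)


class Device:
    def __init__(self, info: DeviceInfo) -> None:
        self.info = info
        self.hostname = info.model
        self._wifi: Optional[Tuple[str, str]] = None   # (ssid, psk), RAM only

    # --- step 2: validate and apply configuration read from the drive ------
    def _apply_config(self, data: dict) -> None:
        unknown = set(data) - ALLOWED_KEYS
        if unknown:
            raise ValueError(f"unknown config keys: {sorted(unknown)}")
        if "hostname" in data:
            host = str(data["hostname"])
            # Only letters, digits and hyphens may reach the system hostname.
            if not host or not host.replace("-", "").isalnum():
                raise ValueError("hostname must be alphanumeric/hyphen")
            self.hostname = host
        if "wifi" in data:
            ssid, psk = str(data["wifi"]["ssid"]), str(data["wifi"]["psk"])
            # WPA2-PSK passphrases are 8..63 printable ASCII characters.
            if not (8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()):
                raise ValueError("invalid WPA2 passphrase")
            self._wifi = (ssid, psk)

    def wifi_ssid(self) -> Optional[str]:
        return self._wifi[0] if self._wifi else None

    # --- step 4: populate DOCS/, LOGS/, INFO/ when the drive has them -------
    def _device_dirname(self) -> str:
        return f"{self.info.vendor}-{self.info.model}-{self.info.serial}"

    def _write_docs(self, d: Path) -> None:
        (d / "manual.txt").write_text(self.info.manual, encoding="utf-8")

    def _write_logs(self, d: Path) -> None:
        (d / "device.log").write_text("\n".join(self.info.logs) + "\n", encoding="utf-8")

    def _write_info(self, d: Path) -> None:
        # Support-relevant fields only; the Wi-Fi credential is never written back.
        info = {"vendor": self.info.vendor, "model": self.info.model,
                "serial": self.info.serial, "firmware": self.info.firmware}
        (d / "info.json").write_text(json.dumps(info, indent=2), encoding="utf-8")

    def handle_media(self, mount: Path) -> dict:
        """Run when a FAT drive/card is mounted; returns a summary of what was done."""
        actions: dict = {}
        cfg = mount / CONFIG_DIR / self.info.vendor / f"{self.info.model}.json"
        if cfg.is_file():
            self._apply_config(json.loads(cfg.read_text(encoding="utf-8")))
            actions["config"] = True
        writers = {"DOCS": self._write_docs, "LOGS": self._write_logs, "INFO": self._write_info}
        for name, writer in writers.items():
            top = mount / name
            if top.is_dir():                      # only act on directories the owner created
                sub = top / self._device_dirname()
                sub.mkdir(exist_ok=True)
                writer(sub)
                actions[name] = sorted(p.name for p in sub.iterdir())
        return actions


def demo() -> dict:
    """Build a constructed sample drive in a temp dir and run the handler over it."""
    info = DeviceInfo("acme", "birdcam", "SN0001", "1.2.3",
                      manual="Point the camera at the feeder.", logs=["boot ok", "motion x2"])
    dev = Device(info)
    with tempfile.TemporaryDirectory() as tmp:
        mount = Path(tmp)
        (mount / CONFIG_DIR / "acme").mkdir(parents=True)
        (mount / CONFIG_DIR / "acme" / "birdcam.json").write_text(json.dumps(
            {"hostname": "birdcam-1", "wifi": {"ssid": "HomeNet", "psk": "correct-horse-battery"}}))
        for d in ("DOCS", "LOGS"):        # INFO deliberately absent: nothing must be written for it
            (mount / d).mkdir()
        actions = dev.handle_media(mount)
        info_dir_created = (mount / "INFO").exists()
    return {"actions": actions, "hostname": dev.hostname, "ssid": dev.wifi_ssid(),
            "info_dir_created": info_dir_created}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the summary for the constructed drive: the config is applied, `DOCS` and `LOGS` get a `acme-birdcam-SN0001` subdirectory each, and no `INFO` directory is created because the drive did not have one. The credential itself never appears in anything written to the drive, which is the point the post raises about a stolen or cloned card.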