Devices must be authenticated before connecting to IoT Platform. Supported methods include device secrets, ID², and X.509 certificates.
Device secret-based authentication
When you create a product, set Authentication Method to Device Secret, then add a device to obtain keys such as ProductSecret and DeviceSecret from IoT Platform. The device uses these keys to authenticate when connecting to IoT Platform.
IoT Platform provides four authentication methods for different environments.
-
Device-specific secret: Each device is programmed with its own device certificate (ProductKey, DeviceName, and DeviceSecret).
-
Product-specific secret with pre-registration: All devices in a product share the same product certificate (ProductKey and ProductSecret). Dynamic registration must be enabled. The device obtains a DeviceSecret through dynamic registration.
-
Product-specific secret without pre-registration: All devices in a product share the same product certificate (ProductKey and ProductSecret). Dynamic registration must be enabled. Instead of a DeviceSecret, the device obtains a ClientID and DeviceToken.
-
Dynamic registration for sub-devices: Sub-devices obtain a DeviceSecret through dynamic registration after the gateway connects.
Choose a method based on your security requirements and production line conditions.
|
Comparison item |
Device-specific secret |
Product-specific secret with pre-registration |
Product-specific secret without pre-registration |
Dynamic registration for sub-devices |
|
Information programmed on the device |
ProductKey, DeviceName, DeviceSecret |
ProductKey, ProductSecret |
ProductKey, ProductSecret |
ProductKey |
|
Is dynamic registration required on the cloud? |
Not required. Supported by default. |
Dynamic registration must be enabled. |
Dynamic registration must be enabled. |
Dynamic registration must be enabled. |
|
Pre-registration required? |
Yes. The DeviceName must be unique under the product. |
Yes. The DeviceName must be unique under the product. |
No. |
Yes. The DeviceName must be unique under the product. |
|
Production line programming requirements |
Program each device with its own certificate. Ensure device certificate security. |
Batch-program devices with the same product certificate. Ensure secure storage of the product certificate. |
Batch-program devices with the same product certificate. Ensure secure storage of the product certificate. |
|
|
Security |
High |
General |
General |
General |
|
Are there quota limits? |
Yes. Quotas apply per product, instance, and Alibaba Cloud account. Limits on device connections. |
Yes. A single gateway can register a maximum of 1,500 sub-devices. |
||
|
Other external dependencies |
None. |
Depends on the security of the gateway. |
||
X.509 certificate-based authentication
X.509, a digital certificate standard from the ITU-T, authenticates communication entities. Currently, X.509 certificate authentication on IoT Platform is available only through the cloud gateway feature of premium Enterprise instances.
ID²-based authentication
Alibaba Cloud IoT Internet Device ID (ID²) provides a trusted, tamper-proof, unforgeable, and globally unique identity for IoT devices.
When you create a product, set Authentication Method to ID². The device then uses ID² identity authentication when it connects to IoT Platform.
ID²-based authentication requires purchasing the ID² service.
ID² certificate-based authentication is supported only for Enterprise instances in the Japan (Tokyo) region.
-
Products that use LoRaWAN as the connection method do not support ID²-based authentication.
Authentication using MQTT signature parameters
Devices connecting through a self-developed MQTT client must authenticate using the signature parameters `username`, `passwd`, and `mqttClientId`, calculated from the device secret. How to calculate MQTT signature parameters.