Identity of Things: verifiable credentials are safer for IoT systems

You didn’t hear it here first, because LinkedIn, but the folks at Athens and Aalto universities were recognized for their “Capabilities-based access control for IoT devices using Verifiable Credentials” paper.

Abstract — Capabilities-based access control is a promising paradigm that can handle the particularities of IoT systems.

Nevertheless, existing systems are not interoperable and they have limitations, such as lack of proof of possession, inefficient revocation mechanisms, and reliance on trusted third parties.

In this paper we overcome these limitations by designing and implementing a system that leverages Verifiable Credentials (VCs) to encode the access rights. Our solution specifies protocols for requesting and using VCs that can be mapped to OAuth 2.0, includes an efficient and privacy preserving proof of possession mechanism, and it supports revocation. We implement and evaluate our solution and we show that it can be directly used even by constrained devices.

WiderPoV: The context for this is interesting.

  • First, we have some very IoT-specific challenges, like teaching devices which humans to trust and fitting more complex auth into a device’s tiny footprint.
  • And then you have interop challenges, like helping a cloud service manage diverse device fleets.
  • While Verifiable Credentials can do much more than access control, for many industries, IoT interop and access control seem to be the gateway drug.
