Device Authentication
To connect to a project, a device must authenticate with all three of the following factors:
- A valid deployment token for the project.
- A device certificate via mTLS which has been marked as accepted.
- A correct device fingerprint.
Deployment tokens can be programmed into device images and are not considered secret as an attacker may extract them from devices or updates. They may be shared between devices and are merely a first line of defense against attackers.
Upon provisioning, a device locally generates a private key and a self-signed certificate for mutual TLS (mTLS). This private key together with the certificate is the primary means of authentication and is used to establish a trusted end-to-end connection between Nexigon Agent and Nexigon Hub. The private key should never leave the device; if it is nevertheless extracted, an attacker can at worst impersonate the single device from which the key was extracted.
We are working on support for trusted platform modules (TPMs) to securely store the private key.
In addition, each device is required to have a fingerprint that is unique within the project. This fingerprint is used to track the identity of a device, even when certificates and deployment tokens change or are rotated over time. Only a part of the fingerprint is stored in Nexigon; the full fingerprint is used as an additional authentication factor. A typical fingerprint might be based on a serial number programmed into one-time-programmable (OTP) memory of a device or some other hardware-specific ID. Another good option is to derive the fingerprint with a secure key derivation function from a per-device secret, e.g., one fused into OTP memory.
Deployment Tokens
Deployment tokens allow devices to connect to a specific project. They have the following form:
deployment_rKg4phta76ec5JBMmZFF2ja1M5xbar9WUPgD2t7KiwYdQUakxzcrKdpNkDAUgfE4VL
Deployment tokens can be generated through Nexigon's UI at Project → Tokens → Deployment Tokens.
Deployment tokens come with flags that allow for fine-grained control over specific behaviors:
- Auto Accept: If enabled, the first certificate presented by a new device is accepted automatically.
For maximal security, we recommend using one deployment token (with the Auto Accept flag enabled) for seamless provisioning and a different one (without it) for normal operation. This way, an attacker who extracts the operational token cannot inject new devices into a project.
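The following is an added example, not Nexigon's own code, illustrating two points from this page together: deriving a per-project fingerprint from a per-device secret with a key derivation function (here RFC 5869 HKDF over HMAC-SHA256, implemented with the standard library), and a hub that checks all three factors while retaining only a partial value of the fingerprint. Everything about the hub side is an assumption made for illustration: the `Hub` class, the `PART_LEN` truncated-digest scheme standing in for "only a part of the fingerprint is stored", the `auto_accept` flag representation, and all token, certificate and secret values are constructed.

```python
"""Added example, not Nexigon's own code: derive a per-project device fingerprint
from a per-device secret with HKDF, and model a hub that checks all three factors
while storing only a partial value of the fingerprint. Names, sizes and sample
values are constructed for illustration."""
import hashlib
import hmac

PART_LEN = 16  # bytes of the fingerprint digest the hub retains (constructed choice)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) over HMAC-SHA256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_fingerprint(device_secret: bytes, project_id: str) -> bytes:
    """Device side. The project id is the salt, so one OTP-fused secret yields an
    unrelated fingerprint in every project; the secret itself never leaves the device."""
    return hkdf_sha256(device_secret, salt=project_id.encode(), info=b"device-fingerprint")


def fingerprint_part(fingerprint: bytes) -> bytes:
    """What the hub stores: a truncated digest rather than the full fingerprint
    (one way to realise 'only a part is stored'; an assumption, not Nexigon's format)."""
    return hashlib.sha256(fingerprint).digest()[:PART_LEN]


class Hub:
    """Hub side (assumed model): deployment token, accepted mTLS certificate and
    fingerprint must all match before a connection is accepted."""

    def __init__(self, tokens: dict):
        # token -> {"auto_accept": bool}; tokens only select the project and are not secrets
        self._tokens = tokens
        self._devices = {}  # stored fingerprint part -> {"accepted": set(), "pending": set()}

    def _lookup(self, fingerprint: bytes):
        presented = fingerprint_part(fingerprint)
        for stored, record in self._devices.items():
            if hmac.compare_digest(stored, presented):  # constant-time compare per entry
                return record
        return None

    def accept_certificate(self, fingerprint: bytes, cert_id: str) -> None:
        """Operator action: mark a pending certificate of a known device as accepted."""
        record = self._lookup(fingerprint)
        if record is None:
            raise KeyError("unknown device fingerprint")
        record["pending"].discard(cert_id)
        record["accepted"].add(cert_id)

    def connect(self, token: str, cert_id: str, fingerprint: bytes) -> str:
        """Returns 'accepted', 'pending' (certificate awaits acceptance) or 'rejected'."""
        flags = self._tokens.get(token)
        if flags is None:
            return "rejected"            # factor 1: unknown deployment token
        record = self._lookup(fingerprint)
        if record is None:               # first contact: register only the fingerprint part
            record = {"accepted": set(), "pending": set()}
            self._devices[fingerprint_part(fingerprint)] = record
            if flags["auto_accept"]:     # provisioning token: first certificate accepted automatically
                record["accepted"].add(cert_id)
        if cert_id in record["accepted"]:
            return "accepted"            # factors 2 and 3 satisfied
        record["pending"].add(cert_id)   # known fingerprint, certificate not (yet) accepted
        return "pending"


if __name__ == "__main__":
    hub = Hub({"deployment_PROVISIONING_EXAMPLE": {"auto_accept": True},
               "deployment_OPERATIONS_EXAMPLE": {"auto_accept": False}})
    secret = bytes(range(32))  # stands in for a per-device secret fused into OTP memory (constructed)
    fp = derive_fingerprint(secret, "project-a")
    print(hub.connect("deployment_PROVISIONING_EXAMPLE", "cert-1", fp))  # accepted via Auto Accept
    print(hub.connect("deployment_OPERATIONS_EXAMPLE", "cert-1", fp))    # identity survives token change
    print(hub.connect("deployment_OPERATIONS_EXAMPLE", "cert-2", fp))    # rotated cert is pending
    hub.accept_certificate(fp, "cert-2")
    print(hub.connect("deployment_OPERATIONS_EXAMPLE", "cert-2", fp))    # accepted after operator action
```

The scenario at the bottom shows why the page recommends separate tokens: with the operational token (no Auto Accept), a fingerprint the hub has never seen is registered with its certificate pending rather than accepted, so a leaked operational token alone does not let a new device into the project, while a rotated certificate on a known device keeps its identity and simply waits for acceptance.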