Billions of IoT Devices Need Authentication Without Keys

by Nick Clark | Published March 27, 2026

The IoT industry deploys billions of devices with authentication models designed for servers in data centers. Certificates require rotation infrastructure that most devices cannot support. Pre-shared keys require secure provisioning that does not scale. Hardware security modules add cost that commodity sensors cannot absorb. The regulatory regimes that have caught up with this reality — the EU Cyber Resilience Act, the Cyber Trust Mark in the United States, NIST IoT-device baselines, and the Radio Equipment Directive's delegated cybersecurity acts — now require properties that stored-credential models cannot deliver at fleet scale. The AQ keyless-identity primitive disclosed in USPTO provisional 64/050,895 supplies authentication through behavioral continuity that satisfies those regimes without the key management that makes them otherwise unimplementable.


1. Regulatory and Compliance Framework

The regulatory baseline for IoT authentication has hardened across three converging regimes since 2022. The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on December 10, 2024, with its main obligations applying from December 11, 2027 (the Article 14 reporting obligations from September 11, 2026), and imposes essential cybersecurity requirements on every "product with digital elements" placed on the Union market. Annex I, Part I, point (2)(d) requires products to "ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems"; point (2)(e) requires them to "protect the confidentiality of stored, transmitted or otherwise processed data"; point (2)(f) requires them to "protect the integrity of stored, transmitted or otherwise processed data … against any manipulation or modification not authorised by the user"; and point (2)(j) requires them to "be designed, developed and produced to limit attack surfaces, including external interfaces." Annex I, Part II sets the vulnerability-handling requirements, including provision of security updates throughout the support period, which Article 13(8) fixes at a minimum of five years unless the product is expected to be in use for a shorter time. The CRA presupposes a manufacturer-controlled credential lifecycle that, for commodity sensors shipping in millions, is operationally impossible at the unit economics that make those products viable.

In parallel, the EU Radio Equipment Directive Delegated Regulation (EU) 2022/30, applicable from August 1, 2025, activates Articles 3(3)(d), (e), and (f) of the RED for radio equipment that communicates over the internet, processes personal data, or has features specific to children, requiring network protection, personal-data protection, and fraud prevention as essential requirements, with EN 18031-1, EN 18031-2, and EN 18031-3 as the harmonised standards. In the United States, the FCC's voluntary Cyber Trust Mark labeling program (FCC 24-26, adopted March 2024) references the NIST IR 8425 consumer-product profile, which is itself derived from the NIST IR 8259A device cybersecurity capability core baseline; SP 800-213A profiles the same baseline for federal use. NIST IR 8259A enumerates six device capabilities: device identification (DI-1: a logical identifier; DI-2: a physical identifier, each able to uniquely identify the device), device configuration, data protection, logical access to interfaces, software update, and cybersecurity state awareness, with cryptographic key and credential management explicitly in scope under data protection and logical access.

NIST SP 800-213A's federal-profile capabilities extend the baseline with explicit identifier-management requirements and refer to the SP 800-63 digital-identity guidelines (now in revision 4) for assurance levels. The UK Product Security and Telecommunications Infrastructure Act 2022 (PSTI), whose regime came into force on April 29, 2024, prohibits universal default passwords and mandates security-update transparency. Singapore CSA's Cybersecurity Labelling Scheme, Japan METI's IoT Security Guidelines, and Australia's voluntary Code of Practice converge on the same evidentiary expectations: each device must have a unique, manageable identity whose authentication can be independently verified, whose lifecycle the manufacturer can attest to, and whose compromise can be detected and contained. Compounding the architectural challenge, the post-quantum migration described in NIST SP 1800-38, and the stateful hash-based signatures of SP 800-208 that many firmware-signing roadmaps adopt, require a cryptographic agility that most fielded IoT devices cannot achieve through firmware updates alone.

2. Architectural Requirement

The architectural shape implied by this convergence is not a bigger PKI or a smaller TLS; it is a substrate in which every device's authentication is a credentialed observation traversing a closed chain of five properties. First, every authentication event must arrive as an authority-credentialed observation, and the credential must be derivable from the device's own operational behavior rather than from a stored secret, because constrained devices cannot maintain stored secrets across a five-to-fifteen-year deployment lifetime. Second, evidential weighting must compose continuity (how long this device's behavioral signature has held), corroboration (whether peer devices and gateways observe it consistently), context (whether the operating context matches the device's policy), and authority class (which trust zone). Third, admissibility must be graduated rather than binary admit/reject: a device with low continuity operates in a restricted scope, a device with deep continuity earns broader access, and a device whose continuity diverges is challenged or quarantined. Fourth, every authentication outcome must be a governed actuation distinguishing intent (the device's claim of identity) from execution (the privilege granted), with reversibility for compromised devices. Fifth, the lineage must be a chain of credentialed observations, supporting CRA Annex I Part II vulnerability handling and Article 14 reporting, RED EN 18031 conformity assessment, and NIST IR 8425 cybersecurity-state-awareness reporting from a single substrate.

3. Why Procedural Compliance Fails

The dominant procedural posture is to retrofit conventional PKI onto IoT: factory-provisioned X.509 certificates, EST/SCEP enrollment for renewal, hardware-rooted keys via a TPM or secure element, OCSP or CRL revocation. This posture has failed at scale, and the failures are documented. Mirai (2016) and its derivatives propagated through devices with hard-coded default credentials that no rotation policy ever reached; Reaper (2017) spread instead through publicly known, unpatched vulnerabilities in device firmware, which no credential policy addresses at all. Verkada's 2021 breach exposed roughly 150,000 cameras through a single super-administrator credential, found exposed on the internet, that was valid across the customer base. Ubiquiti's 2021 incident turned on cloud administrator credentials abused by an insider, a control plane the fielded devices could neither see nor enforce. Each demonstrates that the operational gap between PKI's design assumptions and IoT's deployment reality is not closeable by tightening procedure.

The economic constraint is unforgiving. A commodity environmental sensor at a $30 BOM cannot absorb a $4 secure element; a soil moisture probe operating on a 5-year battery cannot afford the wakeup cost of TLS 1.3 handshakes; a pressure transducer on a remote pipeline cannot rely on the connectivity that EST renewal presupposes. Lightweight protocols (DTLS, EDHOC from the IETF LAKE working group, OSCORE) reduce per-handshake cost but preserve the architectural dependency on a stored secret whose lifecycle the device cannot manage. Manufacturer-anchored attestation schemes (FIDO Device Onboard, IEEE 802.1AR DevID, Arm PSA) move the credential into hardware roots of trust but transfer the lifecycle problem to the manufacturer, who in practice cannot maintain per-device key material across five-to-fifteen-year support obligations. Post-quantum migration compounds the problem: the stateful hash-based signatures of SP 800-208 require the signer never to reuse a one-time key, so any device that signs with them must keep that state intact across resets, power loss and image restore, and the larger signatures land on the same memory and radio budget. CRA Annex I point (2)(j) attack-surface limitation is in tension with the enrollment interfaces and always-reachable renewal and revocation endpoints that EST and OCSP presuppose. Procedural compliance therefore produces a CRA conformity declaration whose underlying assumptions the deployment will violate within the support window.

4. What the AQ Primitive Provides

The AQ keyless-identity primitive (USPTO provisional 64/050,895) realizes authentication as the closed five-property chain over a behavioral-continuity construction. Property one — authority-credentialed observation — is satisfied by a per-event hash derived from locally available entropy at the device (sensor readings, timing jitter, environmental conditions, internal state, peer-observed signals), signed by an ephemeral key derived from the device's continuity history rather than from persistent storage. Property two — evidential weighting — composes the device's trust slope (the cryptographically chained trajectory of authenticated interactions, which deepens monotonically with operational history and becomes computationally expensive to forge), corroborating observations from gateways and peer devices, the device's certified operating profile, and the operational context of the requesting transaction. Property three — composite admissibility — emits a graduated outcome from a defined mode set: admitted to full scope, admitted to restricted scope pending continuity deepening, admitted with elevated monitoring, deferred for corroboration, or refused with reason. Property four — governed actuator execution — produces the privilege grant with reversibility evaluation (a trust-slope divergence detected post-grant triggers structural revocation), harm minimization, and post-actuation verification. Property five — lineage-recorded provenance — records every authentication event, weighting, decision, and outcome as a credentialed observation in append-only memory, supporting cybersecurity-state-awareness reporting under NIST IR 8425, vulnerability-handling evidence under CRA Annex I Part II, and the reporting obligations of CRA Article 14.

The construction has three concrete properties that stored-credential models do not. There is no persistent secret to extract, so device-physical compromise does not yield a forgeable credential. There is no certificate authority to compromise, so a fleet-wide forgery requires reconstructing the entire fleet's continuity history. There is no rotation schedule to enforce, so the operational dependency on connectivity for renewal disappears; a device that goes offline and reconnects re-establishes identity by demonstrating continuity with its previous trust slope, with the dormancy period evaluated as part of property-three admissibility. What the device must preserve is its running continuity state: a reset or restore that loses it leaves the device unable to demonstrate continuity, so it re-enters at low trust exactly as a new unit would, and fleet operators need a planned recovery path for that case. The construction is post-quantum-native because it depends on hash-chained continuity rather than on asymmetric secrets vulnerable to Shor's algorithm, meeting the migration intent of SP 1800-38 without putting SP 800-208 stateful-signature state management on the device.
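As an added illustration of the five-property chain laid out in section 2 and the continuity construction described in this section, the following Python is an editor-written toy; it is not the AQ primitive and not code from USPTO provisional 64/050,895. It assumes a hash-chained ledger whose per-event authenticator is an HMAC keyed by the device's running chain head (the "ephemeral key derived from continuity history" of property one), assumed threshold values for the graduated modes, and the editor's own names `Device`, `Ledger`, `admit`, `release` and `demo`. The timestamps and sensor readings in `demo()` are constructed.

```python
"""Toy continuity ledger with graduated admissibility (editor's illustration;
not the AQ primitive and not derived from USPTO provisional 64/050,895).
Thresholds, mode names and the HMAC-keyed-by-chain-head tag are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GENESIS = b"\x00" * 32  # assumed anchor for a device that has never authenticated

# Graduated outcomes, mirroring the mode set the text describes.
FULL, RESTRICTED, MONITORED = "admitted_full", "admitted_restricted", "admitted_monitored"
DEFERRED, REFUSED = "deferred_for_corroboration", "refused"

# Policy knobs (assumed values; a real fleet would tune them per device class).
DEPTH_FOR_FULL = 5          # unbroken events before the device earns full scope
MIN_CORROBORATION = 0.5     # fraction of events a peer or gateway also witnessed
MAX_DORMANCY_S = 7 * 86400  # silence longer than this is re-admitted under monitoring


def canonical(observation: dict) -> bytes:
    """Deterministic encoding so device and verifier hash identical bytes."""
    return json.dumps(observation, sort_keys=True, separators=(",", ":")).encode()


def event_tag(prev_head: bytes, observation: dict) -> bytes:
    """Per-event authenticator keyed by the current chain head: the key comes
    from the device's own history and changes on every event."""
    return hmac.new(prev_head, canonical(observation), hashlib.sha256).digest()


def next_head(prev_head: bytes, observation: dict) -> bytes:
    """Advance the chain: H(prev_head || canonical(observation))."""
    return hashlib.sha256(prev_head + canonical(observation)).digest()


@dataclass
class Device:
    """Device side: keeps only its running chain head, no long-lived key."""
    head: bytes = GENESIS

    def authenticate(self, observation: dict) -> Tuple[dict, bytes]:
        tag = event_tag(self.head, observation)
        self.head = next_head(self.head, observation)
        return observation, tag


@dataclass
class Ledger:
    """Verifier side: append-only lineage for one device (property five)."""
    head: bytes = GENESIS
    depth: int = 0
    witnessed: int = 0
    last_ts: Optional[int] = None
    quarantined: bool = False
    lineage: List[dict] = field(default_factory=list)

    def admit(self, observation: dict, tag: bytes, peer_witnesses: int, expected_zone: str) -> str:
        # Continuity: only a holder of the same history can produce this tag.
        if not hmac.compare_digest(tag, event_tag(self.head, observation)):
            self.quarantined = True  # divergence seen: challenge everything from now on
            return self._record(observation, REFUSED, "continuity_divergence")
        dormant = self.last_ts is not None and observation["ts"] - self.last_ts > MAX_DORMANCY_S
        self.head = next_head(self.head, observation)
        self.depth += 1
        self.witnessed += 1 if peer_witnesses > 0 else 0
        self.last_ts = observation["ts"]
        # Context (property two): the claim must match the device's certified profile.
        if observation.get("zone") != expected_zone:
            return self._record(observation, REFUSED, "context_mismatch")
        return self._record(observation, self._mode(dormant), "")

    def release(self) -> None:
        """Operator action that reverses a quarantine (property four reversibility)."""
        self.quarantined = False

    def _mode(self, dormant: bool) -> str:
        if self.depth < DEPTH_FOR_FULL:
            return RESTRICTED
        if self.witnessed / self.depth < MIN_CORROBORATION:
            return DEFERRED
        if self.quarantined or dormant:
            return MONITORED
        return FULL

    def _record(self, observation: dict, mode: str, reason: str) -> str:
        self.lineage.append({"head": self.head.hex(), "obs": observation, "mode": mode, "reason": reason})
        return mode


def demo() -> List[str]:
    """Power-on, steady operation, a ten-day silence, a clone, then the genuine device again."""
    dev, ledger, modes = Device(), Ledger(), []
    t0 = 1_700_000_000  # constructed timestamps
    for i in range(6):
        obs, tag = dev.authenticate({"ts": t0 + 60 * i, "zone": "plant-a", "temp_c": 21 + i})
        modes.append(ledger.admit(obs, tag, peer_witnesses=1, expected_zone="plant-a"))
    obs, tag = dev.authenticate({"ts": t0 + 10 * 86400, "zone": "plant-a", "temp_c": 19})
    modes.append(ledger.admit(obs, tag, peer_witnesses=1, expected_zone="plant-a"))
    # A clone with the same firmware but without the running head cannot continue the chain.
    clone = Device()
    obs, tag = clone.authenticate({"ts": t0 + 10 * 86400 + 60, "zone": "plant-a", "temp_c": 19})
    modes.append(ledger.admit(obs, tag, peer_witnesses=0, expected_zone="plant-a"))
    # The genuine device still proves continuity, but is now held at monitored scope.
    obs, tag = dev.authenticate({"ts": t0 + 10 * 86400 + 120, "zone": "plant-a", "temp_c": 19})
    modes.append(ledger.admit(obs, tag, peer_witnesses=1, expected_zone="plant-a"))
    return modes


if __name__ == "__main__":
    print("\n".join(demo()))
```

The clone in `demo()` shares the firmware and the observation schema but not the running head, so its tag fails and the ledger enters quarantine; the genuine device keeps proving continuity but is held at monitored scope until an operator calls `release()`. Quarantining rather than locking out on divergence is a deliberate choice: a stray forged tag must not become a denial of service against the legitimate unit. The verifier-held head is the anchor of the whole scheme, which is why the ledger, not the device, is the component that must never lose state.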

5. Compliance Mapping

The mapping to the regimes of section one is direct. CRA Annex I point (2)(d) protection from unauthorised access is met by the authentication itself. Point (2)(e) confidentiality of stored data has no credential component left to protect, though the requirement still covers the device's own operational data. Point (2)(f) integrity of processed data is met with property-five lineage as the integrity substrate. Point (2)(j) attack-surface limitation is served because no enrollment interface has to be exposed and no renewal or revocation endpoint has to stay reachable. Annex I Part II vulnerability handling maps to property-four reversibility: a CVE-disclosed compromise pattern becomes a property-three admissibility input that quarantines affected devices structurally. RED Article 3(3)(d) network protection, activated by Delegated Regulation (EU) 2022/30, is served by trust-slope continuity; the EN 18031-1 access-control requirements map to property-three graduated admissibility. NIST IR 8259A DI-1 logical-identifier and DI-2 physical-identifier requirements are met by the device's continuity signature, which is both logical (the chain) and physically rooted (in local entropy unique to that unit). The NIST IR 8425 cybersecurity-state-awareness baseline is met by property-five lineage as the primary state record. SP 800-213A federal-profile capabilities gain an evidentiary substrate; the SP 800-63-4 authenticator assurance levels are defined for human subscribers, and AAL3 requires a hardware-based authenticator, so the correspondence to device authentication is by analogy rather than a claim of AAL conformance. The UK PSTI universal-default-password prohibition is met trivially, since there is no password at all. The chain belongs to the operator's authority taxonomy, so fleet portability across manufacturer changes, regulatory-jurisdiction transitions, and post-quantum migration is structural rather than ceremonial.

6. Adoption Pathway

Adoption follows three deployment patterns that compose. Pattern one is greenfield deployment: new IoT product lines ship without provisioned credentials and begin building trust slopes from first power-on. Initial trust is low and the device operates in a restricted scope; as the trust slope deepens through consistent authenticated interactions, scope broadens automatically. There is no provisioning bottleneck, no credential database to maintain, no rotation schedule, no bulk revocation mechanism — a compromised batch is detected by trust-slope divergence rather than by a vendor advisory. Pattern two is brownfield overlay: existing certificate-based deployments retain their PKI as a property-one authority class, but the certificate becomes one weighted observation among many in property-two evaluation rather than a binary precondition. The trust slope accumulates alongside the certificate; when the certificate expires or its CA is compromised, authentication continues uninterrupted under continuity. Pattern three is gateway-mediated retrofit: profoundly constrained devices that cannot run the on-device construction are paired with a local gateway that observes their behavior and accumulates the trust slope on their behalf, satisfying CRA conformity for the device-plus-gateway product unit.

Commercial drivers are concentrated in three segments. Operators of large industrial-IoT fleets — utilities, oil and gas, manufacturing, smart cities — face CRA conformity obligations against a fielded base whose PKI rotation has demonstrably failed; keyless identity provides a path to conformity without firmware-update campaigns the devices cannot reliably accept. Connected-vehicle and medical-device manufacturers face SBOM and vulnerability-handling obligations under CRA, FDA premarket cybersecurity guidance, and UN R155 that presuppose lifecycle credential management at scales that secure-element economics cannot bear. Smart-meter and grid-edge operators face quantum-migration timelines under NIST and ETSI roadmaps that fielded crypto cannot meet through software update alone. In each segment, the AQ primitive offers a substrate that satisfies the regulatory regime, scales to the deployment economics, survives the post-quantum transition without re-keying, and yields a forensic record that defends against the inevitable post-incident inquiry. The honest framing is that keyless identity does not replace PKI where PKI works; it replaces PKI where PKI was always a category error — at the scale, cost, and lifetime where IoT actually operates.

Invented by Nick Clark. Founding investors: Anonymous, Devin Wilkie.