A device on the bench looks finished. It powers up, it runs, it talks to the cloud. But ask it one question — who are you, and can you prove it — and most hardware falls silent. It has firmware but no self. It is a thing that works, not an identity you can trust.
Identity is not something you add later
A device that ships without a unique identity is a device you will spend the rest of its life guessing about. Fleets need to authenticate each unit, revoke a single compromised one, encrypt traffic per device, and bind a warranty or a subscription to a specific serial. None of that works if every unit is interchangeable. Identity is a birthright, minted once, at the factory, before the device ever sees a network. Retrofitting it in the field means trusting a device you have no reason to trust yet.
Keys are minted on the line, not printed in a spreadsheet
The strongest identity lives in a secure element, a small tamper-resistant chip that generates its own private key and never lets it leave. The key is born inside the silicon and dies inside it. What comes out is only the public half and a certificate signed by your factory CA that binds that public key to the unit's serial. Provisioning on the line is a controlled ceremony, and despite what it is often called it is not key injection, because no key is ever pushed into the part: a provisioning station talks to the secure element, triggers on-chip key generation, reads back the public key and serial, submits them to the factory CA for signing, writes the certificate back to the device, and enrolls the device in your identity backend. The private key is never seen by a human, a log, or a hard drive.
Attestation turns a claim into proof
An identity you cannot verify is a sticker. Attestation is the device proving, cryptographically, that it is the unit it says it is and, where the root of trust also measures the boot chain, that it is running the firmware you signed. On first contact the device presents its certificate and signs a fresh random challenge with the key only it holds; the freshness is what stops a recorded answer from being replayed later. The backend checks the certificate chain up to your CA, checks that the serial is enrolled and not revoked, and verifies the signature against the enrolled public key. Nothing shared, nothing guessable. And this is the rule that quietly saves companies: never ship a shared default secret. One password baked into a hundred thousand units is one leak away from owning the whole fleet. Per-device keys mean a compromise is a compromise of one.
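The exchange described above, written out as an added example in Go. This is illustrative code, not Protocore's or any product's: a factory CA, a device modelled as a secure element that exposes nothing but a signing operation, and a backend that issues single-use nonces and checks chain, enrollment, revocation and signature. The names FactoryCA and Backend, the SN- serial format and the ten-year certificate validity are assumptions. What it proves is possession of the per-device key; attesting which firmware is running would additionally need the root of trust to sign boot measurements, which this example does not model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed example, not Protocore's code; FactoryCA, Backend and the serial format are assumed.
// must panics on errors from crypto/rand-backed key generation and signing, which do not fail in practice.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// FactoryCA issues device certificates on the provisioning line.
type FactoryCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func NewFactoryCA(name string) *FactoryCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &FactoryCA{key: key, cert: must(x509.ParseCertificate(der))}
}

// Provision is the station-side ceremony: on-chip key generation, then the CA binds the serial to that
// public key. It returns the certificate plus a signing oracle, all a secure element exposes; the key never leaves.
func (ca *FactoryCA) Provision(serial string) (certDER []byte, sign func([]byte) []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // "on-chip"
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: serial},
		SerialNumber: big.NewInt(time.Now().UnixNano()), // illustrative; a real CA uses random serials
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature}
	certDER = must(x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key))
	sign = func(challenge []byte) []byte {
		h := sha256.Sum256(challenge)
		return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
	}
	return certDER, sign
}

// Backend is the identity service: trust anchor, enrolled serials, one outstanding nonce per device.
type Backend struct {
	roots    *x509.CertPool
	enrolled map[string]bool
	nonces   map[string][]byte
}

func NewBackend(ca *FactoryCA) *Backend {
	b := &Backend{x509.NewCertPool(), map[string]bool{}, map[string][]byte{}}
	b.roots.AddCert(ca.cert)
	return b
}

func (b *Backend) Enroll(serial string) { b.enrolled[serial] = true }
func (b *Backend) Revoke(serial string) { delete(b.enrolled, serial) } // targeted recall of one unit

// Challenge issues a fresh random nonce; signing it proves key possession now, not at some recorded past.
func (b *Backend) Challenge(serial string) []byte {
	n := make([]byte, 32)
	must(rand.Read(n))
	b.nonces[serial] = n
	return n
}

// Verify checks chain, enrollment and that the signature covers the nonce issued to this serial.
func (b *Backend) Verify(serial string, certDER, sig []byte) error {
	nonce, ok := b.nonces[serial]
	delete(b.nonces, serial) // single use, whether or not verification succeeds
	cert, err := x509.ParseCertificate(certDER)
	if !ok || err != nil {
		return errors.New("no outstanding challenge, or unparseable certificate")
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: b.roots}); err != nil {
		return fmt.Errorf("untrusted chain: %w", err)
	}
	if cert.Subject.CommonName != serial || !b.enrolled[serial] {
		return errors.New("serial not enrolled (or revoked), or not this certificate's subject")
	}
	pub, isEC := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !isEC || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}
```

The nonce is deleted before any check runs, so a captured signature cannot be presented twice and an answer to an older challenge fails against the current one. The serial is checked against the certificate's subject, so a genuine certificate cannot be replayed under another unit's identity, and a certificate minted by a second, cloned CA fails the chain check before anything else is consulted. Revocation is a single map deletion, which is exactly the granularity a targeted recall needs.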
When the factory is not fully trusted
You rarely own the line. It belongs to a contract manufacturer, in another country, staffed by people you will never meet. So design as if the factory is curious and occasionally hostile. The secure element generates keys itself, so the manufacturer never handles a private key. The provisioning station authenticates to your backend, so a cloned station cannot enroll ghost devices. You cap how many identities a line can mint, enforced at enrollment time rather than discovered afterwards, and you reconcile enrolled serials against units actually shipped: a serial that was enrolled but never shipped is a smuggled batch or a cloned station, and a shipped unit that was never enrolled will fail attestation on first contact. Trust becomes measurable instead of assumed.
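The reconciliation described above, as an added example in Go; this is not Protocore's code, and the Enrollment record layout, the station names and the per-station quota model are assumptions. It takes the backend's enrollment log, the shipping manifest and each station's allowance, and reports the four things worth a question to the factory: serials enrolled but never shipped, units shipped but never enrolled, serials enrolled more than once, and stations that minted beyond their quota. A station with no quota entry is treated as allowed zero, so an unknown or cloned station surfaces whole rather than hiding inside a legitimate line's count.

```go
package main

import "sort"

// Constructed example, not Protocore's code; the record layout and quota model are assumed.

// Enrollment is one record the identity backend keeps per minted identity.
type Enrollment struct {
	Station string // provisioning station that authenticated to enroll this unit
	Serial  string
}

// Report is the morning reconciliation: every entry is a question for the factory.
type Report struct {
	Ghosts        []string       // enrolled but never shipped: overrun or cloned station
	Unprovisioned []string       // shipped but never enrolled: will fail attestation
	Duplicates    []string       // serial enrolled more than once
	OverQuota     map[string]int // station -> identities minted beyond its allowance
}

// Reconcile compares the enrollment log against the shipping manifest and each
// station's quota. A station absent from quota has an allowance of zero, so an
// unknown (cloned) station shows up as entirely over quota.
func Reconcile(enrolled []Enrollment, shipped []string, quota map[string]int) Report {
	count := map[string]int{}      // serial -> times enrolled
	perStation := map[string]int{} // station -> identities minted
	for _, e := range enrolled {
		count[e.Serial]++
		perStation[e.Station]++
	}
	shippedSet := map[string]bool{}
	for _, s := range shipped {
		shippedSet[s] = true
	}
	r := Report{OverQuota: map[string]int{}}
	for serial, n := range count {
		if !shippedSet[serial] {
			r.Ghosts = append(r.Ghosts, serial)
		}
		if n > 1 {
			r.Duplicates = append(r.Duplicates, serial)
		}
	}
	for serial := range shippedSet {
		if count[serial] == 0 {
			r.Unprovisioned = append(r.Unprovisioned, serial)
		}
	}
	for station, n := range perStation {
		if n > quota[station] {
			r.OverQuota[station] = n - quota[station]
		}
	}
	// map iteration order is random; sort so the report is stable day to day
	sort.Strings(r.Ghosts)
	sort.Strings(r.Unprovisioned)
	sort.Strings(r.Duplicates)
	return r
}

// Clean reports true when nothing needs a human's attention.
func (r Report) Clean() bool {
	return len(r.Ghosts)+len(r.Unprovisioned)+len(r.Duplicates)+len(r.OverQuota) == 0
}
```

Duplicates are counted against the station's quota as well, since a serial enrolled twice is two identities minted, and a re-used serial is its own signal whether or not the unit shipped.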
A device you cannot identify is a device you cannot trust, recall, or protect.
— Protocore · Firmware engineering
On one connected-hardware program we built the provisioning path first — secure element, on-chip keys, an enrollment service, and a reconciliation report the customer read every morning — before a single feature shipped. When a later firmware bug forced a targeted recall, they revoked exactly the affected units and left the rest running. That is the whole point. Identity minted correctly at the factory is not paperwork; it is the difference between operating a fleet and merely hoping about it.
Have a system to build?
Tell us the problem. We'll come back with an architecture and a plan.