I am working on a project where I have a sensor connected to a WiFi module. Whenever the sensor is triggered, it will send a message to the cloud via MQTT. Eventually I will have tens of thousands of these devices deployed everywhere. These sensors will rarely be triggered, maybe only once a week randomly.

What is the best method for provisioning these devices? Assuming I have 10K users each with 1 sensor. Do I need to set up 10K MQTT user accounts or just 1 account and have 10K topics? I will want to be able to know which device has been triggered and also send back information to the device.

Users will use a mobile app to set up the IoT device. From the app, they can set the WiFi SSID and password for the IoT device to connect to their home WiFi. I presume users will also need to register for an account with our platform, after which an MQTT server address, port number, user id and password will be created for them on the app and forwarded to the IoT device for connecting to the MQTT server.

How can this process of creating MQTT accounts be automated? Is there a way to do this on any of the Cloud IoT services out there (e.g. AWS, Google Cloud, Microsoft Azure, IBM, etc.)?

Kian

1 Answer

The cloud IoT providers all tend to use per-device certificates to identify each device individually.

You have 2 choices here:

  1. You flash the certificate to the device at manufacturing time.
  2. You use the platform's HTTP interfaces to provision the certificate to the device at the point it is connected to the WiFi and registered to a user.

Both of these approaches work well, but the first means you need to flash a unique image to each device, which can add overhead to the manufacturing.

A certificate per device means you can revoke that certificate should it become compromised.

One downside of using certificates is that the hardware you choose probably needs to support a secure element to store the private key in so it cannot be easily compromised, which may add cost.

The devices should publish to topics based on either the CN of the certificate or the serial number, and you can then associate that with the user's account.

hardillb
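As an added example (not code from the answer or from any cloud provider's SDK), here is a Go sketch of the flow described above: a client certificate is issued with the device serial as its CN, and a broker-side authorization hook then takes the device identity from that CN, refuses revoked or unregistered devices, and confines each device to its own topic subtree so a message can be tied back to the owning user. The `Registry` type, the `devices/<cn>/...` topic layout and the self-signing (standing in for the platform CA) are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

type Registry struct {
	Owner   map[string]string // certificate CN -> owning user account
	Revoked map[string]bool   // CNs whose certificates have been revoked
}

// IssueDeviceCert returns a DER client certificate whose CN is the device
// serial. Self-signed so this runs offline; a real platform CA would sign it.
func IssueDeviceCert(serial string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serial},
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
// Authorize is the broker-side check after the TLS handshake: identity is the
// CN; it must not be revoked, must have an owner, and stays under devices/<cn>/.
func (r *Registry) Authorize(certDER []byte, topic string) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	cn := cert.Subject.CommonName
	user, ok := r.Owner[cn]
	switch {
	case r.Revoked[cn]:
		return "", errors.New("certificate revoked")
	case !ok:
		return "", errors.New("device not registered to any user")
	case !strings.HasPrefix(topic, "devices/"+cn+"/"):
		return "", errors.New("topic outside the device's own subtree")
	}
	return user, nil
}
```

Revocation here is just the registry entry; a broker would typically also check the CA's CRL or OCSP responder so that a compromised device is cut off at the TLS layer as well.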