This disclosure describes techniques for user authentication and authorization for devices with support for manufacturer origin attestation. A client attestation certificate allows an authorization service to associate a device with its manufacturer (client). A unique client identifier is assigned by the authorization service to the client. The client assigns a unique instance certificate to each device. During initial authorization, each device uses a trusted local channel to establish identification before the authorization service and obtain an authorization code. The authorization code, the device instance attestation certificate chain, and a proof of possession of the instance key, in the form of a signed message that includes the authorization code, are supplied by the device for verification. Upon verification of the supplied code and the signed message, the authorization service returns user credentials for the device.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.