Avoguard Avoguard Avoguard


Device Identity

Give all your devices a unique, trusted, verifiable identity.
By the time they leave the factory.

A secure connected product starts with a secure identity.
Avoguard Device Identity is a complete solution for managing device identities,
from the factory to the field.


For humans, identity is a given. We are born with our unique face, irises, and fingerprints. They are all hard to copy.

For devices, identity is not a given. Devices are built to be identical. They are assigned a unique serial number. But that is just a number - it is easy to copy. A serial number is not enough to prove a unique device identity.

Avoguard Device Identity gives all your devices an equivalent of a unique fingerprint along with an ID card. A unique, trusted, verifiable identity, managed through the device's entire lifecycle.

It is a PKI along with complementary device libraries, designed to manage the keys of edge and IoT devices. It runs on hardware, on-premise servers, or private cloud. But it works with cloud hyper-scalers, too.



Hyper-scaler Cloud Integration

Avoguard Device Identity service can run on top of IoT cloud services of large cloud providers, such as AWS IoT Core or Azure IoT Hub. Get all the benefits of Avoguard Device Identity service, along with all the benefits of seamless integration with the AWS or Azure IoT ecosystem.

Zero-touch provisioning

We worked with hardware vendors such as Microchip, STMicroelectronics, Nordic Semiconductor, Espressif, and Infineon to integrate Avoguard Device Identity service with their secure elements and secure domains (e.g. TrustZone) within their microcontrollers. With selected hardware of these vendors, you can get zero-touch provisioning with Avoguard Device Identity out-of-the-box.

Security and authenticity

With a secure root of trust provided by Avoguard Device Identity, you can be sure that your devices are not counterfeited, cloned, or tampered with. You can rest assured that your devices are running the software that you have authorized, are connecting only to your genuine cloud services, and that the data they are sending is authentic.

Process flexibility

We understand that every organization has its own processes and workflows. Avoguard Device Identity service is designed to be flexible, so that it can be integrated into your existing device manufacturing, provisioning, and installation processes. You define who you trust with giving devices identity, and our services will adapt to it.

Vendor Independence

Avoguard Device Identity service is designed to be hardware and cloud vendor independent. It can be deployed on any hardware, on-premise servers, or private cloud. It can be integrated with any cloud hyper-scaler, such as AWS IoT Core or Azure IoT Hub. You are not locked into any hardware or cloud vendor.

Full life-cycle coverage

Avoguard Device Identity does not end the moment your device leaves the factory. It is designed to provide identity to your devices throughout their entire life-cycle, from the factory to the field, through the supply chain, distribution, installation, RMA, servicing, replacement, and eventual decommissioning.



Avoguard Device Identity service can be deployed on a dedicated hardware appliance supplied by Avoguard, or a software application on a compatible edge hardware. Contact us for more information.

Deploy on hardware


With no cloud dependencies, Avoguard Device Identity can be easily deployed on-premise. It can run as a VM in your own data center, or as a Docker container.

Deploy on-premise

Cloud native

If you already have a Kubernetes cluster, you can deploy Avoguard Device Identity as a cloud native application. It can be deployed on any Kubernetes cluster, including public cloud providers.

Deploy cloud native


PSK and Certificates

Avoguard Device Identity service supports both pre-shared keys (PSK) and X.509 certificates. You can choose which one to use for each device, or even use both at the same time.


In edge systems, one size does not fit all. Whether your protocol is TCP or UDP, Avoguard Device Identity supports both TLS and DTLS. Even if you are on the cutting edge with QUIC / HTTP 3, we have you covered.

Non-IP protocols

Avoguard Device Identity service supports security primitives of non-IP protocols, such as LoRaWAN, Sigfox, and NB-IoT. It can also be used with any other non-IP protocol, such as CAN bus, RS-485, or RS-232.

Key rotation

Avoguard Device Identity service supports key rotation, so that you can change the keys used by your devices at any time. This is useful for security, as well as for compliance with regulations such as GDPR.

Key renewal and distribution

One of the most inconvenient aspects of using X.509 certificates is the need to renew them periodically. Avoguard Device Identity service automates this process, and distributes the new certificates to your devices.

Key revocation

Compromised devices are a risk to be taken seriously, especially if your devices are in the field. To manage this risk, Avoguard Device Identity service supports key revocation, so that you can disable compromised devices individually, or in batches.

Device Libraries

Avoguard Device Identity service provides libraries for your devices, so that you can easily integrate them with the service. The libraries are portable, and have been pre-integrated with selected hardware vendors, RTOSes, and embedded operating systems. Open-source licenses are available.

PKI integration

Avoguard Device Identity service can be integrated with your existing PKI infrastructure, so that you can use your existing certificates, or issue new certificates from your own CA. This is useful if you already have a PKI infrastructure, or if you need to comply with regulations such as eIDAS.

Ready to get started with Avoguard Device Identity?

Contact Avoguard

Contact us to get a quote or book a demo.