PROTECT
Secure communication even over insecure networks.
Powerful Identity and Access Management for M2M networks. Implemented with FIDO2 standards, our IAM establishes the role of a Trusted Administrator who creates and manages perimeter-less applications involving an arbitrarily large number of devices communicating with other devices. Algemetric’s IAM is built upon the powerful combination of Authentication, Authorization, and Auditing, working together to ensure proper access to the right resources by suitable devices.
The Problem
In recent years, cybersecurity reports have highlighted a concerning trend: a majority of malware attacks are conducted through encrypted connections. Surprisingly, studies indicate that 9 out of 10 malware attacks can slip through unnoticed if the traffic over HTTPS isn’t thoroughly examined at the perimeter. These findings underscore that relying solely on channel-level security measures is not sufficient in combating malware threats.
Among the most pernicious forms of malware is ransomware: malicious software that restricts access to data, servers, entire networks, or other critical resources until a ransom is paid. Ransomware attacks have surged in frequency. The financial toll of these attacks has surpassed $500 million in just the past few years, projections anticipate total costs exceeding $20 billion, and some estimates reach a staggering $6 trillion in losses in the mid-term future.
The top reasons for ransomware attacks:
- Poor user practices
- Weak passwords
- Access management
- The use of open Remote Desktop Protocol (RDP)
- Lost/stolen user credentials
These issues point to faulty human behaviour and a lack of proper policies, automation, and safeguards against compromise incidents. Secure networks alone fail to address the main causes of malware attacks.
The Solution: M2M IAM
Algemetric provides Identity and Access Management, focusing on machine-to-machine communication. It combines the power of the triple-A: Authentication, Authorization, and Auditing, in a single, lightweight, and powerful IAM solution. It is plug-and-play, scalable and can work as a standalone solution.
Lightweight
Our IAM is designed for performance. The module’s lightweight nature allows it to operate in a wide variety of limited infrastructures, including those composed of resource-constrained devices such as IoT and edge computing.
Flexible
The solution allows Trusted Administrators to create applications, control which machines are allowed to be onboarded, define the rules of machine onboarding, and define which access control policy should be in place. The Trusted Administrator also has complete visibility of how the application behaves via auditing features.
Plug and Play
Our IAM is designed for interoperability. Spectra can be easily integrated with applications involving communication and resource exchange between devices. Spectra can also support third-party identity services by offering M2M capabilities in H2M settings.
Scalable
Device onboarding can easily become a bottleneck for large networks that contain hundreds or thousands of devices. Not for Algemetric. There is no direct correlation between the number of onboarded devices in our IAM application and the overall performance of that application.
How Our M2M IAM Works
Our M2M IAM protects access to any resource on any given machine, including any form of data, application, or service.
Machines typically communicate via a domain name or IP address associated with some port. Algemetric’s M2M IAM is conducted via exchanges of digital authenticators in which information about machine identity and access privileges is specified. An API is invoked to verify the legitimacy of any given token and the constraints specified in it. Depending on what the API sees in each digital authenticator (which is encrypted at all times and can only be decrypted by the API), it returns an answer to the target machine that, if the access request is legitimate, includes the attributes the target machine will use for authorization.
All requests and responses between the Dashboard, API, and SDK are encrypted at all times with single-use ephemeral secret keys.
Dashboard: The “control room” where trusted administrators can create applications, define how many machines are in the scope of those applications, and the rules for those machines to communicate with each other.
API: The “brain” where the configurations defined in the Dashboard are processed and consolidated in the form of digital authenticators, namely tokens, which are then used between machines for data exchange. The API does not store any information about these machines. Tokens are a form of signature of one machine’s identity and access privileges concerning one or more other machines according to constraints defined by administrators via the Dashboard.
SDK: Each machine is equipped with the “tool belt” for efficient machine onboarding and properly communicating with other machines and with the API.
FIDO2: Spectra implements the FIDO2 specifications for secure multifactor authentication for H2M from the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP). FIDO2 is used to authenticate Trusted Administrators on the Spectra Dashboard.
Application Management: Trusted Administrators can create and manage an arbitrary number of applications on the Spectra Dashboard, where they can also manage as many platform and external hardware authenticators as they want. Trusted Administrators can also manage API Keys and their permissions, access control models, and customize Spectra Tokens, all within the scope of each application.
Access Control Models Management: With Spectra, Trusted Administrators can decide which access control model makes sense for each application. Spectra supports the following access control models: mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), and attribute-based access control (ABAC). Each of these access control models has its advantages and disadvantages. Therefore it is imperative that the Trusted Administrator can choose the one that works best on a case-by-case basis.
Machine Onboarding: Spectra provides an interface for proper machine onboarding within an application under Spectra’s control, with which a Trusted Administrator determines what devices can participate in communications within an application. The Trusted Administrator also defines each machine’s access privileges during onboarding. This process can be automated for batched onboarding, always under the control of the Trusted Administrator.
Auditing Management: Trusted Administrators can choose the events they want to closely monitor and how they want to be alerted about specific incidents. Active monitoring is a crucial part of incident response, and Spectra provides quick visualization of meaningful transactions to support effective audit monitoring.
FIDO2: Phishing-resistant authentication based on modern, possession-based credentials. Unique credentials between Trusted Administrators and Spectra never leave the user’s device and are never stored on the server. These credentials are easily combined with fingerprint readers or cameras on users’ devices, or with easy-to-use FIDO security keys. Multiple devices and authenticators are supported. Cryptographic keys are unique to the link between a Trusted Administrator and Spectra. Biometric data, when used, never leaves the user’s device.
AES-GCM-256: Spectra uses the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with 256-bit keys, a configuration many in the industry consider future-proof, given that even AES-128 is considered secure against all currently practical threats. AES-GCM-256 is used to uniquely encrypt all Spectra Tokens and all payloads in communications in every direction between all components of Spectra.
ECDH P-256: Spectra uses Elliptic Curve Diffie-Hellman over the P-256 curve to securely establish symmetric secret keys between any two parties engaged in communication. ECDH P-256 therefore runs before any resource exchange between any pair of communicating components: the Spectra Dashboard, the Spectra API, the Spectra SDK, and the machines within any given Spectra application.
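The pairing described in the two items above, an ephemeral ECDH P-256 agreement feeding a single-use AES-GCM-256 key that seals a token, shown as an added example in Go. This is illustrative code written for this page, not Spectra’s SDK or API: the function names, the JSON-style token used in testing and the use of SHA-256 as the key-derivation step are assumptions, and the sender id bound as associated data is a constructed detail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Ephemeral creates the single-use ECDH P-256 key pair a party uses for one exchange.
func Ephemeral() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }

// SessionAEAD runs ECDH P-256 against the peer's encoded public key and returns an
// AES-GCM-256 AEAD keyed by SHA-256 of the shared secret (assumption; HKDF is usual).
func SessionAEAD(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed points
	if err != nil {
		return nil, err
	}
	secret, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)      // 32-byte key selects AES-256
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// Seal encrypts a token under a fresh random nonce (prepended to the output)
// and binds unencrypted context such as the sender id to the GCM tag via aad.
func Seal(g cipher.AEAD, token, aad []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, token, aad), nil
}

// Open verifies the GCM tag before releasing the token: a key from another
// exchange, or any change to nonce, ciphertext, tag or aad, yields an error.
func Open(g cipher.AEAD, sealed, aad []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed token too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], aad)
}
```

Because each party calls Ephemeral once per exchange, the derived AES key is single-use, and Open releases no plaintext at all when the tag check fails.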
Separation of Duties: A given task can be broken down into multiple sub-tasks, each operated by a different machine with different access privileges. Attackers must subvert several machines simultaneously to compromise a system that employs separation of duties, which is far less likely than subverting a single machine. The same protection applies to malfunctions and any other kind of non-malicious operational failure. It also protects against insider threats in case one machine is compromised.
Provisioning: The process of onboarding machines into Spectra. It includes everything from validating a machine’s need to access any given resource to assigning it the appropriate permissions. On Spectra, provisioning is 100% controlled by a Trusted Administrator, who verifies a machine’s identity and its need to access resources on other machines and assigns the proper privileges according to that assessment.
Administration: Spectra allows each application to be created according to some pre-defined system designs. This includes policy design and creation, maintenance, and updates. The application registered on Spectra works as a concrete instance of the actual IAM policies of an organization.
Enforcement: Spectra provides enforcement of IAM policies via the combined power of the “triple A”:
- Authentication: Validate the legitimacy of the identity of machines requesting access to any resources within a Spectra application.
- Authorization: Check the machine’s assigned permissions against access control policies and permit or deny access as appropriate.
- Auditing: Monitor and review access control decisions for any anomalies that could require immediate remediation. Auditing is a critical component of Spectra for activity monitoring, analysis, and incident response. Every denied access and any activity that conflicts with the rules pre-defined during provisioning and administration will raise a red flag. Administrators are alerted via email, SMS, and/or Dashboard messages.
Authentication, Authorization, and Auditing – All in One: Most solutions that promise authentication and authorization for M2M actually involve human intervention in critical steps of these procedures. Except for the Trusted Administrator required for managing applications on Spectra Dashboard, the entire operation of Spectra is done in the legitimate context of M2M: from machines to machines with no humans involved. Typically, multiple applications are required to cover authentication, authorization, and auditing for M2M. Spectra brings the triple A in a single lightweight yet robust IAM solution.
PKC, not PKI: The power and utility of public key cryptography (PKC) is indisputable. However, many people have believed that PKC requires an entire system of trust, a hierarchy-intensive model of certificate generation and verification, for optimal results. This system is known as public key infrastructure (PKI), and it carries functional and financial complexities that inevitably result in penalties in performance and cost. Spectra’s efficient, flexible, scalable, secure and private design employs the best of PKC (such as asymmetric encryption, which is useful for secure peer-to-peer communication) without the worst of PKI (high cost, bureaucracy, and performance penalties).
Flexibility and Power to Administrators: Spectra Token is a customizable digital authenticator that allows Trusted Administrators to specify arbitrary field-value pairs, which are particularly useful under the ABAC model.
Automated Machine Onboarding: Spectra allows for a rigorous onboarding procedure for thousands of machines, each uniquely identified and operating under specifications defined by the Trusted Administrator.
No Personal and/or Machine Credentials Stored: Distinct digital authenticators generated for each machine within a Spectra application are controlled by their respective machines. Spectra keeps no database or similar record of them. Authentication and authorization between machines are supported by the Spectra API using a digital authenticator on a case-by-case basis.
No Dependency on Network Security: Whether used as the sole communication security mechanism or as an additional layer, Spectra provides end-to-end encryption for all exchanges between machines within the scope of Spectra applications, regardless of whatever security the surrounding network provides or lacks.
Data-Centric: Spectra is a data-centric technology (DCT), a technology enabled by specialized treatment of data as a construct. For example, Spectra provides the Spectra Token. This digital authenticator can be described as a signature of a prior agreement that establishes a machine’s identity and access privileges within a Spectra application. The Spectra Token is encrypted with AES-GCM-256 so that information about identity and access privileges is transmitted securely between applications, services, and other accessible resources. Spectra provides a customized way to generate Spectra Tokens for M2M authentication and authorization, which can be programmed with custom parameters defined by the Trusted Administrator, allowing organizations to use Spectra as an efficient and flexible framework for IAM.
Infrastructure-Agnostic: Spectra works in the cloud, on corporate intranets, in private networks, and over open, insecure Wi-Fi, while offering the same functionality, flexibility, and security. Onboardable devices include personal computers, servers, terminals, IoT devices, and edge computing devices.
Least Privilege: Permissions associated with any given machine are limited to the minimum required to perform a particular task. This helps to decrease cybersecurity risks related to relaxed permission grants.