An IoT device has a public device identifier and a private device identifier, where the public device identifier is publicly available and the private device identifier is secret but kept in a secure device database as a correspondence. A registration request is sent from the IoT device to an association server in communication with the device database having an association between IoT public identifier and a corresponding IoT private identifier. The association server which receives the registration request responds with a registration acknowledgement containing, in encrypted form, the private device identifier of the original request and, optionally, the public device identifier associated with the registration request. The requesting IoT device receives the association acknowledgement, decrypts the private device identifier, compares it to its own device identifier, and if they match, sends one or more association requests.