System, Apparatus And Method For Scalable Internet Of Things (IOT) Device On-Boarding With Quarantine Capabilities
US-2017346848-A1 · Nov 30, 2017 · US
US10447683B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-10447683-B1 |
| Application number | US-201615354869-A |
| Country | US |
| Kind code | B1 |
| Filing date | Nov 17, 2016 |
| Priority date | Nov 17, 2016 |
| Publication date | Oct 15, 2019 |
| Grant date | Oct 15, 2019 |
Abstract
Techniques are disclosed for provisioning device-specific credentials to an Internet of Things device that accesses a cloud-based IoT service. The IoT service receives, from the IoT device, a request for device-specific credentials. The request comprises a provisioning certificate including information identifying a group of devices associated with the IoT device. The provisioning certificate is authenticated by evaluating the information with expected information. The device-specific credentials are generated based, at least in part, on the information provided in the provisioning certificate. The device-specific credentials are sent to the IoT device, and the IoT device installs and activates the device-specific credentials. The device-specific credentials are associated with the IoT device in a registry of the IoT service.
Claims (preview)

What is claimed is:

1. A non-transitory computer-readable storage medium storing instructions executable to perform an operation for provisioning identifying credentials to an Internet of Things (IoT) device, based on generic credentials provided by the IoT device, the operation comprising: receiving, from the IoT device of a plurality of IoT devices, a request to provision the IoT device with identifying credentials for registering the IoT device with a first IoT service, wherein the first IoT service is accessible via generic credentials, wherein the request is received by the first IoT service, wherein the request specifies the generic credentials, which include a provisioning certificate stored in memory of each of the plurality of IoT devices, wherein the request further specifies additional credentials for the IoT device; upon validating the request, authenticating the request via multi-factor authentication based at least in part on the generic credentials and the additional credentials specified in the request; granting, to the IoT device, access to a second IoT service that is accessible via the identifying credentials, by generating the identifying credentials for the IoT device based at least in part on the generic credentials and the additional credentials and by operation of one or more computer processors when executing the instructions, the identifying credentials comprising device-specific credentials uniquely identifying the IoT device in the plurality of IoT devices; sending the identifying credentials to the IoT device, wherein the IoT device installs and activates the identifying credentials; and associating the identifying credentials with the IoT device in a registry of the first IoT service, whereafter the IoT device accesses the second IoT service based on the identifying credentials.

2. The non-transitory computer-readable storage medium of claim 1, wherein the provisioning certificate is registered with the first IoT service by a manufacturer of the plurality of IoT devices.

3. The non-transitory computer-readable storage medium of claim 2, wherein the additional credentials are provided by the manufacturer.

4. The non-transitory computer-readable storage medium of claim 1, wherein the device-specific credentials include at least a digital certificate.

5. The non-transitory computer-readable storage medium of claim 1, wherein: the device-specific credentials include at least a digital certificate; the provisioning certificate and digital certificate comprise distinct certificates; the additional credentials for the IoT device include at least one of a hardware identifier, a media access control (MAC) address, geolocation information, and user account credentials; the provisioning certificate is pre-registered with the first IoT service without requiring end-user intervention; and the provisioning certificate is pre-registered with the first IoT service by a manufacturer of the plurality of IoT devices.

6. The non-transitory computer-readable storage medium of claim 5, wherein: the first IoT service comprises a plurality of components, the plurality of components including a rules engine component, a registry component, and an identity manager component; the registry component comprises the registry; the identity manager component includes a plurality of subcomponents including a provisioning service subcomponent, an authentication service subcomponent, a certificate authority subcomponent, and an authorization service subcomponent; and the rules engine component is configured to evaluate inbound messages published to the first IoT service, transform the inbound messages, and route the transformed messages to a plurality of endpoint services of a networked computing environment, the plurality of endpoint services including an event-driven computing service, a database service, and a storage service.

7. The non-transitory computer-readable storage medium of claim 6, wherein: associating the identifying credentials with the IoT device comprises associating the digital certificate with the IoT device in the registry; the IoT device accesses the second IoT service based on the digital certificate; the provisioning service subcomponent is configured to receive the request to provision the IoT device with the identifying credentials; the authentication service subcomponent is configured to authenticate the provisioning certificate by evaluating the information identifying the plurality of IoT devices with the expected information; the certificate authority subcomponent is configured to generate the digital certificate based, at least in part, on the generic credentials; and the authorization service subcomponent is configured to associate the identifying credentials with the IoT device in the registry component of the first IoT service.

8. The non-transitory computer-readable storage medium of claim 7, wherein: the provisioning certificate is authenticated by initiating a first workflow comprising an authentication workflow; the identifying credentials are generated by initiating a second workflow comprising a provisioning workflow; the request further includes information identifying the IoT device; the authentication workflow includes: validating the information identifying the plurality of IoT devices; and authenticating the IoT device based on the provisioning certificate and based further on the information identifying the IoT device; the information identifying the IoT device includes a geolocation of the IoT device, a hardware device identifier, and a data source name; the authentication workflow comprises a custom authentication workflow defined by the manufacturer; and the provisioning workflow comprises a custom provisioning workflow defined by the manufacturer.

9. The non-transitory computer-readable storage medium of claim 8, wherein: the provisioning workflow includes: validating the digital certificate; registering the digital certificate with the IoT device in the registry; generating a confirmation of the registration of the digital certificate, wherein the confirmation is output; obtaining a profile for the IoT device, wherein the profile includes one or more attributes defining permissions for the IoT device; generating a device policy from the one or more attributes; and associating the device policy with the device-specific credentials; and upon determining that the provisioning certificate is compromised, a plurality of digital certificates generated for the provisioning certificate is added to a certificate revocation list maintained by a certificate authority, in order to cause any subsequent authentication attempts based on any of the plurality of digital certificates to fail due to being recognized as being from an attacker spoofing information in the provisioning certificate.

10. The non-transitory computer-readable storage medium of claim 9, wherein: generating the identifying credentials comprises: generating a certificate signing request (CSR) based, at least in part, on the generic credentials; and generating the digital certificate based on the CSR; associating the device policy with the device-specific credentials comprises attaching the device policy to the digital certificate; the operation further comprises receiving, from the manufacturer of the IoT device, an indication of the provisioning certificate; the request is validated by determining that a count of provisioning digital certificates previously claimed for the provisioning certificate is less than a count of digital certificates to be provided for the provisioning certificate; and the additional credentials for the IoT device include
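The provisioning flow described in the abstract and in claims 1, 9 and 10, simulated in Python as an added example that is not code from the patent or from any product implementing it. The manufacturer pre-registers a group provisioning certificate together with the number of device certificates it may claim and the hardware identifiers it covers; a device presents the group certificate plus its hardware identifier as the second factor; the service enforces the claimed-count check, issues a device-specific certificate from a CSR, attaches a policy derived from the device profile, and records the certificate in its registry; and compromise of the group certificate pushes every certificate derived from it onto the CRL so later authentication fails. Certificates are plain dicts carrying an HMAC "signature" as a stand-in for X.509 and a real CA key, and every identifier (ACME-SENSOR-BATCH-7, hw-0001, the key strings) is a constructed sample value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the certificate authority's private signing key.
CA_KEY = b"constructed-ca-signing-key"


def sign(payload: dict) -> str:
    """Sign a canonical serialisation of certificate fields (HMAC stands in for a CA signature)."""
    canon = "|".join(f"{k}={payload[k]}" for k in sorted(payload)).encode()
    return hmac.new(CA_KEY, canon, hashlib.sha256).hexdigest()


def fingerprint(cert: dict) -> str:
    """Short identifier for a device certificate, used as the registry and CRL key."""
    return hashlib.sha256(cert["signature"].encode()).hexdigest()[:16]


@dataclass
class ProvisioningGroup:
    """What the manufacturer pre-registers: the group certificate id, the hardware ids it
    covers (the manufacturer-supplied 'additional credentials' used as a second factor),
    the permitted number of device certificates, and the profile that becomes the policy."""
    cert_id: str
    hardware_ids: set
    max_certs: int
    profile: dict
    issued: list = field(default_factory=list)   # fingerprints of certificates claimed so far
    compromised: bool = False


@dataclass
class IoTService:
    groups: dict = field(default_factory=dict)    # provisioning cert id -> ProvisioningGroup
    registry: dict = field(default_factory=dict)  # device cert fingerprint -> registry record
    crl: set = field(default_factory=set)         # revoked device cert fingerprints

    def register_provisioning_cert(self, group: ProvisioningGroup) -> None:
        self.groups[group.cert_id] = group

    def provision(self, request: dict) -> dict:
        """Validate the request, authenticate with two factors, issue and register a device cert."""
        group = self.groups.get(request["provisioning_cert"])
        if group is None or group.compromised:
            raise PermissionError("unknown or compromised provisioning certificate")
        # Validation (claim 10): certificates already claimed must be fewer than those allowed.
        if len(group.issued) >= group.max_certs:
            raise PermissionError("provisioning certificate has no certificates left to claim")
        # Second factor (claims 3 and 5): the hardware id must be one the manufacturer supplied.
        if request["hardware_id"] not in group.hardware_ids:
            raise PermissionError("hardware id not in the manufacturer's list for this group")
        if any(r["hardware_id"] == request["hardware_id"] for r in self.registry.values()):
            raise PermissionError("device already provisioned")
        # CSR built from the generic credentials, then signed into a device-specific certificate.
        csr = {"subject": f"{group.cert_id}/{request['hardware_id']}",
               "pubkey": request["public_key"]}
        cert = dict(csr, serial=secrets.token_hex(8), issuer=group.cert_id)
        cert["signature"] = sign(cert)
        fp = fingerprint(cert)
        # Policy generated from the profile attributes and attached to the certificate (claim 9).
        policy = {"allowed_topics": list(group.profile["topics"])}
        self.registry[fp] = {"hardware_id": request["hardware_id"], "policy": policy, "cert": cert}
        group.issued.append(fp)
        return cert

    def authenticate(self, cert: dict) -> Optional[dict]:
        """Later access with the device-specific certificate: signature, CRL and registry checks.
        Returns the attached policy on success, None on failure."""
        body = {k: v for k, v in cert.items() if k != "signature"}
        if not hmac.compare_digest(sign(body), cert.get("signature", "")):
            return None
        fp = fingerprint(cert)
        if fp in self.crl or fp not in self.registry:
            return None
        return self.registry[fp]["policy"]

    def revoke_provisioning_cert(self, cert_id: str) -> int:
        """Group certificate compromised: every certificate issued under it goes on the CRL."""
        group = self.groups[cert_id]
        group.compromised = True
        self.crl.update(group.issued)
        return len(group.issued)


def demo() -> tuple:
    """Provision one device, authenticate it, revoke its group, authenticate again."""
    svc = IoTService()
    svc.register_provisioning_cert(ProvisioningGroup(
        cert_id="ACME-SENSOR-BATCH-7", hardware_ids={"hw-0001", "hw-0002"},
        max_certs=2, profile={"topics": ["sensors/acme/+"]}))
    cert = svc.provision({"provisioning_cert": "ACME-SENSOR-BATCH-7",
                          "hardware_id": "hw-0001", "public_key": "constructed-pubkey-0001"})
    ok_before = svc.authenticate(cert) is not None
    svc.revoke_provisioning_cert("ACME-SENSOR-BATCH-7")
    ok_after = svc.authenticate(cert) is not None
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The count check and the hardware-id check are what keep a leaked group certificate from being worth much on its own: without a hardware id from the manufacturer's list the request is refused, and once the group's allowance is used up no further device certificates can be claimed. Revocation works at the group level because the registry remembers which device certificates descend from which provisioning certificate.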
CPC classification titles:

- Service provisioning or reconfiguring
- applying multi-factor authentication
- using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263)
- Services for machine-to-machine communication [M2M] or machine type communication [MTC]
- Location-dependent; Proximity-dependent