The Cellular Internet of Things (CIoT) is a new radio technology that is able to provide extended coverage for harsh environments, for example, basements. It is designed to be able to serve a large number of user equipments, for example over 50,000 per base station using a limited bandwidth, for example, 160 bps. The current assumption in 3GPP standardization is that the security mechanism for CIoT would be based on UMTS Authentication and Key Agreement (AKA), however, extending the security deeper into the core network remains as an open issue. The ITU-T Generic Bootstrapping Architecture (GBA) has been presented as one alternative solution. However, the limited available bandwidth and the number of terminals that may be served by one base station mean that the amount of signaling required for GBA presents difficulties in use.