Chapter 9: Biometric-based Secure Authentication for IoT Enabled Devices and Applications
Author(s):
* J. Mahesh (Indian Institute of Technology Indore, India, phd1701101004@iiti.ac.in)
M. Bodhisatwa (Indian Institute of Technology Indore, India, bodhisatwa@iiti.ac.in)
D. Somnath (Indian Institute of Technology Indore, India, somnathd@iiti.ac.in)
Abstract
Smart connected consumer devices employing IoT as the backbone are becoming a part of our day-to-day life. These products are fascinating to everyone but bear a dark side of becoming a threat to consumers and vendors. Users and smart-device manufacturers are losing finances as well as confidential data to the adversary, mainly because insecure authentication methods are employed. There are several reported incidents of such security breaches in IoT-enabled systems. The IoT industry finds it difficult to cope with the fast developments and innovations in lightweight protocols, hardware devices, and authentication mechanisms proposed explicitly for IoT-based products. Furthermore, vendors are reluctant to adopt these developments for fear that consumers may not find the new product budget-friendly. Smart cities, smart homes, smart cars, smart grids, etc. are gaining attention from various sections of society without any knowledge of the vulnerabilities associated with these revolutionary systems. The chapter considers the IoT system from the perspectives of a consumer, a vendor, and a researcher to figure out the present scenario and give future directions on the authentication-related security issues in IoT subsystems.
Device-to-user authentication when accessing connected consumer devices is an area of IoT systems that needs serious attention from academia, the biometric community, and the biometric industry. Also, the automated payment systems implemented in smart consumer products are exposed to threats from malicious attackers. Even though there are alliances to brainstorm this specific problem and to standardize protocols for IoT infrastructure, there is slow growth in incorporating the most secure and cost-effective solutions to the security issues in IoT. We must understand the vulnerabilities and loopholes in IoT infrastructure and correctly design mitigation techniques to build a robust system. The chapter provides a precise investigation of the current scenario for integrating biometric authentication into IoT applications and systems, along with the techniques required to mitigate software- and hardware-level vulnerabilities in these systems. The study classifies IoT systems and applications into seven categories. The chapter reviews the current research outcomes in this direction and pinpoints their pros and cons when implementing them in future IoT products. It is also necessary to decide on the best biometric modality and the implementation mechanisms that are convenient and pocket-friendly for consumers. In addition, the chapter discusses various biometric traits from an IoT perspective and suggests the best modalities for such systems.
Keywords: Internet-of-Things, Biometric systems, Authentication, Security, Threat model, Vulnerabilities
9.1 Internet-of-Things (IoT) impacting our livelihood
The Internet has played a significant role in recent innovations and advancements in information technology. The Internet of Things (IoT) refers to a network of smart hardware devices (things) communicating with each other over the Internet to collectively provide specific functionality for individuals, industries, and organizations. With the advent of numerous IoT applications, human lives are more comfortable, as such applications employ intelligent programmable everyday objects that interact with the people around them and amongst themselves. What was merely an electronic device a few years back has now become a smart device by employing IoT as a backbone. The present-day world is witnessing the impact of IoT products and systems on everyday life, as humans are increasingly reliant on the Internet for routine activities. Some sectors that employ IoT applications comprise healthcare, infrastructure, agriculture, logistics, manufacturing, the automation industries, and many others [1].
IoT applications employ smart hardware, such as smart sensors, and intelligent software. The hardware things are capable of sensing their environment to collect data and communicating the data to a local gateway (a device that enables communication over the Internet to a cloud-based server). The gateway acts as the common point of contact for the local devices, and the remote software and hardware things are connected to it through the Internet. The gateway can also perform local analytics on the received data and take informed decisions. The server most often applies machine learning and data mining algorithms to the data arriving from the gateways in order to extract essential information [2]. The analysis reports are available to the stakeholders through web portals or smartphone apps, which can also act as a control interface for the IoT infrastructure. The IoT system provides authentication mechanisms for administrators and consumers to prevent unauthorized access to any component within the system.
A smart speaker wakes us up with our favorite music in the morning; a smart wristband keeps a record of our health and suggests a healthy diet; a smart assistant reminds us about the daily schedule and appointments; the list continues to grow. With the advent of smart cities, facilities such as smart homes, smart grids, smart cars, smart street lights and traffic signals, smart meters, and smart TVs are influencing human lives in one way or another. The vendor provides a smartphone app for a smart consumer appliance so that the device can be connected to and controlled conveniently over the Internet. Such devices carry the sensors, whereas the smartphone app performs the local analytics. When the analytics reports need to be shared with multiple parties, the system uses a cloud-based server for analytics instead. A smart wristband, for instance, delivers health updates from its sensors to the smartphone application; local analytics in the application is sufficient there. A health monitoring system for an older person living alone may require data processing at the cloud server, since a physician, a caretaker, or a relative may be sharing the reports.
Existing IoT systems, such as smart homes, smart grids, smart cities, smart cars, smart farming, etc., employ several different types of sensors. These systems have multiple goals to achieve, comprising security, smooth functioning, load balancing, handling emergencies, dynamic decision making, etc. IoT systems most often require user authentication in order to authorize a user. An IoT-based smart home includes entry and exit locking systems for family members and relatives, fire and burglar alarms, switching lights and fans on or off based on the presence or absence of an individual, etc. A smart grid may employ sensors for monitoring and distributing power based on domestic and industrial usage, predicting future demand, locating faults in the grid, etc. The smart city project, already a reality in developed countries, makes use of IoT for controlling traffic signals and street lights, monitoring criminal activities, managing vehicle parking, etc. [3]. Many tech giants have come up with smart self-driving cars equipped with sensors and GPS, to be available for commercial sale in the coming years. Farmers now have the technology at their doorsteps for maintaining and watering crops based on environmental conditions.
The automation and transportation industries extensively use Radio-Frequency Identification (RFID) tags. Tracking assets, paying toll charges, and managing inventory are some further application areas of these tags. The tags contain digital information and require a reader device to collect this information through radio waves. Near-Field Communication (NFC) tags have also found their place in IoT infrastructure. These tags offer short-range communication over a low-speed channel, and vendors employ them for labeling and electronic payment. The application of IoT to a specific field is named accordingly: industrial IoT (IIoT) [4], the Internet of Medical Things (IoMT) [5], the Internet of Battlefield Things (IoBT) [6], and the Environmental Internet of Things (EIoT) [7] are some examples of explicit IoT applications. IoT-based home and consumer appliances include HomePod, HomeKit, Siri, and Apple Watch from Apple Inc., Amazon's Echo and Alexa, and Google's Nest and Google Home.
Advancements and innovations in information and communication technologies (ICT) have strongly influenced the development of IoT and similar technologies. Since most IoT devices are battery operated and require continuous communication, the standard protocols and encryption algorithms are optimized for IoT infrastructure. There is a growing need to embed multiple functionalities in a single device. As IoT systems are inherently resource-constrained, lightweight ciphers, low-power electronic circuits, and short-range, secure communication protocols and gateways are employed in IoT devices and systems. There exists a plethora of machine learning, artificial intelligence, and deep learning-based algorithms, which the research community studies extensively to render them more suitable for the IoT environment. Cloud computing and fog computing technologies are evolving continuously to fulfill IoT requirements. Data mining and big-data analytics techniques deployed on server systems have also gained significant attention from the IoT industry. Cyber-Physical Systems (CPS) are also closely related to IoT [8]. Figure 1 gives a glimpse of IoT-enabled applications and services in the present-day world.
Figure 1: IoT-enabled applications and services
9.2 IoT ecosystem
Smart connected consumer devices employing IoT as the backbone are becoming a part of day-to-day human life. These products are fascinating to everyone but bear a dark side of becoming tools of threat to consumers and vendors. With the enormous expanse of reachability over the Internet, users and smart-device manufacturers are losing finances as well as confidential data to the adversary, mainly because insecure authentication methods are employed. Even though there are alliances to brainstorm this specific problem and to standardize protocols for IoT infrastructure, there is slow growth in incorporating the most secure and cost-effective solutions to the security issues in IoT. We must understand the vulnerabilities and loopholes in IoT infrastructure and correctly design mitigation techniques to build a robust system.
We should be aware of how a typical IoT system functions in order to figure out the vulnerabilities and threats associated with it. Figure 2 shows the major components of the IoT ecosystem. We can roughly classify the elements and communication channels in an IoT system into six categories: the environment; the things that directly sense and respond to the environment; the short-range LAN communication protocols employed for intranet data transfer; the local control centre together with the IoT gateways; the Internet; and lastly the remote servers and user interfaces.
A system or device that can sense and respond to its environment promptly and accurately is indeed desirable. Most IoT systems listen to their environment in one way or another: a voice assistant senses voice commands, a smart car employs several sensors to sense the climate, the traffic and obstacles on the way, a smoke detector categorizes harmful gases in its surroundings, etc. The significant achievement of IoT systems and smart consumer devices lies in automation. Manufacturers and service providers of IoT devices and applications develop convenient, comfortable, and alert solutions for their customers.
Figure 2: Major components in the IoT ecosystem
The things in an IoT ecosystem comprise hardware-based embedded systems that act as listeners to and responders for the environment. The interface to the environment comprises sensors (the nerves), RFID tags, controllers, and actuators (the muscles). In general, sensors exist for capturing physical observables, such as temperature, ambient light, humidity, dust, fire, motion, smoke, color, water, and many more [3]. These sensors continuously collect data for the desired parameter and send it to the IoT gateway and the local control system without delay. Sensors typically use LAN protocols for transmitting data. RFID tags use a similar approach to send the smart barcodes embedded on them through radio-frequency technology, and an RFID reader can sense, collect, and read the information from the tag. In both these cases, the communication is one-way; hence, these devices are referred to as listeners and transmitters. Furthermore, certain things in the IoT system are intended to respond to the environment based on collected data or on instructions received over the Internet. Such devices are termed actuators and controllers. They act by following preprogrammed actions according to the commands received. These devices can only receive data through the LAN protocols and usually do not respond to the source of the information; such devices are, therefore, termed actors. The communication within the local IoT subsystem among things, gateways, and local control centers uses short-range wireless protocols, including Bluetooth, ZigBee, Wi-Fi, BLE, NFC, etc. In general, these technologies provide short-range communication.
IoT gateways provide the communication link between the local IoT subsystem and the remote cloud-based servers, user interfaces, and data analytics. These devices can also perform local data analysis for instant decision making on the incoming data stream from the sensors. The data analysis and control capabilities of the IoT gateways can sometimes be shared with an explicit local control centre. Local network management, system diagnostics, and device configuration management are some additional functions of IoT gateways and local control centers. The Internet has been a boon to IoT-like technologies and services. In a typical IoT environment, the remote user authentication and data analytics servers connect to the IoT infrastructure over the TCP/IP-based Internet. The system usually provides a user interface in the form of a web portal, a smartphone application, and an alert/alarm application for the customers and system administrators to process the raw data and visualize the data analysis. A dedicated authentication server performs security checks such as user authentication. Some IoT applications, such as smart parking, food ordering, paying toll charges, etc., and periodic subscription-based services also employ a payment gateway.
Despite the many features and utilities of IoT systems, such systems also face vulnerabilities and threats associated with the various components and communication channels in the entire IoT ecosystem. Experts in multiple application areas have reported several incidents of financial loss due to credit and debit card fraud in recent times [9]. In IoT systems too, because the Internet is used for data transmission, users have faced threats to the confidentiality and integrity of the communication between the devices themselves and the IoT gateway. Furthermore, security breaches in IoT other than financial fraud exist, comprising insecure mobile interfaces, privacy issues, insecure cloud and web interfaces, etc. Such threats must be addressed and monitored closely to understand the risk intensity and accordingly provide mitigation mechanisms against them.
9.3 Classification of IoT-powered applications and services
In the present-day world, a considerable number of IoT-enabled consumer products and services are in use. With the ongoing evolution of IoT technology, we can find several types of such devices around us. We categorize these smart devices into seven categories based on their working mechanism, as follows.
1. Sensing only: There exists a class of IoT devices wherein sensors located at different places collect data and send them to the server. The server stores the data, and a system administrator retrieves the data whenever needed and presents it in its original form. Smart cities that monitor temperature, oxygen, humidity, dust, CO, etc. can use sensor-enabled infrastructure and display the same figures periodically to let citizens know the best and worst colonies in the city. Health monitoring applications for a bed-ridden patient at home or in hospital can also use sensors to record various health parameters, such as pulse rate, blood pressure, temperature, and other critical health parameters, with a display device showing the variations in such parameters every second.
2. Sensing and real-time local analysis: IoT systems wherein the sensors collect data from the environment and real-time analysis of the data is performed at the local gateway fall under the second category. Weather prediction systems employ various sensors to collect data about temperature, humidity, and other environmental factors, and perform local data analysis to predict rainfall and forecast temperature variations in the locality. A vehicle maintenance system similarly uses sensors to monitor the condition of critical spare parts and shares the analysis report for the respective vehicle with the driver and maintenance staff.
3. Sensing and cloud-based data analytics: Occasionally, data analysis takes place at a centralized cloud server, for sensors deployed over a geographically large area such as a state or a country. A train track monitoring system uses sensors at short intervals along the entire track network of a country. An unexpected event on the tracks may lead to a major accident or interrupt rail traffic for a long duration until the damage is repaired. Hence, to divert trains to an alternate route and stop trains approaching the fault, the cloud analytics embedded in the system collect the data and provide reports to the different authorities at the station and to onboard train staff, based on the real-time locations of the trains.
4. Sensing and analysis of data with automated control: IoT systems can use rule-based automatic control mechanisms in an alarming situation. In smart lighting and home systems, the actuators play a significant role in responding to the environment according to rules and instructions defined by the underlying algorithm. Electrical appliances switch on and off based on the presence of an individual sensed by the motion detectors. Similarly, the air conditioning system can adjust the temperature based on the number of individuals present in a room, as perceived from the CO2 level inside the room.
5. Sensing and analysis of data with manual control: It may not always be possible for the system itself to deal with every unexpected situation, and manual intervention is therefore needed. The sensors and the analytics can reveal a damaged node within a network that urgently needs replacement or repair. In another scenario, a smartphone app can provide an interface that displays a probable malicious node and allows the consumer or administrator either to restart the node or to stop it transmitting sensed data. Suppose the system detects unusual data arriving at the gateway or cloud server but cannot identify the actual compromised sensor; in such a case, the network expects manual intervention.
6. Sensing and analysis of data with automatic and manual control: We usually provide intelligence to smart devices so that they can respond quickly to certain situations. But they are still not intelligent enough to recognize and respond to a more severe event; that remains beyond their capability. Smart cameras installed at traffic signals can automatically zoom in on the registration numbers of the vehicles of traffic-rule violators and send the images to the server. But in case of an accident, the traffic police sitting in the control room can take control of the camera and zoom in on the offender of the incident, rather than allowing the cameras to operate normally.
7. Smart devices (artificial intelligence (AI) + machine learning (ML) + rule-based and manual control): The smart consumer appliance usually embeds the latest hardware and software technology, such as intelligent sensors, artificial intelligence, machine learning algorithms, etc., to provide a state-of-the-art experience to the consumer. These devices learn by experience and perform better as the consumer interacts with them. They can place orders and pay on behalf of the consumer, automatically sense the consumer's mood and play songs accordingly, read the news, receive calls, set reminders, and much more.
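Category 5 above describes a gateway that notices unusual data but cannot act on its own and refers a probable malicious node to the operator. The following Go program is an added illustration of that gateway-side check; it is not code from the chapter or from any product it mentions. It assumes a group of co-located temperature sensors whose readings should agree, and it flags a node whose readings are physically implausible or far from the peer consensus (a modified z-score built on the median absolute deviation, so that one rogue node cannot drag the baseline). The node names, thresholds and readings are constructed for the example; the output is a list for manual review, not an automatic shutdown.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Reading is one sample that a sensor node reports to the gateway.
type Reading struct {
	Node  string  // sensor node identifier (constructed values below)
	Value float64 // temperature in degrees Celsius
}

// Verdict explains why a node is being referred for manual intervention.
type Verdict struct {
	Node   string
	Reason string
}

// Assumptions for this example: the nodes sit in the same room, so their
// readings should agree, and indoor readings outside this range cannot be real.
const (
	minPlausible = -20.0
	maxPlausible = 60.0
	zThreshold   = 3.5 // modified z-score cutoff for "far from peers"
	minPeers     = 3   // below this a peer consensus is not meaningful
)

// median returns the middle value of xs without modifying the caller's slice.
func median(xs []float64) float64 {
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// FlagSuspectNodes summarises each node by the median of its readings and
// flags nodes whose median is implausible or deviates from the peer consensus.
// When MAD is zero (all nodes agree exactly) or there are too few peers, only
// the plausibility check applies.
func FlagSuspectNodes(readings []Reading) []Verdict {
	perNode := map[string][]float64{}
	for _, r := range readings {
		perNode[r.Node] = append(perNode[r.Node], r.Value)
	}
	nodes := make([]string, 0, len(perNode))
	nodeMedian := map[string]float64{}
	medians := make([]float64, 0, len(perNode))
	for node, vals := range perNode {
		nodes = append(nodes, node)
		nodeMedian[node] = median(vals)
		medians = append(medians, nodeMedian[node])
	}
	sort.Strings(nodes) // deterministic report order
	var consensus, mad float64
	if len(medians) >= minPeers {
		consensus = median(medians)
		devs := make([]float64, len(medians))
		for i, m := range medians {
			devs[i] = math.Abs(m - consensus)
		}
		mad = median(devs)
	}
	var out []Verdict
	for _, node := range nodes {
		m := nodeMedian[node]
		switch {
		case m < minPlausible || m > maxPlausible:
			out = append(out, Verdict{node, fmt.Sprintf("implausible reading %.1f C", m)})
		case mad > 0 && 0.6745*math.Abs(m-consensus)/mad > zThreshold:
			out = append(out, Verdict{node, fmt.Sprintf("deviates from peer consensus %.1f C", consensus)})
		}
	}
	return out
}

// SampleReadings is a constructed data set: four healthy nodes, one node
// reporting an impossible 85 C (faulty or spoofed), and one reporting 31 C
// while its peers agree on about 22 C.
func SampleReadings() []Reading {
	return []Reading{
		{"s1", 22.1}, {"s1", 22.3}, {"s1", 22.0},
		{"s2", 22.6}, {"s2", 22.5}, {"s2", 22.7},
		{"s3", 21.9}, {"s3", 22.0}, {"s3", 22.1},
		{"s4", 23.0}, {"s4", 23.1}, {"s4", 22.9},
		{"s5", 85.0}, {"s5", 85.2}, {"s5", 84.9},
		{"s6", 31.0}, {"s6", 31.2}, {"s6", 30.9},
	}
}

func main() {
	for _, v := range FlagSuspectNodes(SampleReadings()) {
		fmt.Printf("refer %s for manual check: %s\n", v.Node, v.Reason)
	}
}
```

On the sample set, s5 is flagged by the plausibility check and s6 by the consensus check, while the four nodes near 22 C pass. The consensus is taken over per-node medians rather than raw samples so that a node flooding the gateway with many readings cannot outvote its peers.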
9.4 IoT security breach
It is possible to mount a zero-day attack to compromise devices such as smart TVs, printers, smart security cameras, etc. [10]. Bitdefender discovered that Amazon's Ring Doorbell cameras allowed hackers to access a user's Wi-Fi as well as the other devices connected through that Wi-Fi. It was also possible to mount a distributed denial-of-service (DDoS) attack via Amazon's Blink XT2 security camera systems [10]. Additionally, the cameras gave access to their footage and audio output. Check Point researchers demonstrated that fax machines are vulnerable to hacking using only the fax number and the telephone line [10]. They also illustrated the exploitation of a security bug in HP all-in-one printers during a conference [10]. The FBI stated that the camera and microphone integrated into most smart TVs could be hacked to control the volume and even the channels [10]. Researchers also illustrated information-leakage attacks on smart lights controlled using infrared [11].
A news channel in the US reported an incident in which a couple's smart home and thermostat were hacked [10]. Researchers from academic institutions developed malware to steal confidential data from a smartphone via the device's hacked microphone [12]. They also demonstrated an acoustic side-channel attack on a touch-screen device that reveals everything a user types. Smart coffee machines carry high security risks, as their vendors put minimal effort into the security aspects of their design. The apps for these machines can reveal information about the consumer's bank and cards [10]. It has also been observed that LAN printers pose a risk of cyber attacks on organizations [10]. Researchers hacked the Amazon Echo smart speaker during a live demonstration at a security conference [10]. According to Trend Micro researchers, IoT-based cyber attacks are possible via Internet-connected gas stations [10].
During a demonstration by researchers from the University of Central Florida, a Nest Learning thermostat was hacked within fifteen seconds when the hackers were allowed physical access to the device [13]. The hacker then used the thermostat to expose the Wi-Fi credentials, spy on the consumer, and attack other devices connected to the same wireless network [13]. It was also possible to track the geographical movement of fitness trackers using a customized Raspberry Pi [13]. Further, experts successfully managed to send spam and phishing emails using an Internet-connected refrigerator [13]. There was also an incident in which the in-flight entertainment system of an aeroplane was hacked [13]. A professor reported that a hi-tech train signaling system in the UK was prone to hacking, with potentially severe consequences [13]. It was also claimed that more than 0.45 million connected vehicles are vulnerable to intrusion attacks if the attacker gains access to their IP addresses [13].
Insurance firms employing IoT-enabled services and devices face a high risk of cyberattacks [14]. More than 34% of present-day Internet traffic accounts for cyber threats. The average financial loss due to IoT-related hacks crossed 8 million USD in 2019 [14]. Most of the security breaches reported in the past are the consequence of critical misconceptions about IoT security. Some of these are: that constrained IoT things pose no risk to the system because they transfer unimportant raw data; that mere authentication and authorization are sufficient for securing the entire system; and that it is enough to employ a threat-detection mechanism, since a device reset can stop such an attempt immediately [14].
There are several reported incidents of such security breaches in IoT-enabled systems. The IoT industry finds it difficult to cope with the fast development and innovation in lightweight protocols, hardware devices, and authentication mechanisms proposed explicitly for IoT-based products. Furthermore, vendors are reluctant to adopt these developments for fear that consumers may not find the new product budget-friendly. Smart cities, smart homes, smart cars, smart grids, etc., are gaining attention from various sections of society without any knowledge of the vulnerabilities associated with these emerging systems.
A well-aware consumer sometimes complains publicly (on social media platforms) about security and privacy invasions through an electronic device, and sometimes ignores or replaces the instrument, considering it faulty. The casual attitude towards minor financial or data loss caused by a smart product that provides a little comfort should change to a more serious one. Data interception over an insecure LAN or the Internet is mostly beyond the consumer's reach, as he is hardly aware of any such event on his communication network. Consumer behavior plays a significant role in improving product quality. If every consumer is thoroughly concerned about the quality of the products and services he receives, and carefully points out the pros and cons associated with them, then vendors and manufacturers will take care of every minute detail of the presumable issues and deliver robust, secure, and well-designed products and services.
The most severe, most vulnerable, and most easily targeted loophole in any system or device sets the direction of research in a field. As IoT devices and services achieve new milestones every passing year with more innovative and creative solutions, adversaries and hackers have plenty of options when choosing their probable target. Mostly, startups become the victims, as they lack sufficient expertise and background knowledge to visualize all the possible glitches in their product or service. Security experts, cryptanalysts, and researchers from the various fields closely associated with the IoT-powered devices and services a company is about to launch must play the lead role, along with the core development team, in visualizing and mitigating any attempt to break into the system.
9.5 Current scenario of security in IoT infrastructure
Device-to-user authentication when accessing connected consumer devices is the area of IoT systems that needs serious attention from academia and the biometric industry. The evidence from IoT security breaches reveals that incidents of financial fraud are increasing every passing year due to security vulnerabilities associated with payment gateways and user authentication. Data loss through the communication channel and leakage from cloud-based servers are also common. Several issues need to be addressed before the world of IoT smart devices and services is made free from all forms of threats and vulnerabilities.
A standard TCP/IP protocol stack exists for the Internet. The security of these protocols was well studied and researched before everyone could accept them for data transmission across the globe. In the case of IoT systems, there exists no common standard to which every service provider and consumer-product vendor agrees. Multiple versions of lightweight protocols designed and developed explicitly for IoT infrastructure are mainly applicable to the LAN environment. Cryptanalysts and researchers brainstorm these proposals to pinpoint the flaws in them. For such systems, some proprietary security mechanisms (hardware- and software-based) do exist whose internals remain secret. Still, their analysts claim robustness against all existing threats in order to generate revenue and grow their business. Manufacturers of such systems need to ensure security features such as device identification, device configuration, data protection, logical access to interfaces, software and firmware updates, and cyber-security event logging. Device manufacturers then use such proprietary products to build their smart devices without much effort spent on verifying their security.
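Two of the features just listed, device identification and firmware updates, can be built on the public-key approach this section takes up later: the device keeps a private key and only ever announces the public half. The following Go program is an added illustration and is not code from the chapter or from any vendor it names. It assumes an Ed25519 key pair per device, a server-side registry that pins each enrolled device's public key, a random challenge signed per session (so a captured response cannot be replayed), and a pinned vendor key with which every firmware image must be signed and which also refuses version rollback. The device ID, the message framing, and the firmware bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device models an IoT thing that holds its own private key. The key never
// leaves the device; the server only learns the public half at enrolment.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewDevice generates a fresh key pair (in practice at manufacturing or first
// boot, ideally inside a secure element).
func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// Public returns the key the device announces at enrolment.
func (d *Device) Public() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Registry is the server-side table of enrolled device public keys.
type Registry map[string]ed25519.PublicKey

// NewChallenge issues a fresh random nonce so a response is valid once only.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// authMessage binds the signature to both the claimed device ID and the nonce.
func authMessage(id string, nonce []byte) []byte {
	return append([]byte("device-auth:"+id+":"), nonce...)
}

// Respond is the device side of the challenge-response.
func (d *Device) Respond(nonce []byte) []byte {
	return ed25519.Sign(d.priv, authMessage(d.ID, nonce))
}

// Verify is the server side: the claimed ID must be enrolled and the signature
// must verify under that ID's pinned key.
func (r Registry) Verify(id string, nonce, sig []byte) error {
	pub, ok := r[id]
	if !ok {
		return errors.New("device not enrolled")
	}
	if !ed25519.Verify(pub, authMessage(id, nonce), sig) {
		return errors.New("signature does not verify under enrolled key")
	}
	return nil
}

// FirmwareImage is what the vendor ships: image, version and the vendor's
// signature over version || SHA-256(image).
type FirmwareImage struct {
	Version uint32
	Blob    []byte
	Sig     []byte
}

// GenerateVendorKey produces the vendor signing key pair (kept off-device).
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

func firmwareDigest(version uint32, blob []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(blob)
	return h.Sum(nil)
}

// SignFirmware runs on the vendor's build system.
func SignFirmware(vendorPriv ed25519.PrivateKey, version uint32, blob []byte) FirmwareImage {
	return FirmwareImage{Version: version, Blob: blob, Sig: ed25519.Sign(vendorPriv, firmwareDigest(version, blob))}
}

// VerifyFirmware runs on the device before installing: the image must carry a
// valid vendor signature and must be newer than what is installed.
func VerifyFirmware(vendorPub ed25519.PublicKey, installed uint32, img FirmwareImage) error {
	if !ed25519.Verify(vendorPub, firmwareDigest(img.Version, img.Blob), img.Sig) {
		return errors.New("firmware signature invalid")
	}
	if img.Version <= installed {
		return fmt.Errorf("rollback refused: version %d <= installed %d", img.Version, installed)
	}
	return nil
}

func main() {
	dev, _ := NewDevice("thermostat-01") // constructed device ID
	reg := Registry{dev.ID: dev.Public()}
	nonce, _ := NewChallenge()
	fmt.Println("genuine device accepted:", reg.Verify(dev.ID, nonce, dev.Respond(nonce)) == nil)

	vendorPub, vendorPriv, _ := GenerateVendorKey()
	img := SignFirmware(vendorPriv, 2, []byte("constructed firmware bytes"))
	fmt.Println("signed update accepted:", VerifyFirmware(vendorPub, 1, img) == nil)
}
```

The server never holds anything that would let it impersonate a device, so a leak of the registry exposes only public keys; and because the signed message includes the device ID as well as the nonce, a response captured for one device cannot be presented under another ID.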
As predicted by many global leading agencies, there is a vast demand for IoT-
based appliances and services in the coming years. So the market leaders keep regularly
launching new innovative solutions applicable to day-to-day problems employing IoT and
similar technologies. This competition has made a significant impact on increasing security
vulnerabilities. The product designers and developers heavily rely on third-party proprietary
software and hardware to meet the launching deadline for the new IoT product. Moreover,
due to the security already built into the Internet protocols, minimal attention is
given to securing data in transit from a device to the server. The consumer is rarely
aware of the technical specifications of such a device and buys these products out of curiosity,
comfort, or a sense of security, enjoying them until some security flaw comes to notice.
The automated-payment system implemented in smart consumer products
is exposed to threats from malicious attackers. A smart refrigerator that automatically places
orders for vegetables, eggs, ice creams, etc., and pays the amount through the credit or debit
card credentials of its owner can be one of the probable targets of the adversary. He can hack
the device through the Internet. In such a scenario, he can misuse the card details to order
unnecessarily for the owner or buy something for himself with the owner's money. The
consumer may be unaware of the payment gateway server leaking his bank details or card
information through a security flaw. And he would be surprised to see the debited amount
without his consent or knowledge. An authorized user becomes the victim of such incidents
due to the negligence of the service provider.
Public-key authentication can be used within the IoT infrastructure. In this
mechanism, the device securely stores a private key and announces a public key for
communicating with the device. The main hurdle again turns out to be the strength of
security at the device, which must assure that no intruder can access or modify the stored
key in any unauthorized way. One more problem with device-to-device communication lies
in identifying genuine components of the system once a request is received. A malicious
unknown source can also generate such a request and forward it to an IoT sensor through the
Internet. Hence, the problem to detect a genuine system component and to authenticate only
such devices to access and process the information remains the major challenge.
The local network of IoT sensors, actuators, and gateways is the adversary's best target
for accessing data, since such systems are very likely to use
proprietary wireless LAN communication protocols. The hackers are intelligent and well
equipped to break into such protocols, whose security has been verified only by a limited set of experts
within an organization. Once such a flaw opens the door for the attacker, he becomes an
integral part of the system and accesses, modifies, and deletes data from the devices without
any hint to the system administrators until they come across some significant evidence. The
smart home, smart grids, smart lighting, and smart traffic signaling system are a few
examples that may be the victim of unauthorized access to network communication.
There have been multiple incidents of IoT sensors and actuators being hacked. The
adversary targets the sources of data in an IoT infrastructure. Smart home, smart
healthcare, and smart farming systems are among the most vulnerable systems falling under such
categories. Once the adversary gets access to the data generated by sensors within these
systems, he can trigger attacks on other IoT enabled devices and services connected to the
same LAN, and he can also mount an attack using Trojan horse to destroy the existing
network. The pre-installed Trojan horse can also harm the consumer and the infrastructure.
As there is no single vendor who designs, develops, manufactures, and performs security
analysis of every software and hardware component in an IoT system, we can expect some
flaw in these smart devices.
9.6 IoT threat model and mitigation approaches
Wireless Sensor Network (WSN) forms the basis, and the Internet provides the
backbone for any IoT-based smart devices and services. Hence, the vulnerabilities these
technologies exhibit may also apply to the IoT infrastructure. Denial-of-Service (DoS), Hello
flooding, Sybil, and Sinkhole are some attacks that likely target a WSN15. The wireless
network connecting the sensors, actuators, and IoT gateways in an IoT infrastructure may carry
similar risks. The proprietary protocols employed in such systems may not be secure and
robust enough to resist all the probable existing attacks on the network. A bug in a smart
device such as a web camera, smart speaker, etc. may become a threat to the entire system
using the same infrastructure.
The incidents of IoT security breaches indicate that IoT enabled consumer
appliances, smart devices, and services are still vulnerable to attacks such as hacking, data
interception, etc. As we have several components and communication channels connecting
them, the chance of exposure to an attack attempt remains high. So, we should identify
all the possibilities for a probable attack and categorize them such that a set of mitigation
techniques can protect and secure the IoT infrastructure. Based on the major components
involved in an IoT ecosystem discussed in Figure 2, we propose an IoT threat model with ten
vulnerabilities. Figure 3 shows the proposed threat model, and the naming convention V1 to
V10 depicts the ten vulnerabilities.
Figure 3: IoT threat model
The class of threats associated with listeners and transmitters falls under vulnerability
V1. The adversary hacks these devices and diverts the traffic to a fraudulent server. He may
also inject malicious content into the network to harm the infrastructure. A "hardware
Trojan" is a type of deliberate insertion into hardware design16. Usually, an act of a rogue
designer or vendor can lead to such a security breach in the system. He can also mount a
denial-of-service attack through the IoT nodes. These memory-constrained devices are also
vulnerable to side-channel attacks. The attacker analyses computation time, electric emission
etc. to collect confidential information such as encryption key or authentication secrets. As
these constrained devices are usually battery-powered, it is not feasible to provide additional
software or hardware just for security motives.
The possible attacks at nodes that directly interact with the IoT environment, such as
actuators and controllers, fall under vulnerability V2. The hacker can target devices such as
actuators, controllers, etc. responsible for acting on behalf of the user or the automated
control mechanism in the IoT system to perform an unintended activity. He often employs
tools such as oscilloscope, logic analyzer, and ChipWhisperer to figure out the vulnerabilities
in the target node. Such an incident is often noticeable, and the attacker has very little to
achieve in the long term except destroying or damaging the components on the IoT
infrastructure. Hence, an intelligent adversary invests least time and effort on such attempts.
However, security experts must give necessary consideration to probable threats at such
nodes.
Typically, the nodes in the IoT infrastructure communicate via technologies, such as
Wi-Fi, fiber, Ethernet, ZigBee, 3G, 4G, Bluetooth LE, etc. We categorize the threats to these
communication media as V3. The adversary can retrieve secret information or perform traffic
analysis by eavesdropping over the communication medium. Once the attacker obtains some
confidential data, he uses it to mount a replay attack at a later time. Packet flooding in such
LAN is a form of denial-of-service attack. If the hacker succeeds in controlling the IoT
nodes, he can mount several other attacks, such as man-in-the-middle (MITM) and Sybil
attack, as the entire network will be at his fingertips17. Consequently, he can exploit the
vulnerabilities in the communication protocol and the nodes to destroy or damage the whole
system.
In a distributed denial-of-service attack scenario, a set of geographically dispersed
computers target different nodes within a network infrastructure to ultimately deny any
services to the authorized users. During a Sybil attack in a WSN, the adversary employs the
compromised node to mislead a victim node by presenting multiple identities. The victim
node, in turn, executes the same instruction or operation redundantly. Sniffer instruments are
heavily employed to collect network-related information, communication patterns, physical
locations of various wireless access points, and the protocols used in the network17. A
Sinkhole attack is another way to target the network infrastructure in the IoT system. Here, a
malicious node gathers data from its nearby nodes and bypasses all other communication
links without any hint to the system17.
Usually, the IoT gateways possess high processing power compared to other nodes in
the LAN, sufficient to execute critical and intensive applications. On the darker side, this
capability provides more opportunities for the attacker to succeed in
mounting an attack. IoT gateways located at the intersection of LAN and the Internet thus
become an entry point into the entire system if found vulnerable to any threat at software or
hardware level. IoT gateways are susceptible to data leakage and topology disclosure. In data
leakage, the adversary manages to collect the data from the local storage at a node or by
diverting the traffic from the victim node. As every sensor, actuator, and controller device
within the network communicates with the gateway, a malicious gateway can consequently
disclose the location and identity of these nodes. We label the attacks at IoT gateways as V4.
The attacks corresponding to a local control center within an IoT LAN fall under the category
of vulnerability V5. The threats to the IoT gateways also apply to the local center.
Additionally, they both can be a possible target of a Trojan horse attempt.
The communication to various remote servers, cloud-based services, and user
interfaces from the gateway occurs via the Internet. One must be concerned about the
possible threats to IoT infrastructure that can be mounted via the Internet. Even though we
have a well-established Internet service throughout the world, it is still vulnerable to specific
risks and so cannot be labeled as a fully secure communication medium. An adversary can
execute a DoS attack, man-in-the-middle attack, eavesdropping, selective forwarding, Sybil
attack, channel congestion, and collision attack on Internet services18. We categorize all such
threats through the Internet traffic under V6.
The service provider and smart product vendor usually provide a user interface for the
consumer and various teams working at the cloud server. Web portals, smart phone apps, and
plug-ins for alarm or alert mechanisms are a few examples of such interfaces. The
vulnerabilities associated with them fall under category V7. The hacker can use another app
or operating system bug to capture the smart phone screen or read the app data from system
memory. An insecure web application portal or APIs can disclose secret user information or
delete some files.
Almost every IoT application requires data analytics, and the vendors prefer cloud-
based services for this purpose. But the application, in turn, draws all the risks associated with
cloud servers into its environment. Several attacks have been mounted on cloud servers, which
include flooding attacks, cloud malware injection, SQL injection attacks, and signature
wrapping attacks17. The adversary tries to control the cloud services by injecting malware,
a malicious service instance, or virtual machine on the cloud. He can also modify the XML
signature commonly employed by cloud servers for ensuring service integrity. A malicious
SQL query code for updating, deleting or reading the database contents also poses a potent
threat to cloud infrastructure. The adversary uses the Internet for mounting a DoS attack on
the cloud through flooding. Such risks to cloud-analytics servers are categorized as V8.
An authentication server in an IoT environment ensures that only authorized
individuals are allowed to access the system resources and services. Usually, these servers are
maintained separately, away from the LAN, for security reasons. Such remote servers are
vulnerable to user credential leakage, false data injection, eavesdropping, record deletion or
update, identity theft, password, key, or session token disclosure, etc. These types of threats
to the remote authentication server fall under vulnerability V9.
Smart devices allow consumers to place orders and pay the merchant via stored card
credentials. The IoT service vendor of such consumer appliances also maintains a payment
gateway remotely for providing a secure payment process. The adversary targets these
gateways for performing financial frauds. He intercepts the traffic to such servers to collect
user credentials and utilizes them for his own benefit or places unnecessary orders on behalf of
the smart device. He can also execute DoS, DDoS, false data injection attempts on the
gateway. We classify such threats to the payment gateways under the class of vulnerabilities
V10 in our threat model.
The security mechanisms at different levels in the IoT infrastructure ensure that the
system components and communication links connecting them are least vulnerable to known
threats. The possibility of building an IoT application or service free from all existing and
unforeseen risks cannot be guaranteed. However, the best consumer product or system should
resist the largest number of common threats and incur the least loss in terms of
finances, data, and user privacy. As we can broadly categorize the IoT components into three
categories, namely hardware, software, and communication medium, we present the
countermeasures for the IoT system in these categories to enhance the security and thus build
a robust application or service from scratch.
The hardware devices should be tamper-proof and employ code signing to avoid any
possibility of a Trojan horse attack. Hardware security features such as ARM TrustZone
ensure secure data flow within the devices19. Designing ICs with active shields protects them
from probable side-channel attacks. To provide an identity to each node, an X.509 digital
certificate should be employed. The communication between the nodes can then
use HTTPS or NTLS protocols, so that each node can verify the identity of every other trusted node.
Additional security measures include embedding a Trusted Platform Module (TPM) device,
using a PUF (Physical Unclonable Function), randomizing instruction execution cycles,
using a lightweight hardware implementation of a cipher, network segmentation, a device
registry, etc.
The strategy to secure the communication channel includes encryption using a hash
function20. The authentication mechanism should use message authentication codes (MAC),
digital signatures, and hash functions. A pseudo-random number generator that satisfies a
majority of randomness tests can further enhance the security of communication by
generating asymmetric keys and lowering the chance of a replay attack. We can reduce the risk
of most software-based threats by adopting lightweight intrusion detection methods,
software-defined networking (SDN), ensuring software integrity during updates, auditing (log
management for each update), etc. Cloud-based IoT systems should implement homomorphic
encryption and Cloud Access Security Broker (CASB) for providing security and privacy
protection in cloud-based services. Blockchain technology can also protect against replay
attack, ransomware, malware, etc.
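As an added illustration (not code from the chapter) of the genuine-component problem raised under public-key authentication in Section 9.5 and of the MAC-, nonce- and PRNG-based countermeasures listed above: a three-message handshake between a gateway and an enrolled device. It uses a per-device symmetric key with HMAC in place of the public/private key pair the chapter describes, since that demonstrates the same registry check and proof of key possession with the standard library alone; the registry, device ids and keys are constructed for the example.

```python
"""Nonce-based challenge-response authentication of an IoT node to its gateway.

Constructed example.  The gateway holds a registry of enrolled device ids and the
per-device keys provisioned at manufacture; an id not in the registry is refused
before any cryptography runs.  Both sides prove possession of the key over fresh
nonces, so a response captured on the LAN cannot be replayed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class AuthError(Exception):
    """Raised when a party fails to prove it is a genuine system component."""


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gateway:
    def __init__(self, registry: dict[bytes, bytes]) -> None:
        self.registry = dict(registry)          # device id -> provisioned long-term key
        self.pending: dict[bytes, bytes] = {}   # device id -> outstanding challenge nonce
        self.seen: set[bytes] = set()           # device nonces already accepted (anti-replay)

    def challenge(self, device_id: bytes) -> bytes:
        """Message 1: refuse unknown ids, otherwise send a fresh random challenge."""
        if device_id not in self.registry:
            raise AuthError("unknown device id: not an enrolled component")
        nonce = secrets.token_bytes(16)         # CSPRNG output, never reused
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: bytes, dev_nonce: bytes, tag: bytes) -> tuple[bytes, bytes]:
        """Message 2 check: the device must have keyed both nonces with the enrolled key."""
        key = self.registry.get(device_id)
        gw_nonce = self.pending.pop(device_id, None)
        if key is None or gw_nonce is None:
            raise AuthError("no outstanding challenge for this device")
        if dev_nonce in self.seen:
            raise AuthError("replayed response")
        expected = mac(key, b"device-proof", device_id, gw_nonce, dev_nonce)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            raise AuthError("bad tag: device does not hold the enrolled key")
        self.seen.add(dev_nonce)
        session = mac(key, b"session", gw_nonce, dev_nonce)
        proof = mac(key, b"gateway-proof", device_id, dev_nonce, gw_nonce)   # message 3
        return session, proof


class Device:
    def __init__(self, device_id: bytes, key: bytes) -> None:
        self.device_id, self.key = device_id, key
        self.gw_nonce = self.nonce = b""

    def respond(self, gw_nonce: bytes) -> tuple[bytes, bytes]:
        """Message 2: own nonce plus a MAC binding the id and both nonces."""
        self.gw_nonce, self.nonce = gw_nonce, secrets.token_bytes(16)
        return self.nonce, mac(self.key, b"device-proof", self.device_id, gw_nonce, self.nonce)

    def finish(self, proof: bytes) -> bytes:
        """Message 3 check: the gateway must prove it holds our key too (mutual auth)."""
        expected = mac(self.key, b"gateway-proof", self.device_id, self.nonce, self.gw_nonce)
        if not hmac.compare_digest(expected, proof):
            raise AuthError("gateway failed to prove it holds the device key")
        return mac(self.key, b"session", self.gw_nonce, self.nonce)


def authenticate(gw: Gateway, dev: Device):
    """Run the handshake; return (status, gateway session key, device session key, captured)."""
    captured = ()
    try:
        gw_nonce = gw.challenge(dev.device_id)
        dev_nonce, tag = dev.respond(gw_nonce)
        captured = (dev_nonce, tag)             # what an eavesdropper on the LAN sees
        gw_session, proof = gw.verify(dev.device_id, dev_nonce, tag)
        dev_session = dev.finish(proof)
    except AuthError as exc:
        return str(exc), None, None, captured
    return "ok", gw_session, dev_session, captured


def replay(gw: Gateway, device_id: bytes, captured: tuple) -> str:
    """An adversary requests a challenge and replays a previously captured response."""
    try:
        gw.challenge(device_id)
        gw.verify(device_id, *captured)
    except AuthError as exc:
        return str(exc)
    return "ok"


# Constructed registry; real keys come from secure provisioning, never from source code.
REGISTRY = {b"sensor-01": secrets.token_bytes(32), b"actuator-07": secrets.token_bytes(32)}

if __name__ == "__main__":
    gateway = Gateway(REGISTRY)
    print(authenticate(gateway, Device(b"sensor-01", REGISTRY[b"sensor-01"]))[0])
```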
The threats to various communication links, software modules, and hardware
components have different intensities in terms of financial and data loss to the consumer and
the service provider. Smart devices have touched almost every aspect of human life, and
subsequently, we are inviting their probable dangers into our lives, exposing everything we
own. Since not every consumer is technically savvy, they believe every news item and review
available online and form misconceptions. We have addressed the possible risks associated
with smart devices and also specified the ways to mitigate them. In today's digital world, a
consumer excited about smart devices must become smart enough to understand the know-how
of every such device in their possession.
9.7 Authentication using biometric systems
The conventional ways for user authentication include password, token,
patterns, security question, personal identification number (PIN), identity card (ID), etc. We
can see rapid growth in the usage of the Internet in recent times. So a large number of
services are available to everyone, and they require any of the conventional authentication
approaches to secure their accounts created for accessing these services. The main drawbacks
with these approaches are that a user has to remember them and a brute-force or dictionary
attack can crack them with minimal effort. Additionally, for each attempt when a user opts
for the "forgot password" or "reset PIN" option, the service provider incurs a financial loss.
Hence, we need an authentication mechanism for which the user incurs small effort overhead,
the service provider faces minimal expenses, and the authentication is less prone to attacks. A
biometric system has emerged as an alternative to these methods that provides more
convenient and secure authentication. A system employing biometric-based authentication
assures that only the legitimate user controls the smart device and accesses the system through the
user interface. It also guarantees that every transaction is signed using consumer biometric
data. Such a mechanism can mitigate vulnerabilities V7, V9, and V10 from Fig. 3.
The biometric system employs an individual's biological traits for user
recognition. These systems possess high accuracy and are available for commercial and
personal use. Several government and private organizations rely on a biometric system rather
than conventional token or password-based systems. Smart phones, home security
applications, university attendance systems, cash dispenser machines, and e-voting are a few
examples employing biometric user authentication in the current scenario. These systems are
easy to operate even for a layperson, and most importantly, the user is free from remembering
passwords or tokens for verifying his identity. In general, a system administrator enrolls a
new user to the biometric system database with two or more samples of his biometric trait.
The system uses these enrolled traits from the database to recognize him whenever he
submits his biometric data to the biometric system.
Most often, an administrator performs enrollment of a user to the biometric
system. There are two ways to provide access control using a biometric system. The device
can be an identification system or an authorization system. During identification, the system
compares the recently acquired biometric input to all the samples stored in the database. The
system identifies the input with the identity of the database entry that generates the highest
similarity. In this case, the unknown user does not reveal any other information about his
identity to the system other than his biometric data. The user claims his identity while
submitting his traits to a biometric authentication system. The system then compares his
features with the database entries stored for the claimed user to conclude whether the claimed
identity is true or false.
The biometric system employs the physiological and behavioral traits of an
individual. The physiological characteristics include fingerprint21, palmprint22, iris23, ear24,
voice (speech)25, face26, palm veins and hand geometry27, DNA28, electroencephalographic
(EEG) signals29, etc. The behavioral features capable of recognizing an individual include
signature, gait30, keystroke dynamics31, posture32, etc. A biometric system extracts unique
features from a submitted biometric data to create an encrypted biometric template33 for
storing into the database. A biometric system may employ more than one trait to improve
recognition accuracy. Such design fuses the features from the biometric data to create a
highly unique template. We term such systems as multimodal biometric34 recognition
systems. With advances in technology, biometric systems have also evolved during the
past two decades. The traditional biometric systems store the user templates in a remote
database (i.e. match-in-database). Meanwhile, the advanced biometric applications keep an
individual's template on a smart card dedicated to the user. The card-based biometric
systems include template-on-card (ToC)35, match-on-card (MoC)36, and system-on-card
(SoC)35.
Figure 4: Block diagram for match-in-database fingerprint biometric system35
Figure 4 shows various components of a typical match-in-database fingerprint
biometric system. The sensor in the input device accepts the user's finger and generates a
grayscale or RGB image. The feature extraction module looks for specific patterns in
these images. During the enrollment phase, the template protection techniques module uses
these patterns to generate an encrypted template for storing in the remote database. However,
while identifying or authenticating an individual through his fingerprint, the template
protection techniques module communicates the template to the comparison module. The
comparison module then fetches the templates from the database to compare with the newly
generated template. It forwards the score for each comparison to the matcher module. The
matcher module uses these scores to conclude either the identity of the unknown user or
verify his claim.
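As an added example (not the chapter's own code) of the match-in-database pipeline of Figure 4 and of the identification versus verification decision described earlier in this section: a toy fingerprint matcher in Python. The feature vectors, per-capture noise, user seeds and threshold are constructed; template protection is a BioHashing-style keyed random projection, one of the cancellable-template techniques, and not a specific scheme the chapter cites.

```python
"""Toy match-in-database fingerprint system with cancellable templates.

Constructed example: a user's fingerprint is stood in for by an 8-element
feature vector (a real extractor would derive one from the sensor image) and
each presentation of the finger is simulated by adding sensor noise to it.
Template protection is a BioHashing-style keyed random projection: features
are projected with a matrix generated from a per-user secret seed before
storage, so a stolen template is cancelled by re-enrolling under a new seed.
"""
import math
import random

DIM = 8      # length of the feature vector the (simulated) extractor emits
PROJ = 32    # length of the protected template


def capture(features, seed, sigma=0.02):
    """Sensor + feature extraction: the user's true vector plus per-capture noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def protect(features, user_seed):
    """Template-protection module: keyed random projection of the feature vector.

    Only the seed needs keeping, since the matrix is regenerated from it.  The
    projection alone is invertible by an attacker who also steals the seed, so
    deployed schemes keep the seed on a user token and add quantisation.
    """
    rng = random.Random(user_seed)
    return [sum(rng.gauss(0.0, 1.0) * f for f in features) for _ in range(PROJ)]


def similarity(a, b):
    """Comparison module: cosine similarity in [-1, 1]; 1 means identical direction."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


class BiometricDB:
    """Remote template database plus the matcher's decision rule."""

    def __init__(self, threshold=0.9):
        self.threshold = threshold
        self.records = {}       # user -> (user_seed, [protected templates])

    def enroll(self, user, captures, user_seed):
        """An administrator enrolls two or more captures of the user's trait."""
        if len(captures) < 2:
            raise ValueError("enroll with two or more samples")
        self.records[user] = (user_seed, [protect(c, user_seed) for c in captures])

    def score(self, user, probe_features):
        """Matcher input: best score of the probe against each template stored for user."""
        user_seed, templates = self.records[user]
        probe = protect(probe_features, user_seed)      # same transform as at enrollment
        return max(similarity(probe, t) for t in templates)

    def identify(self, probe_features):
        """1:N search: the user whose templates score highest, if above threshold."""
        best = max(self.records, key=lambda u: self.score(u, probe_features))
        return best if self.score(best, probe_features) >= self.threshold else None

    def verify(self, claimed_user, probe_features):
        """1:1 check of a claimed identity against that user's templates only."""
        if claimed_user not in self.records:
            return False
        return self.score(claimed_user, probe_features) >= self.threshold


# Constructed "true" feature vectors; CAROL is never enrolled.
ALICE = [0.8, -0.3, 0.5, -0.6, 0.2, 0.7, -0.4, 0.1]
BOB = [-0.3, 0.8, 0.1, 0.5, -0.7, 0.2, 0.6, -0.4]
CAROL = [0.5, 0.5, -0.6, -0.2, 0.4, -0.5, 0.3, 0.6]


def build_demo_db():
    db = BiometricDB()
    db.enroll("alice", [capture(ALICE, 1), capture(ALICE, 2)], user_seed=1001)
    db.enroll("bob", [capture(BOB, 3), capture(BOB, 4)], user_seed=2002)
    return db


def stolen_template_matches_after_cancel(db):
    """Cancellation: re-enroll alice under a new seed; does her old template still match?"""
    old_templates = db.records["alice"][1]
    db.enroll("alice", [capture(ALICE, 5), capture(ALICE, 6)], user_seed=3003)
    new_templates = db.records["alice"][1]
    return max(similarity(o, n) for o in old_templates for n in new_templates) >= db.threshold


if __name__ == "__main__":
    demo = build_demo_db()
    print(demo.identify(capture(ALICE, 7)), demo.verify("bob", capture(ALICE, 8)))
    print(stolen_template_matches_after_cancel(demo))
```

Identification must re-run the per-user transform for every candidate, which is why the 1:N search costs N projections while verification costs one.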
The biometric field has evolved into diverse applications over the past fifty
years. The system that initially gained popularity as a mere verification or identification
system was later found suitable for various other problems. Present-day use cases employing
biometric systems comprise border security, access control, forensic investigations, controlling
child trafficking, monitoring infant vaccination, channelizing government schemes to
underprivileged citizens, home security, university attendance systems, and banking services
such as cash dispenser machines. These systems have found scope in security and privacy applications
along with identity management. Present-day smart phones, laptops and other handheld
devices, and smart homes are a few recent examples that incorporate biometric recognition. The
researchers are now looking forward to figuring out the possibility of integrating biometric
into IoT-based devices and systems.
The recent research outcomes prove that the biometric field is marching in
diverse directions. The researchers are focusing on multimodal biometric-based
authentication, wearable biometrics37, poor quality data, post-mortem biometrics37, human-
computer interaction, scalability37, template protection, personal privacy, data integrity, etc.
There is also scope for detecting and mitigating presentation attacks, for soft biometrics37, and for
improving the accuracy and response time of modalities that use 3D images. The
manufacturers of biometric systems employing face, gait, high-resolution 3D images, iris,
etc. are aiming to develop pocket-friendly devices that have high precision even with noisy
data. Figure 5 depicts a glimpse of the biometric-enabled applications.
In the case of IoT infrastructure, we can provide access to raw IoT data and
system components via biometric user authentication. We can replace the traditional
authentication server from Fig. 3 with a biometric cancellable template database. A
multimodal biometric authentication would further enhance the security of the system. The
system becomes more trustworthy and acceptable to a larger community. We can even add
smart phone-based biometric authentication and associate the hardware identity to further
lower the chances of replay attacks. In addition, there is minimal chance of vulnerability
V6 occurring at the authentication server.
Figure 5: Application areas of biometric systems
9.8 Authentication in IoT system
We can provide secure user authentication within an IoT infrastructure at user
interfaces, for individual recognition, and for ensuring the authenticity of a payment process. User
authentication and authorization have received significant attention from researchers across
academia and industry. When it comes to commercial IoT products, the vendors still prefer to
stick with the traditional user authentication methods. But the academic research efforts try to
figure out more innovative and IoT-enabled product and system-specific solutions.
Multifactor remote user authentication is shown to be secure from existing threats to the
system38,39. IoT medical applications can be secured using mutual authentication achieved by
elliptic curves cryptosystem (ECC)40. An Efficient Anonymous User Authentication (E-
AUA) protocol that reduces the computation and communication cost for mobile IoT devices
using multiple servers proves to address the network congestion issue in the system41.
FlexPass42 employs a one-time text and graphical secret chosen by the user for
authentication into the IoT system. In this paradigm, the user has the flexibility to select the
kind of secret he wishes to use for authentication, which can be changed if he finds it
inconvenient. A WSN and IoT powered greenhouse monitoring system that utilizes a two-
factor user authentication mechanism including a confirmation code has been demonstrated to be useful in
practical application43. It is also possible to secure an IoT enabled Farm Management
Information Systems (FMIS) using RFID technology44. An innovative authentication protocol
based on hashing and XOR-ing operations that is free from time stamping is suitable for the
Industrial IoT (IIoT) technology45. A light-weight key agreement and user authentication
protocol facilitates session key negotiation to ensure mutual authentication between the
communicating parties for WSNs within the IoT infrastructure46. The approach implements simple
operations such as hashing and XOR-ing.
The way users interact with IoT devices within the system may also help in user
authentication with above 85% accuracy47. The approach performed with 97% accuracy for
classifying five users interacting with the IoT devices and nodes. The use of smartcards for
multi-factor remote user authentication proves to be secure against several existing threats to
IoT and cloud infrastructure48,49,50,51. Recent research has also focused on user authentication
into IoMT. It is possible to use three-factor authentication, including password and smartcard,
to allow medical practitioners to assess a patient's health updates securely52. There is evidence
of using Blockchain technology for secure and safe user authentication in the IoT system53.
The cryptographic notion of elliptic curve cryptography (ECC) can also be employed to
provide session key security as well as user anonymity54.
Level-Dependent Authentication (LDA) is a resource-efficient key sharing
mechanism employing the organizational hierarchy for allowing the user to sensor
communication55. A signature scheme that requires no certificate and performs unidirectional
communication for anonymous authentication during mobile payments in IoT-enabled smart
devices proves to be lightweight, efficient, and practical56. A hardware fingerprint of the
sensor can be obtained within an IoT infrastructure and then compared against
reference measurements collected before deployment for secret-free authentication57. It is
also feasible to generate strong keys dynamically to provide secure communication and
authentication between IoT gateways and the edge nodes within an IoT system58. User
privacy preservation under the IoT environment requires an anonymous user authentication
approach59.
A smart phone's SMS facility can act as a means of device authentication for
constrained nodes in IoT systems60. A novel approach employing ZigBee technology
proposes node-to-node anonymous and mutual authentication suitable for smart home
systems61. It is feasible to generate a unique ID for each IoT device from its SRAM to
authenticate the device securely62. An artificial intelligence-powered lightweight and fast
authentication approach can reduce communication latency between the IoT devices63.
CirclePIN is a mechanism for authorizing a user to IoT nodes via a smartwatch64. It is
possible to mitigate data extraction and similar attacks on communication channels within an
IoMT using random numbers and session keys for hashing and to encrypt the data65. The IoT-
powered WSN (Wireless Sensor Network) is vulnerable to DoS attack, and stolen verifier as
well as user traceability attempts. An approach to authenticating a remote user via symmetric
key protocol secures the communication channel against such attempts66.
Device-to-device authentication becomes more promising when it is feasible to exploit
specific unique properties of the hardware device. The uniqueness, unclonability, and
tamper-evidence characteristics of Physical Unclonable Functions (PUFs) can play a vital
role in securing communication between two IoT nodes67. Advancements in software
technologies also open new doors for providing security and privacy features to communicate
over different media. Algorithms that evolve on their own and can adapt to
varying conditions may be the most suitable choice for the IoT environment. A combination
of deep neural network and machine learning algorithms at communicating nodes within an
IoT environment enhances security during authentication68.
Most existing approaches rely on traditional user authentication methods to assure
that only legitimate individuals can use IoT powered smart devices
and systems. However, the data sensing devices and intermediate nodes within the IoT
infrastructure are equally at risk of being hacked by an adversary. Researchers
have largely overlooked this domain in their work. A centralized
authentication server that maintains the database of legitimate users is not enough to assure that the system
in its entirety is free from all sorts of external risks. The more secure a system
becomes, the harder attackers try to find some new loophole to access its services illegally.
We can link an authentication mechanism to a user interface, authentication server,
and payment gateway to thwart vulnerabilities V7, V9, and V10, respectively in the threat
model shown in Fig. 3. Thus, biometric authentication will be required to approve automated
financial transactions within the IoT environment. Also, the mechanism will guarantee access
to resources by legitimate users and authorities. We are at the initial stage of approving
banking services using consumer biometric data. But it will be a massive achievement
once we cross this milestone in most countries across the globe.
9.9 Biometrics for IoT security
The advantage of biometric-based user authentication to the IoT system lies in its
uniqueness. The user gets relieved from worries of forgetting his credentials for
authentication for almost a lifetime. If his biometric data is stolen by some means, cancellable
biometrics can regenerate different authentication data from the same
biometric trait. Since an individual possesses multiple traits, the system can be made
more secure by employing a combination of these traits. Also, the template protection
mechanisms for storing the encrypted biometric data on the server assure that the information
about the biometric features or patterns of a user is entirely confidential. Hence, even if the
attacker gets access to the template, he will find it infeasible to know the biometric details of
the owner.
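As an added example (not part of the chapter), the following Go program models a cancelable template scheme in the style of BioHashing: a user-specific revocable token seeds a random projection of the feature vector, the projections are binarised, and only the sign bits are stored, so a leaked template can be revoked by issuing a new token to the same finger. The 16-element feature vector and the tokens are constructed values standing in for real fingerprint features, and the projection and the matching threshold are illustrative choices, not those of any scheme cited above.

```go
package main

import (
	"fmt"
	"math/rand"
)

const (
	featureDim  = 16 // length of the (constructed) feature vector
	templateLen = 64 // number of bits in the protected template
	matchLimit  = 12 // largest Hamming distance accepted as a genuine match
)

// Template is the protected, cancelable form of a sample: only the sign bits
// of token-keyed random projections, never the raw feature values.
type Template [templateLen]bool

// projection derives a templateLen x featureDim matrix of pseudo-random
// weights in [-1, 1) deterministically from the user's revocable token.
func projection(token int64) [][]float64 {
	rng := rand.New(rand.NewSource(token))
	m := make([][]float64, templateLen)
	for i := range m {
		m[i] = make([]float64, featureDim)
		for j := range m[i] {
			m[i][j] = rng.Float64()*2 - 1
		}
	}
	return m
}

// Protect turns features into a cancelable template: project with the
// token-derived matrix and keep only the sign of each projection. The
// binarisation is many-to-one, so the stored bits do not give back the
// features, and a new token yields an unrelated template from the same trait.
func Protect(features [featureDim]float64, token int64) Template {
	var t Template
	for i, row := range projection(token) {
		var acc float64
		for j, w := range row {
			acc += w * (features[j] - 0.5) // centre the [0,1] features first
		}
		t[i] = acc >= 0
	}
	return t
}

// Hamming counts the bits in which two templates differ.
func Hamming(a, b Template) int {
	d := 0
	for i := range a {
		if a[i] != b[i] {
			d++
		}
	}
	return d
}

// Match protects a fresh sample with the presented token and accepts it if it
// lies within matchLimit bits of the stored template.
func Match(stored Template, features [featureDim]float64, token int64) bool {
	return Hamming(stored, Protect(features, token)) <= matchLimit
}

// Enrolled is a constructed feature vector standing in for a fingerprint
// feature set (not real biometric data).
var Enrolled = [featureDim]float64{
	0.12, 0.87, 0.45, 0.66, 0.23, 0.91, 0.38, 0.54,
	0.77, 0.09, 0.61, 0.33, 0.95, 0.48, 0.19, 0.72,
}

// Noisy simulates re-sampling the same user with small sensor noise.
func Noisy(base [featureDim]float64) [featureDim]float64 {
	out := base
	for i := range out {
		if i%2 == 0 {
			out[i] += 0.01
		} else {
			out[i] -= 0.01
		}
	}
	return out
}

func main() {
	const token, reissued = 2024, 2025 // constructed user tokens, not values from any real system
	stored := Protect(Enrolled, token)
	fmt.Println("genuine re-sample accepted:", Match(stored, Noisy(Enrolled), token))
	// Revocation after a template leak: the user keeps the same finger but
	// receives a new token; the leaked template no longer matches anything.
	fmt.Println("leaked template vs re-issued token:", Match(stored, Enrolled, reissued))
	fmt.Println("bits differing between old and new template:", Hamming(stored, Protect(Enrolled, reissued)))
}
```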
Biometric-based user authentication is highly applicable to IoT devices and systems. However, as an individual has multiple characteristics suitable for unique identification and authentication, we must decide the most feasible trait for a specific application. Facial recognition systems may not differentiate identical twins, and in some cases even face masks can fool such systems [9,69]. Since social media has entered our everyday life, we are becoming less hesitant to post photos of ourselves and our families on such platforms. Hence, we should avoid facial authentication for financial transactions or critical applications. Voice-based authentication may not distinguish a recorded voice and thus fails to provide the expected level of security. Modalities such as voice, ear, gait, etc. are still in the experimental stage [9].
The fingerprint of an individual is unique, and to date no two individuals have been recorded with the same fingerprint patterns. Moreover, research in this domain recently passed the fifty-year mark, and highly accurate fingerprint biometric systems are available in the market [70]. Additionally, compared to other modalities, a fingerprint biometric system requires the least assistance from the user and is comfortable to operate even for a layperson. Being the most mature, efficient, and convenient among all the characteristics, these systems are employed for user identification and authentication at various government, private, and even high-security installations. Fingerprint-based biometric authentication thus wins the race as the most suitable and practical option for the IoT environment.
Cancelable biometric authentication can help preserve security and privacy in IoT-based applications [71]. Similarly, a multimodal biometric system has been shown to provide enhanced security and improved accuracy when authorizing an individual to access an IoT network [72]. A biometric-powered anonymous user authentication scheme that performs only lightweight operations in the IoT infrastructure proves to be efficient [73]. The mechanism is best suited for smart homes, and it assures that the remaining smart devices inside the house remain unaffected even if a hacker breaks the security of the smart home. The user may also choose ECG (electrocardiography) as a biometric trait for authentication to the IoT system [74,75]. A face recognition approach can provide user authentication on smartphones [76].
A novel combination of a system-level obfuscation method with electrocardiogram (ECG) and photoplethysmograph (PPG) biometrics addresses unauthorized access to IoT nodes [77]. The approach also helps prevent tampering and reverse engineering. Research also shows the use of behavioral biometrics to provide secure and authorized access to IoT system components [78,79], and keystroke biometrics has demonstrated promising results for user authentication [80]. We can employ these approaches especially for smartphone authentication. A smart healthcare system also needs access restricted exclusively to medical practitioners and family members, and a biometric-based system can be a feasible solution in such scenarios [81]. Bimodal biometric authentication provides enhanced security on smartphones [82].
Storing the biometric template on a smart card mitigates several attacks associated with templates and requires no additional remote template database server. A similar approach can also provide secure and authorized access to IoT resources [83,84]. Additionally, if the system employs a system-on-chip (SoC), most of the vulnerabilities associated with the biometric system will be eliminated. Consumers would find it convenient to carry their smart card and be rid of the several issues related to traditional authentication mechanisms. Biometric-based access control systems would benefit vendors and buyers many times over. Hence, sooner or later, IoT-enabled smart devices and services will offer such solutions to consumers.
The Fast Identity Online (FIDO) Alliance provides solutions for replacing conventional approaches to identity management (IM) in a more secure, convenient, and feasible manner [85]. The alliance includes more than 200 industry leaders in the software and hardware sectors. Its first framework provides smart devices with passwordless authentication. In another protocol, the coalition presents a small hardware token for implementing two-factor authentication. Asymmetric (public-key) cryptography forms the basis for authentication under both approaches. The Verifiable Credentials (VC) data model proposed by the World Wide Web Consortium (W3C) is a similar initiative to identify better user-centric solutions for the identity ecosystem [86]. These solutions are decentralized digital identity systems and are presently available for real-time use in smart devices and IoT-based user authentication. As there is a profound demand for a standard protocol across various consumer products and services, different market leaders are collaborating with the alliance and incorporating its strong authentication standards as a security mechanism for the products and services they offer.
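As an added example (not the chapter's or the FIDO Alliance's code), the following Go program models the public-key challenge-response that underlies both FIDO approaches described above: the device keeps a private key per relying party and signs a fresh server challenge together with the relying-party id and a use counter, while the server, holding only the public key, checks the signature and that the counter advanced. The relying-party ids, the user name and the layout of the signed message are constructed for the illustration and do not follow FIDO's actual wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's device or hardware token: one private key per relying party, never exported, plus a signature counter.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // relying-party id -> private key
	counter uint32
}

// RelyingParty models the server: it stores only public keys and the last counter seen per user, never a secret.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey
	last map[string]uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}, last: map[string]uint32{}}
}

// signedData binds a signature to the relying party, the fresh challenge and the counter, so it is worthless on another site or later.
func signedData(rpID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	binary.Write(h, binary.BigEndian, counter)
	return h.Sum(nil)
}

// NewChallenge draws a random single-use challenge for one login attempt.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// Register creates a key pair for this relying party and hands over only the public half (passwordless enrolment, no shared secret).
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = key
	return &key.PublicKey
}

// Sign answers a challenge for the site the device believes it is talking to; a look-alike site with another id gets a signature bound to that id.
func (a *Authenticator) Sign(rpID string, challenge []byte) (uint32, []byte, error) {
	key, ok := a.keys[rpID]
	if !ok {
		return 0, nil, fmt.Errorf("no credential for %q", rpID)
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedData(rpID, challenge, a.counter))
	return a.counter, sig, err
}

// Verify accepts a response only if the counter moved forward (a repeated counter points to a
// replayed response or a cloned token) and the signature verifies under the enrolled public key
// for our own rpID and this challenge.
func (rp *RelyingParty) Verify(user string, challenge []byte, counter uint32, sig []byte) error {
	pub, ok := rp.pubs[user]
	if !ok {
		return fmt.Errorf("unknown user %q", user)
	}
	if counter <= rp.last[user] {
		return errors.New("signature counter did not increase (replay or clone)")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge, counter), sig) {
		return errors.New("bad signature: wrong key, wrong site or stale challenge")
	}
	rp.last[user] = counter
	return nil
}

func main() {
	dev, rp := NewAuthenticator(), NewRelyingParty("bank.example")
	rp.pubs["alice"] = dev.Register(rp.ID) // enrolment: the server learns only the public key
	ch := NewChallenge()
	counter, sig, _ := dev.Sign(rp.ID, ch)
	fmt.Println("genuine login:", rp.Verify("alice", ch, counter, sig))
	fmt.Println("replayed response:", rp.Verify("alice", ch, counter, sig))
}
```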
We can employ a fingerprint-based biometric system over other modalities to solve the problem of user-to-device authentication, as well as to allow only authorized individuals to access data and services, addressing vulnerability V9 from the threat model proposed in Fig. 3. Consumers are also likely to welcome such a move, since most of them have already used a fingerprint-based biometric system in the past. We are living in a rapidly progressing world where privacy and security need the utmost attention to ensure that future generations find it safe to use smart devices and services. A fingerprint biometric system would meet the requirement of the time and become a solution to the authentication-related questions raised by industry innovations.
9.10 Conclusion
We are living in a world of information and communication technology (ICT). The advancements and innovations powered by ICT have made a significant impact on our daily routine. We are so connected with this new Internet world that people feel uncomfortable if their Internet goes down even for a few minutes. Hence, Internet service providers (ISPs) worldwide are taking every possible step to provide uninterrupted, high-speed connectivity to their consumers, even in remote areas. The notion of the Internet-of-Things is the outcome of a sufficiently mature ICT. The chapter provides a broad review of the current state of Internet-of-Things technology. It covers various types of IoT devices and services and presents the differences between them in terms of their functionalities. The chapter also discusses the security issues in these devices and suggests corrective and mitigation steps against probable threats to such systems. The study also addresses the need for a highly secure authentication mechanism, such as a biometric system, to authorize and authenticate an individual. We emphasize the benefits of employing a fingerprint-based biometric system in an IoT infrastructure. We tuned the contents so that readers understand the significance of every term specific to IoT and biometric systems. In a nutshell, the chapter introduces the reader to IoT and biometric systems from a security perspective and encourages them to address the various threats to both.
References
[1] Dimitrios P. Glaroudis, Athanasios C. Iossifides, and Periklis Chatzimisios, "Survey, comparison and research challenges of IoT application protocols for smart farming," Comput. Networks 168 (2020).
[2] Soraya Sinche, Duarte M. G. Raposo, Ngombo Armando, André Rodrigues, Fernando Boavida, Vasco Pereira, and Jorge Sá Silva, "A Survey of IoT Management Protocols and Frameworks," IEEE Commun. Surv. Tutorials 22, no. 2 (2020): 1168–1190.
[3] Arun Ross, Sudipta Banerjee, and Anurag Chowdhury, "Security in smart cities: A brief review of digital forensic schemes for biometric data," Pattern Recognition Letters 138 (2020): 346–354.
[4] Sathyan Munirathinam, "Chapter Six - Industry 4.0: Industrial Internet of Things (IIOT)," Adv. Comput. 117 (2020): 129–164, doi:10.1016/bs.adcom.2019.10.010.
[5] Gulraiz J. Joyia et al., "Internet of Medical Things (IOMT): Applications, Benefits and Future Challenges in Healthcare Domain," J. Commun. 12, no. 4 (2017): 240–247, doi:10.12720/jcm.12.4.240-247.
[6] Muhammad Junaid Farooq and Quanyan Zhu, "On the Secure and Reconfigurable Multi-Layer Network Design for Critical Information Dissemination in the Internet of Battlefield Things (IoBT)," IEEE Trans. Wireless Communications 17, no. 4 (2018): 2618–2632, doi:10.1109/TWC.2018.2799860.
[7] Rubin Zheng, Haowei Wang, and Jingzhu Zhao, "A Unified Management Framework for EIoT Systems Based on Metadata and Event Detection," IEEE Access 7 (2019): 112629–112638, doi:10.1109/ACCESS.2019.2930290.
[8] Sobin C. C., "A Survey on Architecture, Protocols and Challenges in IoT," Wirel. Pers. Commun. 112, no. 3 (2020): 1383–1429.
[9] David Orme, "Can biometrics secure the Internet of Things?," Biometric Technology Today 2019, no. 5 (2019): 5–7.
[10] Rudra Srinivas, "10 IoT Security Incidents That Make You Feel Less Secure," CISO MAG, 2020, https://cisomag.eccouncil.org/10-iot-security-incidents-that-make-you-feel-less-secure/ (accessed January 10, 2020).
[11] Anindya Maiti and Murtuza Jadliwala, "Smart Light-based Information Leakage Attacks," GetMobile Mob. Comput. Commun. 24, no. 1 (2020): 28–32.
[12] Ilia Shumailov, Laurent Simon, Jeff Yan, and Ross Anderson, "Hearing your touch: A new acoustic side channel on smartphones," CoRR abs/1903.11137 (2019).
[13] Gemalto, A Safer Internet of Things: Gemalto's Guide To Making the Internet of Things A Safe Place To Connect, 2016, https://www.thalesgroup.com/sites/default/files/gemalto/iot-security-ebook.PDF (accessed January 2016).
[14] Y. Leong and Y. Chen, "Cyber risk cost and management in IoT devices-linked health insurance," Geneva Pap. Risk Insur. Issues Pract. (2020), https://doi.org/10.1057/s41288-020-00169-4.
[15] Peter Aufner, "The IoT security gap: a look down into the valley between threat models and their implementation," Int. J. Inf. Sec. 19, no. 1 (2020): 3–14.
[16] Anirban Sengupta and Sandip Kundu, "Guest Editorial Securing IoT Hardware: Threat Models and Reliable, Low-Power Design Solutions," IEEE Trans. Very Large Scale Integr. Syst. 25, no. 12 (2017): 3265–3267.
[17] Kejun Chen, Shuai Zhang, Zhikun Li, Yi Zhang, Qingxu Deng, Sandip Ray, and Yier Jin, "Internet-of-Things Security and Vulnerabilities: Taxonomy, Challenges, and Practice," J. Hardw. Syst. Secur. 2, no. 2 (2018): 97–110.
[18] Imran Makhdoom, Mehran Abolhasan, Justin Lipman, Ren Ping Liu, and Wei Ni, "Anatomy of Threats to the Internet of Things," IEEE Commun. Surv. Tutorials 21, no. 2 (2019): 1636–1675.
[19] Amit Kumar Sikder, Giuseppe Petracca, Hidayet Aksu, Trent Jaeger, and A. Selcuk Uluagac, "A Survey on Sensor-based Threats to Internet-of-Things (IoT) Devices and Applications," CoRR abs/1802.02041 (2018).
[20] Francesca Meneghello, Matteo Calore, Daniel Zucchetto, Michele Polese, and Andrea Zanella, "IoT: Internet of Threats? A Survey of Practical Security Vulnerabilities in Real IoT Devices," IEEE Internet Things J. 6, no. 5 (2019): 8182–8201.
[21] Davide Maltoni, Raffaele Cappelli, and Didier Meuwly, Automated Fingerprint Identification Systems: From Fingerprints to Fingermarks. Springer, 2017.
[22] Andrew Beng Jin Teoh and Lu Leng, Palmprint Matching. Springer US, 2015.
[23] Christian Rathgeb, Andreas Uhl, and Peter Wild, Iris Biometrics - From Segmentation to Template Security, vol. 59. Springer, 2013.
[24] Ayman Abaza, Arun Ross, Christina Hebert, Mary Ann F. Harrison, and Mark S. Nixon, "A survey on ear biometrics," ACM Comput. Surv. 45, no. 2 (2013): 22:1–22:35.
[25] Tiago Duarte, Rafael Prikladnicki, Fabio Calefato, and Filippo Lanubile, "Speech Recognition for Voice-Based Machine Translation," IEEE Softw. 31, no. 1 (2014): 26–31.
[26] Ravi Subban and Dattatreya P. Mankame, "Human Face Recognition Biometric Techniques: Analysis and Review," in Recent Advances in Intelligent Informatics - Proceedings of the Second International Symposium on Intelligent Informatics, ISI 2013, Mysore, India, August 23–24, 2013, pp. 455–463. Springer, 2013.
[27] Luiz Eduardo de Christo, "Multimodal Biometric System for Identity Verification Based on Hand Geometry and Hand Palm's Veins," in Communication Papers of the 2017 Federated Conference on Computer Science and Information Systems, FedCSIS 2017, Prague, Czech Republic, September 3–6, 2017, pp. 207–212.
[28] T. Hicks and R. Coquoz, Forensic DNA Evidence. Springer US, 2015.
[29] Victor Hugo C. de Albuquerque, Robertas Damasevicius, João Manuel R. S. Tavares, and Plácido Rogério Pinheiro, "EEG-Based Biometrics: Challenges And Applications," Comput. Intell. Neurosci. 2018 (2018): 5483921:1–5483921:2.
[30] Patrick Connor and Arun Ross, "Biometric recognition by gait: A survey of modalities and features," Comput. Vis. Image Underst. 167 (2018): 1–27.
[31] Farhana Javed Zareen, Chirag Matta, Akshay Arora, Sarmod Singh, and Suraiya Jabin, "An authentication system using keystroke dynamics," Int. J. Biom. 10, no. 1 (2018): 65–76.
[32] Kamil Burda and Daniela Chudá, "Influence of Body Postures on Touch-Based Biometric User Authentication," in SOFSEM 2018: Theory and Practice of Computer Science - 44th International Conference on Current Trends in Theory and Practice of Computer Science, Krems, Austria, January 29 - February 2, 2018, Proceedings, pp. 459–468. Springer, 2018.
[33] Anil K. Jain, Umut Uludag, and Arun Ross, "Biometric Template Selection: A Case Study in Fingerprints," in Audio- and Video-Based Biometric Person Authentication, 4th International Conference, AVBPA 2003, Guildford, UK, June 9–11, 2003, Proceedings, pp. 335–342. Springer, 2003.
[34] Christina-Angeliki Toli and Bart Preneel, "A Survey on Multimodal Biometrics and the Protection of Their Templates," in Privacy and Identity Management for the Future Internet in the Age of Globalisation - 9th IFIP WG 9.2, 9.5, 9.6/11.7, 11.4, 11.6/SIG 9.2.2 International Summer School, Patras, Greece, September 7–12, 2014, Revised Selected Papers, pp. 169–184. Springer, 2014.
[35] Mahesh Joshi, Bodhisatwa Mazumdar, and Somnath Dey, "A comprehensive security analysis of match-in-database fingerprint biometric system," Pattern Recognition Letters 138 (2020): 247–266, doi:10.1016/j.patrec.2020.07.024.
[36] Farid Benhammadi and Kadda Beghdad Bey, "Embedded Fingerprint Matching on Smart Card," Int. J. Pattern Recognit. Artif. Intell. 27, no. 2 (2013).
[37] Arun Ross, Sudipta Banerjee, Cunjian Chen, Anurag Chowdhury, Vahid Mirjalili, Renu Sharma, Thomas Swearingen, and Shivangi Yadav, "Some Research Problems in Biometrics: The Future Beckons," in 2019 International Conference on Biometrics, ICB 2019, Crete, Greece, June 4–7, 2019, pp. 1–8. IEEE, 2019.
[38] Geeta Sharma and Sheetal Kalra, "Advanced lightweight multi-factor remote user authentication scheme for cloud-IoT applications," J. Ambient Intell. Humaniz. Comput. 11, no. 4 (2020): 1771–1794.
[39] JoonYoung Lee, MyeongHyun Kim, SungJin Yu, KiSung Park, and Youngho Park, "A Secure Multi-Factor Remote User Authentication Scheme for Cloud-IoT Applications," in 28th International Conference on Computer Communication and Networks, ICCCN 2019, Valencia, Spain, July 29 - August 1, 2019, pp. 1–2. IEEE, 2019.
[40] Ahmed A. Elngar, "An efficient user authentication model for IOT-based healthcare environment," IJICS 11, no. 4/5 (2019): 431–446.
[41] Xianjiao Zeng, Guangquan Xu, Xi Zheng, Yang Xiang, and Wanlei Zhou, "E-AUA: An Efficient Anonymous User Authentication Protocol for Mobile IoT," IEEE Internet Things J. 6, no. 2 (2019): 1506–1519.
[42] Marios Belk, Christos Fidas, and Andreas Pitsillides, "FlexPass: Symbiosis of Seamless User Authentication Schemes in IoT," in Extended Abstracts of the 2019 CHI Conference on Human Factors in Computing Systems, CHI 2019, Glasgow, Scotland, UK, May 4–9, 2019. ACM, 2019.
[43] Muhammad Akhtar, Majid Hussain, Jehangir Arshad, and Mudassar Ahmad, "User Authentication Scheme for Greenhouse Remote Monitoring System using WSNs/IOT," in Proceedings of the 3rd International Conference on Future Networks and Distributed Systems, ICFNDS 2019, Paris, France, July 1–2, 2019, pp. 47:1–47:8. ACM, 2019.
[44] Alexander Bothe, Jan Bauer, and Nils Aschenbruck, "RFID-assisted Continuous User Authentication for IoT-based Smart Farming," in IEEE International Conference on RFID Technology and Applications, RFID-TA 2019, Pisa, Italy, September 25–27, 2019, pp. 505–510. IEEE, 2019.
[45] Mohamed H. Eldefrawy, Nico Ferrari, and Mikael Gidlund, "Dynamic User Authentication Protocol for Industrial IoT without Timestamping," in 15th IEEE International Workshop on Factory Communication Systems, WFCS 2019, Sundsvall, Sweden, May 27–29, 2019, pp. 1–7. IEEE, 2019.
[46] Muhamed Turkanovic, Bostjan Brumen, and Marko Hölbl, "A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion," Ad Hoc Networks 20 (2014): 96–112.
[47] Talha Ongun, Oliver Spohngellert, Alina Oprea, Cristina Nita-Rotaru, Mihai Christodorescu, and Negin Salajegheh, "The House That Knows You: User Authentication Based on IoT Data," CoRR abs/1908.00592 (2019).
[48] Geeta Sharma and Sheetal Kalra, "A lightweight multi-factor secure smart card based remote user authentication scheme for cloud-IoT applications," J. Inf. Secur. Appl. 42 (2018): 95–106.
[49] Ronggong Song, "Advanced smart card based password authentication protocol," Comput. Stand. Interfaces 32, no. 5-6 (2010): 321–325.
[50] Sandeep K. Sood, Anil Kumar Sarje, and Kuldip Singh, "An improvement of Xu et al.'s authentication scheme using smart cards," in Proceedings of the 3rd Bangalore Annual Compute Conference, Compute 2010, Bangalore, India, January 22–23, 2010, pp. 15:1–15:5. ACM, 2010.
[51] Bae-Ling Chen, Wen-Chung Kuo, and Lih-Chyau Wuu, "Robust smart-card-based remote user password authentication scheme," Int. J. Commun. Syst. 27, no. 2 (2014): 377–389.
[52] Parwinder Kaur Dhillon and Sheetal Kalra, "Multi-factor user authentication scheme for IoT-based healthcare services," J. Reliab. Intell. Environ. 4, no. 3 (2018): 141–160.
[53] Randa Almadhoun, Maha Kadadha, Maya Alhemeiri, Maryam Alshehhi, and Khaled Salah, "A User Authentication Scheme of IoT Devices using Blockchain-Enabled Fog Nodes," in 15th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2018, Aqaba, Jordan, October 28 - November 1, 2018, pp. 1–8. IEEE Computer Society, 2018.
[54] Chun-Ta Li, Tsu-Yang Wu, Chin-Ling Chen, Cheng-Chi Lee, and Chien-Ming Chen, "An Efficient User Authentication and User Anonymity Scheme with Provably Security for IoT-Based Medical Care System," Sensors 17, no. 7 (2017): 1482.
[55] Chintan Patel and Nishant Doshi, "A Level Dependent Authentication for IoT Paradigm," IACR Cryptol. ePrint Arch. 2020 (2020): 686.
[56] Yanan Chen, Weixiang Xu, Li Peng, and Hao Zhang, "Light-Weight and Privacy-Preserving Authentication Protocol for Mobile Payments in the Context of IoT," IEEE Access 7 (2019): 15210–15221.
[57] Felix Lorenz, Lauritz Thamsen, Andreas Wilke, Ilja Behnke, Jens Waldmüller-Littke, Ilya Komarov, Odej Kao, and Manfred Paeschke, "Fingerprinting Analog IoT Sensors for Secret-Free Authentication," CoRR abs/2006.06296 (2020).
[58] Shiju Sathyadevan, Krishnashree Achuthan, Robin Doss, and Lei Pan, "Protean Authentication Scheme - A Time-Bound Dynamic KeyGen Authentication Technique for IoT Edge Nodes in Outdoor Deployments," IEEE Access 7 (2019): 92419–92435.
[59] Run Xie, Chanlian He, Chunxiang Xu, and Chongzhi Gao, "Lattice-based dynamic group signature for anonymous authentication in IoT," Ann. des Télécommunications 74, no. 7-8 (2019): 531–542.
[60] Toni Perkovic, Mario Cagalj, and Tonko Kovacevic, "LISA: Visible light based initialization and SMS based authentication of constrained IoT devices," Future Gener. Comput. Syst. 97 (2019): 105–118.
[61] Mohammed Alshahrani, Issa Traoré, and Isaac Woungang, "Anonymous mutual IoT inter device authentication and key agreement scheme based on the ZigBee technique," Internet Things 7 (2019).
[62] Md Jubayer al Mahmod and Ujjwal Guin, "A Robust, Low-Cost and Secure Authentication Scheme for IoT Applications," Cryptogr. 4, no. 1 (2020): 8.
[63] He Fang, Angie Qi, and Xianbin Wang, "Fast Authentication and Progressive Authorization in Large-Scale IoT: How to Leverage AI for Security Enhancement," IEEE Netw. 34, no. 3 (2020): 24–29.
[64] Meriem Guerar, Luca Verderame, Alessio Merlo, Francesco Palmieri, Mauro Migliardi, and Luca Vallerini, "CirclePIN: A Novel Authentication Mechanism for Smartwatches to Prevent Unauthorized Access to IoT Devices," ACM Trans. Cyber Phys. Syst. 4, no. 3 (2020): 34:1–34:19.
[65] Woo-Sik Bae, "Verifying a secure authentication protocol for IoT medical devices," Cluster Computing 22, Suppl. 1 (2019): 1985–1990.
[66] Anwar Ghani, Khwaja Mansoor, Shahid Mehmood, Shehzad Ashraf Chaudhry, Arif Ur Rahman, and Malik Najmus Saqib, "Security and key management in IoT-based wireless sensor networks: An authentication protocol using symmetric key," Int. J. Commun. Syst. 32, no. 16 (2019).
[67] Mario Barbareschi, Alessandra De Benedictis, Erasmo La Montagna, Antonino Mazzeo, and Nicola Mazzocca, "A PUF-based mutual authentication scheme for Cloud-Edges IoT systems," Future Gener. Comput. Syst. 101 (2019): 246–261.
[68] Baibhab Chatterjee, Debayan Das, Shovan Maity, and Shreyas Sen, "RF-PUF: Enhancing IoT Security Through Authentication of Wireless Nodes Using In-Situ Machine Learning," IEEE Internet Things J. 6, no. 1 (2019): 388–398.
[69] Brendan Klare, Alessandra A. Paulino, and Anil K. Jain, "Analysis of facial features in identical twins," in 2011 IEEE International Joint Conference on Biometrics, IJCB 2011, Washington, DC, USA, October 11–13, 2011, pp. 1–8. IEEE Computer Society, 2011.
[70] Anil K. Jain, Karthik Nandakumar, and Arun Ross, "50 years of biometric research: Accomplishments, challenges, and opportunities," Pattern Recognit. Lett. 79 (2016): 80–105.
[71] P. Punithavathi and S. Geetha, "Partial DCT-based cancelable biometric authentication with security and privacy preservation for IoT applications," Multim. Tools Appl. 78, no. 18 (2019): 25487–25514.
[72] Oscar Olazabal, Mikhail I. Gofman, Yu Bai, Yoonsuk Choi, Noel Sandico, Sinjini Mitra, and Kevin Pham, "Multimodal Biometrics for Enhanced IoT Security," in IEEE 9th Annual Computing and Communication Workshop and Conference, CCWC 2019, Las Vegas, NV, USA, January 7–9, 2019, pp. 886–893. IEEE, 2019.
[73] Shayan Mehranpoor, Naser Mohammadzadeh, and Hossein Gharaee, "IoT-Based Anonymous Authentication Protocol Using Biometrics in Smart Homes," in 16th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology, ISCISC 2019, Mashhad, Iran, August 28–29, 2019, pp. 114–121. IEEE, 2019.
[74] Alex Barros, Denis do Rosário, Paulo Resque, and Eduardo Cerqueira, "Heart of IoT: ECG as biometric sign for authentication and identification," in 15th International Wireless Communications & Mobile Computing Conference, IWCMC 2019, Tangier, Morocco, June 24–28, 2019, pp. 307–312. IEEE, 2019.
[75] Qingxue Zhang, "Deep Learning of Electrocardiography Dynamics for Biometric Human Identification in era of IoT," in 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference, UEMCON 2018, New York City, NY, USA, November 8–10, 2018, pp. 885–888. IEEE, 2018.
[76] Sungju Lee, Jaewon Sa, Hyeonjoong Cho, and Daihee Park, "Energy-Efficient Biometrics-Based Remote User Authentication for Mobile Multimedia IoT Application," KSII Trans. Internet Inf. Syst. 11, no. 12 (2017): 6152–6168.
[77] Zimu Guo, Nima Karimian, Mark Mohammad Tehranipoor, and Domenic Forte, "Hardware security meets biometrics for the age of IoT," in IEEE International Symposium on Circuits and Systems, ISCAS 2016, Montréal, QC, Canada, May 22–25, 2016, pp. 1318–1321. IEEE, 2016.
[78] Lukas Janik, Daniela Chudá, and Kamil Burda, "SGFA: A Two-Factor Smartphone Authentication Mechanism Using Touch Behavioral Biometrics," in Proceedings of the International Conference on Computer Systems and Technologies 2020, CompSysTech 2020, Ruse, Bulgaria, June 19–20, 2020, pp. 35–42. ACM, 2020.
[79] Mohammed Abuhamad, Ahmed Abusnaina, DaeHun Nyang, and David Mohaisen, "Sensor-based Continuous Authentication of Smartphones' Users Using Behavioral Biometrics: A Survey," CoRR abs/2001.08578 (2020).
[80] Yuhua Wang, Chunhua Wu, Kangfeng Zheng, and Xiujuan Wang, "Improving Reliability: User Authentication on Smartphones Using Keystroke Biometrics," IEEE Access 7 (2019): 26218–26228.
[81] Hodjat Hamidi, "An approach to develop the smart health using Internet of Things and authentication based on biometric technology," Future Gener. Comput. Syst. 91 (2019): 434–449.
[82] Attaullah Buriro, Bruno Crispo, and Mauro Conti, "AnswerAuth: A bimodal behavioral biometric-based user authentication scheme for smartphones," J. Inf. Secur. Appl. 44 (2019): 89–103.
[83] Subhasish Banerjee, Chukh Chunka, Srijon Sen, and Rajat Subhra Goswami, "An Enhanced and Secure Biometric Based User Authentication Scheme in Wireless Sensor Networks Using Smart Cards," Wirel. Pers. Commun. 107, no. 1 (2019): 243–270.
[84] Jianming Cui, Rongquan Sui, Xiaojun Zhang, Hengzhong Li, and Ning Cao, "A Biometrics-Based Remote User Authentication Scheme Using Smart Cards," in Cloud Computing and Security - 4th International Conference, ICCCS 2018, Haikou, China, June 8–10, 2018, Revised Selected Papers, Part IV, pp. 531–542. Springer, 2018.
[85] David W. Chadwick, Romain Laborde, Arnaud Oglaza, Rémi Venant, Ahmad Samer Wazan, and Manreet Nijjar, "Improved Identity Management with Verifiable Credentials and FIDO," IEEE Commun. Stand. Mag. 3, no. 4 (2019): 14–20.
[86] Romain Laborde, Arnaud Oglaza, Ahmad Samer Wazan, François Barrère, Abdelmalek Benzekri, David W. Chadwick, and Rémi Venant, "A User-Centric Identity Management Framework based on the W3C Verifiable Credentials and the FIDO Universal Authentication Framework," in IEEE 17th Annual Consumer Communications & Networking Conference, CCNC 2020, Las Vegas, NV, USA, January 10–13, 2020, pp. 1–8. IEEE, 2020.
ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
The IoT-based services are getting a widespread expansion in all the directions and dimensions of this century. In most IoT-based applications, the sensor collects the data and communicates it to the end-user via gateway device or fog device over a precarious Internet channel. The attacker can use this open channel to capture the sensing device or the gateway device to collect the IoT data or control the IoT system. In this paper, we propose a novel approach of authentication for the IoT paradigm called as a Level Dependent Authentication (LDA). In the LDA protocol, we propose a security reliable and resource efficient key sharing mechanism in which users at level li can communicate with the sensor at level lj if and only if the level of user in the organizational hierarchy is lower or equal to the level of sensor deployment. We provide a security analysis for the proposed LDA protocol using random oracle-based games & widely accepted AVISPA (Automated Validation of Internet Security Protocols and Applications) tools & BAN (Burrows–Abadi–Needham) logic. We also discuss a comparative analysis of the proposed protocol with other existing schemes based on communication cost, computation cost, and security index. We provide an implementation of the proposed scheme using MQTT (Message Queuing Telemetry Transport) protocol.
Article
Full-text available
We describe how FIDO and W3C VCs can overcome the problems of existing identity management systems. We describe our conceptual model and architecture, and the protocol we used by extending FIDO's UAF in order to provide both strong authentication and strong authorization. We built a pilot implementation for U.K. NHS patients to validate our implementation. Patients were able to use a mobile phone with a fingerprint reader to access restricted NHS sites in order to make and cancel appointments and order repeat prescription drugs. Our initial user trials with 10 U.K. NHS patients found the system to be easy to use, and fingerprints to be preferable to using usernames and passwords for authentication.
Chapter
The physical world is transformed into being digitized and makes everything connected. An explosion of smart devices and technologies has allowed mankind to be in constant communication anywhere and anytime. IoT trend has created a sub-segment of the IoT market known as the industrial Internet of Things (IIoT) or Industry 4.0. Industry 4.0 dubbed I4.0 marks the fourth in the Industrial Revolution that focuses heavily on interconnectivity, automation, autonomy, machine learning, and real-time data. By 2020, it is estimated that over 30 billion of the world's devices will be connected in some way—which is 20 billion more devices than today! The consistent capturing and transmitting of data among machines provide manufacturing companies with many growth opportunities. The IIoT is expected to transform how we live, work and play. The number one challenge faced by the Industrial IoT is security and privacy. If we cannot alleviate many of the security and privacy issues that impact the Industrial IoT, we will not be able to achieve its full potential. IoT and the trend toward greater connectivity means more data gathered from more places, in real time, to enable real-time decisions and increase revenue, productivity, and efficiency.
Article
Modern Internet-enabled smart lights promise energy efficiency and many additional capabilities over traditional bulbs. However, these connected lights also expose a new attack surface, which can be maliciously used to violate users' privacy and security. We design and evaluate novel inference attacks that take advantage of the light emitted by these smart lights to infer sensitive user data and preferences.
Article
A smart city is engineered to be a self-sustained ecosystem driven by Internet-of-Things (IoT) devices. Smooth functioning of smart cities is conditioned on seamless communication between users and devices. Smart devices equipped with biometric authentication can offer security as well as personalized experience to the end users. Currently, a number of smart devices employ face, fingerprint, and voice modalities for user verification. However, the biometric data acquired by these devices can be digitally manipulated or tampered with, that can compromise the security of the smart environment. Further, the preponderance of biometric data such as face and voice in social media applications, necessitates the validation of their integrity. In this work, we review state-of-the-art digital forensic schemes for audio-visual biometric data that can be leveraged by applications designed for smart cities.
Article
Security provisioning has become the most important design consideration for large-scale Internet of Things (IoT) systems due to their critical roles in supporting diverse vertical applications by connecting heterogeneous devices, machines, and industry processes. Conventional authentication and authorization schemes are insufficient to overcome the emerging IoT security challenges due to their reliance on both static digital mechanisms and computational complexity for improving security levels. Furthermore, the isolated security designs for different layers and link segments, while ignoring the overall protection, lead to cascaded security risks as well as growing communication latency and overhead. In this article, we envision new artificial intelligence (AI)-enabled security provisioning approaches to overcome these issues while achieving fast authentication and progressive authorization. To be more specific, a lightweight intelligent authentication approach is developed by exploring machine learning at the base station to identify the prearranged access time sequences or frequency bands or codes used in IoT devices. Then we propose a holistic authentication and authorization approach, where online machine learning and trust management are adopted for achieving adaptive access control. These new AI-enabled approaches establish the connections between transceivers quickly and enhance security progressively so that communication latency can be reduced and security risks are well controlled in large-scale IoT systems. Finally, we outline several areas of AI-enabled security provisioning for future research.
Article
Internet of things (IoT) devices lead to innovation trends in financial services. Real-world IoT applications certainly further the surge in new financial product design. In the insurance industry, companies can utilise data collected from all types of IoT-connected devices to more effectively determine premiums and provide better insurance products, known as IoT insurance. However, this has a downside: insurance companies might underestimate the possible cyber risks involved in these IoT insurance products. This study examines the potential cyber risks arising from the application of IoT devices-linked insurance. We consider the cyber risks in insurance product valuation and estimate the possible increase in cyber risk cost as more data are sourced from IoT devices. Our results contribute to IoT devices-linked health insurance development and improvement in related cyber risk management.
