Review

Emerging Authentication Technologies for Zero Trust on the Internet of Things

1 Information System and Business Computer Department, Management Science Faculty, Udon Thani Rajabhat University, Udon Thani 41000, Thailand
2 Institute of Artificial Intelligence Innovation, National Yang Ming Chiao Tung University, Hsinchu 300, Taiwan
3 Department of Information Management, National Dong Hwa University, Hualien 974, Taiwan
* Author to whom correspondence should be addressed.
Symmetry 2024, 16(8), 993; https://doi.org/10.3390/sym16080993
Submission received: 30 June 2024 / Revised: 29 July 2024 / Accepted: 31 July 2024 / Published: 5 August 2024
(This article belongs to the Special Issue Emerging Technologies with Symmetry for Zero Trust)

Abstract

The large and interconnected nature of the Internet of Things (IoT) presents unique security challenges, even as it revolutionizes various sectors. With numerous devices, often limited in resources, traditional perimeter-based security methods struggle to keep pace. The “never trust, always verify” principle of zero trust security offers a viable solution. Zero trust security is a concept that has become increasingly popular, using key exchange techniques to ensure secure and authenticated communication within the network, especially in managing risks in critical infrastructure. Authentication is a process to identify an entity, a prerequisite for authorization, and essential for granting access control. It fundamentally relies on trust management and various methods to generate and manage cryptographic keys for authentication. The aim of this study is to enhance zero trust security in the context of the Internet of Things by investigating authentication methods and discussing several potential solutions for successful implementation. This study also presents the performance evaluation criteria for authentication in IoT and introduces advanced approaches for different scenarios, including lightweight cryptography, mutual authentication, and blockchain technology. Finally, we address challenges related to implementation and future directions for research.

1. Introduction

The Internet of Things (IoT) has transformed numerous industries, but ensuring the security of its expanding network offerings has presented significant challenges. Traditional security methods that rely on firewalls and predefined access controls (ACLs) are inadequate for the IoT due to several factors: (1) scalability; (2) limited resources; (3) heterogeneity; and so forth, as noted in [1]. The IoT analytics market, predicted to grow at an annual rate of 60% over the next five years, will drive the adoption of technologies for continuously analyzing event streams. According to [2], through 2025, decision management systems will experience a 745% compound annual growth rate (CAGR) due to increased demands for decision consistency and knowledge retention. By 2025, 75% of the users will interact regularly with services based on cognitive computing. Although big data is not a new concept, its importance has reached a tipping point as more people digitize their lives, effectively turning themselves into “walking sensors”. However, as the number of connected devices continues to multiply, so does the attack surface for malicious actors, raising serious security concerns.
In the IoT environment, traditional authentication methods are often inadequate, leaving systems more vulnerable to phishing, brute-force, and man-in-the-middle attacks. The cybersecurity model known as “zero trust security” offers a significant advance over the perimeter-based approach. A critical component of zero trust security is the implementation of robust authentication procedures to ensure that only authorized individuals can access resources, thereby preventing unauthorized access. However, traditional authentication methods are hampered by the unique characteristics of the IoT ecosystem, which include heterogeneity, limited resources, and scaling requirements. On the other hand, cryptographic authentication methods enhance security by utilizing encryption and precise algorithms. By enabling continuous authentication on IoT devices, Federated Identity and Access Management (FIdAM) solutions promote interoperability across systems. Furthermore, researchers are looking into how tamper-resistant IoT authentication processes can be in light of new technologies that have the potential to further enhance security and trust. These technologies include blockchain-based authentication and physical unclonable functions (PUFs) [3]. In addition, the authors presented the advantages of zero-knowledge proofs (ZKPs) and discussed the application of zero-knowledge authentication across various IoT networks. Additionally, they provided an overview of the properties of zero-knowledge authentication in the IoT environment. These state-of-the-art technologies provide innovative solutions to the unique challenges posed by the IoT environment, paving the way for more reliable and secure authentication systems. Furthermore, the National Institute of Standards and Technology (NIST) has introduced the concept of zero trust architecture (ZTA) to address these issues. Trust in an object can only be established through identity verification and trust assessment.
Once the system grants the necessary permissions, the object can perform relevant tasks. In [4], He et al. describe the adoption of and migration to ZTA as facing various hurdles, including the complexity of security management, risk assessments, configurations, and life-cycle change management. Authority is obtained by providing the access agent with authorization data through the access control engine, which integrates outcomes (people and devices) at varying security levels. Users must adhere to applicable security policies to access resources across domains. The technological pillars of ZTA include identity authentication, access control, and trust evaluation algorithms. In particular, authentication in IoT with zero trust security involves sensitive data, such as passwords, personal identification numbers (PINs), facial recognition, and fingerprints. Fingerprinting addresses the technical aspects of device identification in a heterogeneous IoT environment, which is crucial to zero trust implementation. On the other hand, cybersecurity must also take the human element in security into account. In the context of IoT and zero trust, human factors become particularly relevant as users interact with a wide range of devices. Soewito et al. [5] present a data transmission system combining data encryption and authentication. Their experiments involved thirty text data samples, each measured for performance in both encryption and authentication processes. The proposed method showed a processing speed suitable for the security of data transmission systems, with authentication performance around 5 ms from the client–server side.
Security assurance is increasingly crucial for the IoT, which has become pervasive in our lives. Using passwords, token keys, systems, and other authentication techniques on IoT devices and networks introduces numerous risks and concerns. Recognizing and evaluating conventional authentication methods within IoT ecosystems is essential when exploring new authentication solutions with zero trust security. Patel et al. [6] provided a comprehensive review of the zero-trust security architecture, emphasizing its essential ideas, real-world applications, and its impact on cybersecurity as a paradigm shift in information systems. ZTA not only revisits previous concepts but also integrates additional foundations such as data, device, user, network, environment, visibility, analytics, application, workload, automation, and orchestration. Ahmadi et al. [7] introduced the concept of zero trust micro-segmentation, which manages traffic entering or leaving a network, enhancing security through detailed segmentation.
As a result, zero trust is a security model in which all the measures within a network are constantly verified. Developing scalable and context-aware authentication that can integrate with the existing IoT infrastructures is especially challenging because of the range of considerations involved in emerging authentication technologies: IoT devices, embedded systems, resilience against attacks, device diversity, physical security, the lack of standardization, cryptographic protocols, network security, resource constraints, quantum-resistant algorithms, privacy preservation, and blockchain technology. Addressing these would require, among other things, the development of authentication frameworks that are secure under zero trust principles and deployable in real-world IoT systems.
However, there are specific aspects of IoT authentication and zero trust where additional research and annotation are required to improve the security and practicality of authentication in a zero trust IoT environment. Addressing these gaps could lead to robust security and efficient, widely applicable authentication for the diverse and constantly evolving IoT environment.
This study aims to evaluate the efficacy of the latest advancements in biometrics, blockchain, artificial intelligence (AI), and other cutting-edge techniques in authentication, enhancing IoT security and resilience. It also explores how zero trust security and authentication methods interrelate within the IoT and examines the integration of zero trust security principles into IoT authentication frameworks. We will discuss how a robust security paradigm can be employed to mitigate cyber threats and enhance IoT ecosystems. By thoroughly examining recent research, case studies, and real-world implementations, this study also provides significant insights into the evolution of IoT security and authentication.
The organization of this study is as follows: Section 2 delves into new authentication methods designed for the IoT, focusing on their integration with zero trust security and providing a comprehensive overview of how authentication is evolving in IoT settings. In Section 3, we will examine implementation challenges, security issues, and real-world deployment scenarios to help inform decisions and promote the adoption of reliable and secure IoT authentication solutions. Section 4 outlines future research directions, aiming to contribute to the ongoing discourse on enhancing the security posture and resilience of IoT systems.

2. Emerging Authentication Technologies for Zero Trust in the IoT

As IoT grows more integrated into people’s lives and critical systems, the trustworthiness of these devices becomes increasingly important, and developing authentication technologies for zero trust is not just about preventing attacks but also about sustaining confidence in the IoT environment. In this section, we present the authentication methods in the IoT environment and the authentication techniques for IoT in a zero-trust context. Zero trust is an emerging cybersecurity concept that adheres to the principle of “never trust, always verify”. It mandates the continuous identification and validation of access authorization, treating all the users, devices, and networks as potentially compromised, as elaborated in [2,8]. The core principles of zero trust can be summarized as follows:
(1) Every data source and computing service is regarded as a corporate asset that requires protection.
(2) All communications are considered insecure, regardless of the network location specified in the access request. No entity seeking access is automatically trusted.
(3) Resource access is granted on a session-by-session basis.
(4) Device characteristics, along with behavioral and environmental factors, are considered in access decisions.
(5) The principle of least privilege is applied.
(6) Access is granted intermittently, not automatically.
(7) Enhancements to security in communications, network infrastructure, and assets are continuously applied.
Thus, zero trust integrates the highest level of security into devices and assets, protecting against external threats. The elements of authentication offer enhanced security for data and resources against intrusions; access segmentation prevents malware and attackers; and DDoS attacks are thwarted before they can damage resources. This approach allows for more granular access control; suspicious activity and attacks can be identified and mitigated more swiftly. Furthermore, traditional authentication methods in IoT ecosystems are now being reevaluated for the integration of authentication technologies with zero trust security in the IoT, including device-to-device (D2D), device-to-gateway, multi-factor authentication (MFA) [9], and so forth.
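The principles listed above can be expressed as a small policy decision function that is evaluated on every request. This is an added example, not code from the article; the device names, the policy table, the thresholds and the field names are assumptions made for illustration.

```python
from dataclasses import dataclass

# All names and values below are illustrative assumptions, not from the article.
SESSION_TTL_S = 300   # principles 3 and 6: a grant covers one short session
ANOMALY_LIMIT = 0.7   # principle 4: behavioural threshold (0 normal, 1 abnormal)

# Principle 5 (least privilege): explicit allow-list; anything absent is denied.
POLICY = {
    ("sensor-01", "telemetry/room1"): frozenset({"publish"}),
    ("gateway-01", "telemetry/room1"): frozenset({"read"}),
    ("gateway-01", "actuator/valve3"): frozenset({"read", "write"}),
}


@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    resource: str
    action: str
    authenticated: bool      # outcome of a fresh authentication for this request
    firmware_patched: bool   # device characteristic (principle 4)
    anomaly_score: float     # behavioural signal (principle 4)
    source_network: str      # recorded for audit only, never used to grant trust


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    device_id: str = ""
    resource: str = ""
    action: str = ""
    expires_at: float = 0.0


def decide(req: AccessRequest, now: float) -> Decision:
    """Evaluate one request. Network location is deliberately ignored (principle 2)."""
    if not req.authenticated:
        return Decision(False, "identity not verified for this request")
    if req.action not in POLICY.get((req.device_id, req.resource), frozenset()):
        return Decision(False, "action not in least-privilege policy")
    if not req.firmware_patched:
        return Decision(False, "device posture: firmware out of date")
    if req.anomaly_score > ANOMALY_LIMIT:
        return Decision(False, "behaviour: anomaly score above limit")
    # The grant is bound to one device, one resource, one action and one session.
    return Decision(True, "granted", req.device_id, req.resource, req.action,
                    now + SESSION_TTL_S)


def grant_covers(d: Decision, device_id: str, resource: str, action: str,
                 now: float) -> bool:
    """Enforcement-point check: a grant is valid only for what it names and
    only until it expires; after that, decide() must be run again."""
    return (d.allowed and d.device_id == device_id and d.resource == resource
            and d.action == action and now < d.expires_at)


if __name__ == "__main__":
    # Constructed sample requests.
    inside = AccessRequest("sensor-01", "telemetry/room1", "publish",
                           False, True, 0.1, "internal")
    outside = AccessRequest("sensor-01", "telemetry/room1", "publish",
                            True, True, 0.1, "external")
    for r in (inside, outside):
        print(r.source_network, decide(r, now=1000.0))
```

The unauthenticated request from the internal network is denied while the authenticated external one is granted, which is the difference from a perimeter model.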

2.1. Authentication Methods in IoT Environment

The authentication technologies in the IoT environment are crucial for ensuring trustworthy interactions between devices, users, and systems, as follows:
(1) Resource restrictions limit the implementation of sophisticated authentication techniques and cryptography in IoT devices, which are often constrained by memory and energy capacities. Conventional authentication methods may impose a large overhead, potentially affecting the performance and battery life of these resource-limited devices. A significant portion of the IoT ecosystem is composed of devices with limited processing and memory capacities, complicating the implementation of secure authentication. The impracticality of traditional cryptographic protocols, which are often computationally expensive, further hampers secure authentication in these devices. This is similar to [9], which highlighted D2D authentication as more feasible compared to user authentication methods considering the memory and processing capacity limitations of the deployed IoT devices. These devices often focus on authentication systems that are computationally impractical for certain usage scenarios. Additionally, ref. [10] underscored the critical importance of resource security in cloud networks and examined the roles of authentication and access control within zero trust architectures. When applying distinct guidelines and standardized techniques to enforce access restrictions across a distributed network, the reliability of requests must be based on historical data. This involves establishing servers in the restricted visibility buffer zone as the outer layer of the primary network.
(2) “Heterogeneous” refers to a variety of devices, ranging from low-power IoT sensors to high-performance servers and gateways. Although unique requirements have been developed for the integration and compatibility of authentication, the heterogeneity in communications, software, and hardware makes it much more severe. The heterogeneity of IoT devices ranges from robust smart appliances to sensor nodes with limited computing capabilities. Due to the varied nature of this environment, different computational budgets and security requirements cannot be met by a single authentication method as presented in [11], who discussed the level of the granularity and complexity of the ZTA in an end-to-end infrastructure, security controls, heterogeneity, and legacy issues. The technology’s ability to promote unity and safeguard digital identities across numerous platforms and networks was also discussed in [12], including the use of blockchain technology and the issue of heterogeneous identity trust.
(3) Scalability refers to the ability to manage the login credentials of connected devices created by IoT deployments. Authentication technology often relies on centralized systems or physical provisioning processes due to the exponential growth in the number of devices, as in [13]. As they highlighted, this ensures that telemetry data, control directives, and sensitive information are protected from unauthorized access or alteration. Furthermore, certificate-based authentication enables scalable and manageable authentication for large-scale drone deployments. Potential attacks on the scheme’s security services were suggested by [14], who also examined both official and informal defenses against these threats. The Hypertext Transfer Protocol (HTTP) with internal authentication measures was identified, highlighting the protocol’s high load, limited capacity for storing requests on devices with constrained resources, and scalability challenges in the IoT.
(4) IoT devices are often placed in open or uncontrolled environments, facing issues such as safe update mechanisms and physical accessibility. If an attacker gains physical access to a device, the authentication, which relies on stored credentials, is compromised. It may be necessary to update authentication systems to maintain security and respond to breaches. Devices are vulnerable to hacking due to manufacturer-configured passwords or credentials. Conventional methods lack dynamic credential management and secure key rotation across many devices. Unfortunately, as shown in [15], several trusted and up-to-date IoT devices still use outdated login credentials. Zanasi et al. [15] unveiled a security architecture designed to meet the stringent specifications of IIoT systems, incorporating a software-defined network (SDN) and a centralized security management layer, which can be integrated publicly via the Internet to facilitate the initial enrollment process for new resources.
(5) Since IoT devices typically lack traditional user interfaces, it may be necessary to establish authentication methods for interactions with humans. As demonstrated in [16], these methods can operate without explicit user input. The trust algorithm used in this process makes decisions based on input from a policy database, user roles, and behavioral data. Another implementation is the integration of IoT devices in healthcare applications, as seen in [17]. In healthcare IoT systems, anticipatory risk mitigation and adaptive responses based on real-time data trends are crucial for identifying security measures and implementing proactive security. Additionally, risk assessments, user behavior, and access patterns are considered when tailoring security measures. Similarly, Butpheng et al. [18] integrated IoT technology into an e-health system to provide real-time, on-demand services. Network-connected devices communicate and share data through a unique user interface that collects information from sensors and equipment on the network. Saravanan et al. [19] developed and implemented a zero-trust framework paradigm that combines behavioral analysis, device health assessment, and MFA with user identity verification. Users must authenticate using credentials, such as their username and password, for their identity to be verified.
(6) IoT devices often use wireless networks for communication, making authentication techniques vulnerable to eavesdropping and man-in-the-middle attacks, among other threats. Ensuring the authenticity and security of authentication is challenging. To demonstrate zero trust security in IoT networks, Nawshin et al. [20] introduced AI-enabled Android malware detection, requiring apps to be validated and authorized before being distributed to networks. They also stated that identity verification is necessary for all communication networks, whether internal or external to network perimeters, in line with the zero-trust security concept.
(7) In IoT environments, where devices may operate autonomously and generate vast amounts of data, the lack of accountability and auditability in authentication methods makes it difficult to track and investigate security or unauthorized access. Security struggles to provide real-time visibility into devices and access, as well as granular control. Identifying and addressing potential security issues is challenging due to this lack of detailed oversight. Additionally, ref. [21] explored the role of trust, detailing trust algorithms. The method included certification, competency testing, and ensuring appropriate collaboration and accountability.
(8) Zero trust is an advanced form of network security that can be swiftly implemented to handle distrust. It requires requests, evaluations, and approvals each time to safeguard resources, as described in [8]. According to [22], the zero-trust security concept asserts that no implicit trust is placed in any network asset or user account; access to resources is only granted after a thorough authentication and authorization process has verified the identity of the user, device, asset, and workload. Similarly, ref. [23], based on the principle of zero trust architecture, also known as “never trust, always verify”, aims to defend the modern environment and facilitate digital transformation by utilizing robust authentication methods, employing network segmentation, preventing threats, and streamlining granular policy. It represents a comprehensive approach to information security that does not trust any user, transaction, or network traffic unless it has been validated.
Additionally, the importance of security measures is increasing with the use of IoT devices, networks, and authentication methods.

2.2. Authentication Techniques for IoT in Zero Trust Context

It is crucial to recognize and address the inadequacies of authentication techniques, as outlined below:
(1) Vulnerabilities: Passwords are the primary means for confirming user identities and granting access to IoT devices under authentication methods. Alquwayzani et al. [13] listed seven criteria for evaluating zero trust: vulnerability, access control, security defects, network security, password detection, high-risk ports, and secured sensitive data. Moreover, IoT devices are particularly vulnerable to hacking and unauthorized access, as demonstrated in [3].
(2) Multi-Factor Authentication (MFA): MFA is a security feature for IoT devices and applications that combines several factors, such as passwords, biometrics, and token keys, to verify user identity before granting access to IoT resources. MFA-authorized solutions require an additional device and a high level of user involvement, as seen in [19]. Additionally, ref. [24] examined various MFA models in the context of the Industrial Internet of Things (IIoT), which necessitates strong identity verification for the users and devices accessing IIoT resources. The methods used included strong authentication techniques, biometric authentication, digital certificates, and secure device attestation to verify the security and integrity of network connections.
(3) Blockchain Technology: Currently immature for use due to its reliance on a consensus mechanism to generate identities and manage access control for all IoT devices, as presented in [1]. Furthermore, Rivera et al. [25] introduced distributed authentication as a network of authenticators to enhance the process’s reliability, integrating blockchain to mitigate single points of failure and centralized servers for authentication.
(4) Device Capabilities: The authentication systems manage a multitude of IoT devices with diverse identities and access requirements. Centralized management solutions can result in identity granularity issues, discrepancies, threat detection challenges, and potential security vulnerabilities, as demonstrated in [9].
(5) User Authorization and Access Control: Unauthorized users may gain advanced access to data and control devices in IoT environments due to the absence of fine-grained access restrictions and pre-established policies. IoT ecosystems face the risk of device breaches, unauthorized privilege escalation, and data manipulation. Moreover, issues such as access control, confidentiality, privacy, and security, along with protection limitations and device reliability in utilizing IoT authentication services, were also addressed in [26]. Additionally, Dhiman et al. [10] provided methods for biometric authentication that capitalize on the durability and uniqueness of physiological traits to verify user identities.
(6) Predisposition Attacks and Spoofing: The authentication protocols used in the IoT aim to prevent predisposition attacks. IoT devices may be vulnerable to identity spoofing attacks, where malicious actors mimic authentic devices to deceive authentication systems and infiltrate the network, compromising the data confidentiality of resources, as used in [11].
Importantly, Alsobeh et al. [27] presented the cybersecurity awareness perception model (CAPM) and discussed cybersecurity awareness in cyberspace. Their CAPM investigated cybersecurity characteristics connected with consumers’ views of cybersecurity awareness and devised measures to increase cybersecurity awareness among various populations, particularly Jordanian teens. They identified the variables that affect user behaviors, knowledge, attitudes, time, and expense. In particular, they emphasized how aware teenagers are of their social status and the negative effects of the internet on mental health issues like irritability, self-consciousness, cyber-anxiety, social disengagement, and eating disorders. Furthermore, they stated that the following criteria on the quality-of-life scale of cybersecurity awareness should be considered: (1) dejection, (2) cyber withdrawal, (3) addictive behavior, (4) sleep disturbance, and (5) lack of social skills. These are positive, substantial connections between the measures of cybersecurity awareness factors in various quality of life on the level of cybersecurity. For example, social engineering assaults rely largely on psychological manipulation and require advanced cybersecurity to identify and avoid. The quality of life is a significant mediator in determining cybersecurity awareness. People with a higher quality of life are more likely to be aware of cybersecurity and defend themselves against threats. Cybersecurity and zero trust can be implemented at various levels among users, with potential strategies for improving user awareness in the IoT environment, as well as well-known information and communication technology (ICT) that is representative of experiencing exceptionally rapid development with vulnerabilities. These are key cybersecurity awareness factors that we can summarize for the IoT environment, as shown below:
  • Device connection and device proliferation to connect devices in homes and workplaces.
  • Data sensitivity to collect personal or sensitive data.
  • Limited user interfaces to intuitive interfaces for security settings.
  • Diverse users based on technical knowledge.
  • Rapid technological evaluation and constantly changing.
  • Interconnectedness and vulnerabilities in one device.
As mentioned above, the emerging authentication technologies with zero trust security address these challenges and provide secure and reliable authentication for IoT environments. By utilizing authentication technologies such as blockchain, AI-driven anomaly detection, and continuous verification, security in IoT environments can be improved, and the risks related to authentication vulnerabilities can be reduced. In the next part, we will explore new authentication mechanisms in the context of the IoT and zero trust security, along with the cybersecurity of networked IoT. As shown in Figure 1, we categorize the essential elements of authentication technologies for zero trust in the IoT environment.
Despite the detailed “never trust, always verify” principle of zero trust security, it necessitates robust authentication to secure communication and access control in constrained IoT environments. We summarized the contributors to various emerging authentication technologies for zero trust in the IoT, along with their challenges, as shown in Table 1.
As shown in Table 1 and Figure 2, the FIdAM provides security access control. Emerging authentication technologies in IoT environments offer numerous benefits and trade-offs. The concepts of trust and interference resistance are enhanced by PUFs, blockchain technology, and authentication protocols. Consequently, the selection of an authentication combination will depend on specific components, feature requirements, limitations, and threat models. Therefore, robust authentication in an IoT environment should consider the device’s capabilities, scalability, and security. These synthesized ideas could improve the effectiveness of blockchain technology in IoT environments.
The robust authentication methods align well with zero trust security principles. Figure 3 illustrates key considerations for developing and implementing secure authentication solutions in an IoT environment. This framework offers a roadmap for integrating emerging authentication techniques with zero trust security to establish robust protection across IoT layers. It ensures the reliable operation of interconnected IoT devices through mutual device authentication and confidential network communications. The framework encompasses user authenticity checks to ensure that only authorized devices can access networks and employs encryption to secure service access while protecting against various attacks, such as DoS attacks, man-in-the-middle (MITM) attacks, and sniffing attacks.
The safeguarding of user authentication data is vital for protecting the user’s identity. Counterfeit attempts can lead to identity theft, spoof attacks, or situations where an attacker uses a counterfeit biometric to mimic a genuine user and gain unauthorized access. The framework advocates for user context recognition based on zero trust, fine-grained data access authentication control, and the comprehensive monitoring of network traffic to identify and prevent potentially dangerous data access. It calls for regular reviews and updates to adapt to emerging threats and evolving requirements.
Moreover, it emphasizes adopting a zero-trust strategy that involves rigorous user verification and authentication, inherently distrusting any user, and assigning minimal access privileges to each user. To ensure access control security, it integrates continuous identity authentication and multifactor authentication. Biometric data, such as fingerprints and voiceprints, are collected by sensors via IoT devices and retained within edge devices, reducing the risk of data interception by attackers during network transmission.
This framework provides a structured approach to deploying emerging authentication technologies in an IoT environment guided by zero trust security principles. It emphasizes asset identification, risk assessment, technology selection, secure communication, continuous monitoring, incident response, secure updates, compliance, and continuous improvement. By adhering to this framework, organizations can enhance the security posture of their IoT ecosystems, mitigate risks associated with authentication challenges, and align with the core principles of zero trust security.
These emerging authentication techniques are integrated with the core principles of zero trust security in the IoT environment. By combining effective authentication with access control, risks associated with unauthorized access and malicious activities can be mitigated. Zero trust security provides a robust approach to securing communication and access control in the resource-constrained world of IoT devices. Next, we will explore the evaluation and implementation considerations for deploying zero trust security in IoT environments. The significance of the growing and distinct issues of the IoT mentioned above, as well as the specific enhancements offered by new authentication methods for zero trust in the IoT environment, is expounded upon. For instance, enhanced cryptography and context-aware authentication represent a significant improvement in adaptive security by considering real-time factors like device location, network conditions, edge computing, decentralized management, AI-driven security, cross-platform interoperability, quantum, and so forth.
For new technologies that require zero trust in the IoT context, authentication methods can use zero-knowledge proofs to confirm the identity of each unique device. Authorization makes use of device and environmental factors based on device identity. Access control is verified and aligned with zero trust principles, with encryption for granular control. Key exchange uses identity cryptography for key distribution, potentially with zero-knowledge proofs for more secure key protocols. The zero-trust concept, often known as “never trust, always verify”, enforces constant verification without implicit trust, as well as continuous authentication under constraints. Continuous verification aids in the detection and mitigation of ongoing threats, whereas the zero-knowledge method reduces them. Furthermore, authentication allows the explicit verification of device identity, and zero-knowledge proofs allow strong explicit verification without disclosing secrets. In other words, authentication and access control are critical for safeguarding IoT setups with multiple devices. Key agreement is a protocol-based authentication method that addresses security and interoperability challenges in IoT networks. Integrating authentication, authorization, access control, and key agreement in an IoT context is therefore critical because secure channels and cryptographic procedures are required to assure data confidentiality and integrity.
As previously indicated, this research analysis emphasizes the use of zero trust in the Internet of Things (IoT) environment based on cybersecurity awareness variables that influence zero trust in IoT, such as the following:
(1) Developing authentication methods that could work across diverse IoT devices while respecting resource constraints.
(2) Creating user interfaces and policies that secure behavior without overwhelming users.
(3) Implementing to enhance user awareness of IoT security risks and best practices.
(4) Considering personal factors in the design of security measures to improve adoption and effectiveness.
(5) Integrating user behavior analysis to create more adaptive and personalized security measures.

3. The Performance Evaluation Criteria for Authentication Zero Trust in the IoT

The “never trust, always verify” philosophy is embodied in zero trust security, which addresses the lack of trustworthiness and the need for enduring evaluation. Communication security and access control in IoT environments require secure authentication as a necessary strategy. Thus, zero trust security and emerging authentication are essential elements of the IoT ecosystem’s security.
Analysis and evaluation are required to identify any security issues in an IoT environment; this requires combining risk assessments with zero trust security. Therefore, we evaluate the potential of the identified threats by using threat modeling to identify critical assets such as IoT devices, authentication, unauthorized access, and denial-of-service attacks. The progression of the system’s ability to identify security issues is guided by the principle of zero trust security. Previously, continuous improvement in threat detection enhanced overall security and addressed potential risks effectively. Nevertheless, cryptographic methods and blockchain authentication are still immature in using a consensus mechanism, making them less attractive than centralized systems. The evaluation techniques should consider several factors: (1) security requirements: the security needed for protection and reserved data; (2) device capabilities: processing, memory constraints, and devices; (3) scalability: the number of devices and the anticipated growth of IoT devices; (4) management: managing credentials with unique techniques; and (5) privacy concerns: user privacy, data collection, and storage requirements. Additionally, ref. [31] tested and simulated zero trust and perimeter-based IoT security systems, applying a modeling and simulation tool to evaluate the effects of the zero-trust policy decision point (PDP) and policy enforcement point (PEP) functions on the overall networks; improved cybersecurity is the result of applying zero trust security on networks.
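To make the PDP and PEP roles concrete, the following added example (not code from the paper or from ref. [31]) pairs a lightweight HMAC-based mutual challenge-response and session-key agreement with a policy decision that re-verifies every request. The registry contents, segment names, the 30-second session limit and all class and function names are assumptions constructed for the illustration.

```python
"""Added example: PEP/PDP with mutual HMAC authentication and per-request checks."""
import hashlib
import hmac
import secrets

MAX_SESSION_AGE = 30.0  # seconds before a fresh handshake is demanded (assumed value)


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class PolicyDecisionPoint:
    def __init__(self, registry):
        self.registry = registry  # device_id -> {"key", "segment", "allow"}
        self.pending = {}         # device_id -> outstanding single-use challenge
        self.sessions = {}        # device_id -> [session_key, started_at, last_counter]

    def challenge(self, device_id):
        self.pending[device_id] = secrets.token_bytes(16)
        return self.pending[device_id]

    def authenticate(self, device_id, device_nonce, tag, now):
        """Check the device's tag; return the PDP's own tag (mutual proof) or None."""
        entry = self.registry.get(device_id)
        server_nonce = self.pending.pop(device_id, None)  # single use blocks replay
        if entry is None or server_nonce is None:
            return None
        did = device_id.encode()
        expected = mac(entry["key"], b"device", did, server_nonce, device_nonce)
        if not hmac.compare_digest(expected, tag):
            return None
        session_key = mac(entry["key"], b"session", server_nonce, device_nonce)
        self.sessions[device_id] = [session_key, now, 0]
        return mac(entry["key"], b"server", did, device_nonce, server_nonce)

    def decide(self, request, segment, now):
        """Never trust, always verify: session age, request MAC, context, privilege."""
        device_id, counter, action, resource, tag = request
        entry, session = self.registry.get(device_id), self.sessions.get(device_id)
        if entry is None:
            return "deny:unknown-device"
        if session is None or now - session[1] > MAX_SESSION_AGE:
            return "reauth"
        fields = (counter.to_bytes(8, "big"), action.encode(), resource.encode())
        if not hmac.compare_digest(mac(session[0], *fields), tag) or counter <= session[2]:
            return "deny:authentication"  # forged tag or replayed counter
        session[2] = counter
        if segment != entry["segment"]:
            return "deny:context"
        if (action, resource) not in entry["allow"]:
            return "deny:least-privilege"
        return "allow"


class Device:
    def __init__(self, device_id, key):
        self.id, self.key = device_id, key
        self.session_key, self.counter = None, 0

    def handshake(self, pdp, now):
        """Mutual challenge-response; both sides derive the same session key."""
        server_nonce = pdp.challenge(self.id)
        nonce = secrets.token_bytes(16)
        tag = mac(self.key, b"device", self.id.encode(), server_nonce, nonce)
        server_tag = pdp.authenticate(self.id, nonce, tag, now)
        expected = mac(self.key, b"server", self.id.encode(), nonce, server_nonce)
        if server_tag is None or not hmac.compare_digest(expected, server_tag):
            return False  # the device refuses a PDP that cannot prove the shared key
        self.session_key = mac(self.key, b"session", server_nonce, nonce)
        self.counter = 0
        return True

    def request(self, action, resource):
        self.counter += 1
        fields = (self.counter.to_bytes(8, "big"), action.encode(), resource.encode())
        return self.id, self.counter, action, resource, mac(self.session_key or b"", *fields)


def enforce(pdp, device, segment, action, resource, now):
    """PEP: forward each request to the PDP; re-run the handshake when told to."""
    verdict = pdp.decide(device.request(action, resource), segment, now)
    if verdict == "reauth":
        if not device.handshake(pdp, now):
            return "deny:authentication"
        verdict = pdp.decide(device.request(action, resource), segment, now)
    return verdict


def build_demo():
    """Constructed registry: one camera limited to publishing its own telemetry."""
    key = secrets.token_bytes(32)
    registry = {"cam-01": {"key": key, "segment": "vlan-iot",
                           "allow": {("publish", "telemetry/cam-01")}}}
    rogue = Device("cam-01", secrets.token_bytes(32))  # right name, wrong key
    return PolicyDecisionPoint(registry), Device("cam-01", key), rogue
```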
The evaluation of emerging authentication for zero trust security on the IoT covers different emerging authentication approaches, such as authentication, multifactor authentication, and blockchain authentication, based on the security features presented in Table 2. At that point, consider the specific requirements of the IoT environment, such as low battery life, resource constraints, and selecting suitable devices. Consequently, proof-of-concept testing is necessary to assess the performance and security effectiveness of authentication in a controlled environment. In [19], Saravanan et al. measured and analyzed the authentication process in enforcing stringent access control with user identity verification and the integration of MFA.
These assessments of developing authentication methods, which can be successfully applied in IoT environments while adhering to zero trust security principles, encompass security analysis and evaluation. This method ensures authentication, risk mitigation, confidentiality, integrity, and availability. Zero trust security can be tailored and integrated with authentication to specify access control, user identity, and verification requirements within the IoT environment.
Implementing zero trust authentication for IoT involves careful planning and consideration as presented in Table 3, including:
(1) Uniformity: Establish newly developed authentication protocols.
(2) Provisioning Devices: Distribute credential keys.
(3) Monitoring: Identify inconsistencies and categorize threats.
(4) Automatic: Utilize pre-established security measures.
(5) Control and Management Access: Oversee and regulate access.
(6) Cryptography: Explore cryptographic algorithms to provide sustained security.
(7) User Experience: Enhance acceptability and usability.
Table 3. The implementation benefits of emerging authentications.

| Implementation Aspects | Benefits | Refs. |
|---|---|---|
| Device-level Implementation | Integrating lightweight cryptography into IoT devices. | [32,33] |
| Network-level Implementation | Implemented to ensure authenticated and encrypted data. | [10,34] |
| Cloud/Edge Integration | Implemented for authentication services, cloud computing, and scalability. | [30] |
| Identity and Access Management (IAM) | Implemented to manage device identities throughout their lifecycle including initial provisioning, ongoing management, and decommissioning. | [14] |
| Security Information | Implemented to identify potential security, real-time monitoring, and the logging of authentication. | [20,31] |

The comprehensive implementation of zero trust security can effectively mitigate cybersecurity risks and enhance data protection, including ensuring the integrity of the IoT environment. As illustrated in Table 4, we present a comparison of the evaluation and implementation of zero trust in the IoT environment. The methods involve collaboration between IoT devices, communication networks, zero trust security, and others to ensure a comprehensive and effective zero trust security strategy for IoT environments. This includes the following:
(1) Establishing strict access control for IoT devices, users, and applications.
(2) Implementing network segmentation strategies to isolate IoT devices within networks.
(3) Utilizing threat detection systems to identify potential incidents in real-time.
(4) Applying data encryption to secure communication protocols for data transmission between IoT devices and authentication elements.
(5) Integrating IoT security into the existing zero trust security framework and principles.
Next, we summarize the categories of the existing authentication technology and their performance evaluation in Table 4. Correspondingly, Yeoh et al. [31] introduced multifactor authentication, which can safeguard applications by confirming identity and validity prior to granting access, and others as follows:
Table 4. The category of the existing authentication technology and performance evaluation.

| Feature | Mutual Authentication | Cryptographic Authentication | Multi-Factor Authentication (MFA) | Blockchain-Based Authentication | Refs. |
|---|---|---|---|---|---|
| Security | High | Moderate | High | High | [2,25,31] |
| Processing | Low, Moderate | Low | Low, Moderate | Moderate, High | [32,37] |
| Scalability | Moderate | High | High | Scalability limitations | [29,30,38,39] |
| Resource | Moderate | Low | Low, Moderate | Moderate, High | [31,40] |
| Complexity | Moderate | Low | Moderate | High | [21,30,38] |
| Suitability | Moderate | High | Moderate | Limited | [2,29,41] |

Authentication technology provides robust security by verifying devices, managing keys such as token keys, and creating digital certificates that can be scaled significantly. However, cryptography might not offer the same level of security in resource-constrained IoT devices. Nevertheless, MFA can enhance security by combining user verification with rigorous security checks. Blockchain technology provides robust mechanisms for identity verification and access control policies, though its implementation can be complex and challenging due to limited scalability on a large scale. As shown in Table 5, we compare the evaluation and implementation of zero trust in the IoT environment based on the research findings. We may select the best authentication technique and implement strong security measures by taking into account security needs, device capabilities, and potential problems.
The evaluation and implementation of zero trust security in IoT environments entail assessing the appropriateness and practicability of protecting IoT devices and deploying the necessary techniques, security models, and mechanisms to enforce zero trust principles. These evaluations are critical for the successful implementation of zero trust security in IoT settings. By considering security requirements, device capabilities, and potential challenges, we can select the most suitable authentication technology and establish robust security measures. Specifically, Irfan Simsek [45] introduced a novel approach integrating authentication, authorization, access control, and key agreement in the IoT environment and network communications. He emphasized the physical level, secure channels, and cryptographic methods to ensure data confidentiality and integrity.
This is a comprehensive evaluation of the effectiveness of new authentication solutions for zero trust in the IoT environment. It covers several important factors that are necessary to assess the efficiency and suitability of those technologies. Researchers and developers employed a combination of these strategies. The relative importance of these criteria would vary depending on the IoT ecosystem, as well as whether they were expanded or applied to a single IoT authentication technology.

4. Future Direction and Suggestions

This section guides the researcher’s effort and helps to address key challenges and explore new possibilities in this domain. It covers a wide range of challenges in IoT zero trust authentication, including technical issues such as cryptography, interoperability, network security, machine learning, and human–computer interaction.
As previously stated in ref. [27], cybersecurity awareness has become the primary motivator for cyber criminals, which appears to be increasing, such as acquiring sensitive information and using it for blackmail. Hackers can also exploit user behaviors on social networks (e.g., Facebook, TikTok, Instagram, YouTube, Twitter, etc.), making them a primary source of exposing users’ information to a wide range of security risks.
New authentication systems provide ways to improve IoT environments’ zero trust security. Ref. [46] presented an efficient and safe authentication and key agreement (AKA) system, examined its performance, and contrasted it with alternative protocols. They suggested that improved security for smart devices is anticipated as IoT development progresses. In summary, the idea, tenets, and cutting-edge developments of zero trust in cybersecurity and important IoT contexts were put forth in [47]. It has been observed that implementing zero trust in the IoT environment will incorporate theoretical concepts to ensure data security and privacy, preventing illegal access and data leaks. Similarly, zero trust architecture is significant for fusion if it demonstrates a remarkable balance between strict security and user-friendliness, as suggested by [48]. Additionally, Chen et al. [49] presented, with an evaluation of cross-chain trust, a software-defined zero trust architecture created for the security of developing 6G networks, allowing cooperative defense against network threats. Wu et al. [50] analyzed the key connotation of zero trust and IoT security and evaluated and simulated a stochastic Petri net model that can effectively address network security problems. However, adoption and implementation will require the consideration of factors such as scalability, interoperability, performance evaluation, and the specific requirements and constraints of IoT devices and systems. Furthermore, by investigating future directions and implementing innovative authentication technologies, it is possible to strengthen security, manage risk, and ensure the trustworthiness of IoT environments within a zero-trust principle and policy. Collaboration will be critical to addressing emerging threats and challenges in the evolving landscape of IoT security.
As shown in Table 6, there are various future directions and suggestions for emerging authentication technologies in zero trust and the IoT environment. For instance, behavioral biometrics utilizes keystroke dynamics and voice recognition to authenticate users based on their behavioral patterns. Secure Multi-Party Computation (SMPC) and homomorphic encryption are used to ensure authentication and data processing in the IoT environment. This technology enables the secure computation and processing of encrypted data without decryption. Quantum-resistant cryptography is a proactive approach to cryptographic algorithms and protocols for authentication and secure communication in IoT environments and long-term security against potential threats from quantum computing. Lastly, collaboration and standardization are needed to develop standardized authentication protocols and best practices for zero trust security, zero trust principles, and zero trust policies in IoT ecosystems. Interoperability in authentication is essential for seamless integration and security.
This table outlines future directions and suggestions for emerging authentication technologies, covering areas such as continuous trust assessment, decentralized authentication, quantum-resistant cryptography, federated identity management, machine learning, privacy techniques, lightweight protocols, trust security, theories, standardization, and user authentication methods. By following these guidelines, we can create a more secure and resilient framework for the interconnected IoT environment.
To develop this research, we have considered the following issues:
(1) Integration that simulates a real-world IoT security environment for implementation and testing in a variety of authentication methods.
(2) Incorporating data from various IoT domains, such as consumers and industries, highlights the variety of difficulties.
(3) Encouraged cross-disciplinary collaboration in the fields of computer science, engineering, and cybersecurity.
(4) Modules or developing technologies to prepare for future advancements in IoT security.
In the current circumstances, cybersecurity awareness should incorporate some of the following components for future research:
  • Education and training are critical components of any cybersecurity awareness plan, allowing for the creation of a curriculum that covers issues such as basics, online safety, data protection, and digital literacy. The curriculum should be interactive, interesting, and customized to the requirements of both genders.
  • Risk awareness: This is a series of awareness campaigns that should be developed to raise cybersecurity awareness, such as posters, videos, and other materials that explain the importance of cybersecurity and the hazards it poses.
  • Monitoring and evaluation aimed to follow the evolution of cybersecurity awareness. This system will allow us to assess the efficacy of any necessary improvements.
The outcome of this future research could significantly advance the enabling of a more secure, efficient, and user-friendly IoT environment by working on a variety of methodologies, including theoretical analysis and proof for cryptographic protocols, simulation for large-scale performance, prototype implementation, human–IoT interaction, and formal verification methods for security properties. Processing resources, network bandwidth, and operation are all key constraints on the application of establishing authentication systems for IoT devices. These limitations are critical for traditional authentication in the IoT environment, necessitating the development of novel alternatives. (1) Lightweight: due to computational constraints, these algorithms strive to provide appropriate security with low computational effort. (2) Edge computing: by addressing both computational and bandwidth constraints, this allows for more complicated processes that do not stress IoT devices. (3) Hardware security: to offload computational duties from the main processor, include security or physically unclonable features in IoT devices. (4) Energy-aware security as an authentication technique is achieved by energy efficiency, sporadic authentication, or the use of low-power modes in between authentications to conserve energy.

5. Conclusions

This study explores evolving authentication methods in the IoT through zero trust security. We have delved into emerging technologies such as cryptography and multi-factor authentication, highlighting their integration with zero trust principles. Our research has provided a comprehensive understanding of the transformative changes within IoT authentication, transitioning from perimeter-based models to a continuous verification approach that is better suited for the IoT environment. The study critically examines implementation challenges, security considerations, device limitations, potential privacy concerns, and deployment scenarios. Additionally, we have provided insights that can guide decision making for the adoption of reliable and secure IoT authentication solutions. Recognizing the importance of enhanced IoT security, we have identified its contributions to robust security. This includes the efficient and scalable application of authentication technology, the adoption of standardized network protocols, and the exploration of cryptography for long-term security. In conclusion, by integrating emerging authentication methods with zero trust principles, we aim to move toward a more secure future, underscoring the importance of robust authentication capable of effectively addressing emerging threats and vulnerabilities. This study also offers a framework for understanding these advancements and promotes a more secure and trustworthy IoT environment in our increasingly connected world.

Author Contributions

Conceptualization, C.B. and K.-H.Y.; methodology, C.B. and K.-H.Y.; investigation, C.B.; writing—original draft preparation, C.B.; writing—review and editing, C.B. and K.-H.Y.; funding acquisition, K.-H.Y. All authors have read and agreed to the published version of the manuscript.

Funding

This research was partially supported by the National Science and Technology Council, Taiwan, under grant numbers NSTC 111-2221-E-A49-202-MY3, NSTC 112-2634-F-011-002-MBK, and NSTC 113-2634-F-011-002-MBK.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Dhar, S.; Indranil, B. Securing IoT Devices Using Zero Trust and Blockchain. J. Organ. Comput. Electron. Commer. 2020, 31, 18–34.
  2. Singhal, N.; Deepak, T. Cybersecurity in the Era of Emerging Technology. In Emerging Technology and Management Trends; Kumar, P., Kumar, S., Iqbal, W., Goyal, A., Eds.; Manglam: Delhi, India, 2023; pp. 98–124.
  3. Chen, Z.; Jiang, Y.; Song, X.; Chen, L. A Survey on Zero-Knowledge Authentication for Internet of Things. Electronics 2023, 12, 1145.
  4. He, Y.; Huang, D.; Chen, L.; Ni, Y.; Ma, X. A Survey on Zero Trust Architecture: Challenges and Future Trends. Wirel. Commun. Mob. Comput. 2022, 2022, 6476274.
  5. Soewito, B.; Marcellinus, Y. IoT security system with modified Zero Knowledge Proof algorithm for authentication. Egypt. Inform. J. 2020, 22, 269–276.
  6. Patel, R.; Klaus, M.; Giorgi, K.; John, S.; Emily, W. Zero Trust Security Architecture Raises the Future Paradigm in Information Systems. Inform. Digit. Insight 2024, 1, 24–34.
  7. Ahmadi, S. Zero Trust Architecture in Cloud Networks: Application, Challenges and Future Opportunities. J. Eng. Res. Rep. 2024, 26, 215–228.
  8. Buck, C.; Olenberger, C.; Schweizer, A.; Völter, F.; Eymann, T. Never trust, always verify: A multivocal literature review on current knowledge and research gaps of zero-trust. Comput. Secur. 2021, 110, 102436.
  9. Shah, S.W.; Syed, N.F.; Shaghaghi, A.; Anwar, A.; Baig, Z.; Doss, R. LCDA: Lightweight Continuous Device-to-Device Authentication for a Zero Trust Architecture (ZTA). Comput. Secur. 2021, 108, 102351.
  10. Dhiman, P.; Saini, N.; Gulzar, Y.; Turaev, S.; Kaur, A.; Nisa, K.U.; Hamid, Y. A Review and Comparative Analysis of Relevant Approaches of Zero Trust Network Model. Sensors 2024, 24, 1328.
  11. Federici, F.; Martintoni, D.; Senni, V. A Zero-Trust Architecture for Remote Access in Industrial IoT Infrastructures. Electronics 2023, 12, 566.
  12. Nita, S.L.; Mihailescu, M.I. A Novel Authentication Scheme Based on Verifiable Credentials Using Digital Identity in the Context of Web 3.0. Electronics 2024, 13, 1137.
  13. Alquwayzani, A.A.; Abdullah, A.A. A systematic Literature Review of Zero Trust Architecture for UAV Security Systems in IoBT. Comput. Sci. Math. 2024, 1, 1–33.
  14. Hasan, M.K.; Weichen, Z.; Safie, N.; Ahmed, F.R.A.; Ghazal, T.M. A Survey on Key Agreement and Authentication Protocol for Internet of Things Application. IEEE Access 2024, 12, 61642–61666.
  15. Zanasi, C.; Russo, S.; Colajanni, M. Flexible zero trust architecture for the cybersecurity of industrial IoT infrastructures. Ad Hoc Netw. 2024, 156, 103414.
  16. Syed, N.F.; Shah, S.W.; Shaghaghi, A.; Anwar, A.; Baig, Z.; Doss, R. Zero Trust Architecture (ZTA): A Comprehensive Survey. IEEE Access 2022, 10, 57143–57179.
  17. Elsayed, Z.; Nelly, E.; Sajjad, B. A Novel Zero Trust Machine Learning Green Architecture for Healthcare IoT Cybersecurity: Review. In Proceedings of the Analysis and Implementation in Southeast Conference 2024, Atlanta, GA, USA, 18–22 May 2024.
  18. Butpheng, C.; Yeh, K.-H.; Hou, J.-L. A Secure IoT and Cloud Computing-Enabled e-Health Management System. Secur. Commun. Netw. 2022, 2022, 5300253.
  19. Saravanan, K.R.; Anitha, P.K.; Thomas, P.R.A.; Sambath Kumar, K.; Hariharan, R. Design and Elevating Cloud Security Through a Comprehensive Integration of Zero Trust Framework. Intell. Syst. Appl. Eng. 2024, 12, 214–219.
  20. Nawshin, F.; Unal, D.; Hammoudeh, M.; Suganthan, P.N. AI-powered malware detection with Differential Privacy for zero trust security in Internet of Things networks. Ad Hoc Netw. 2024, 1, 161–178.
  21. Neale, C.; Ian, K.; Blaine, P.; Yijun, Y.; Bashar, N. The case for Zero Trust Digital Forensics. Forensic Sci. Int. Digit. Investig. 2022, 40, 301352.
  22. Liu, C.; Tan, R.; Wu, Y.; Feng, Y.; Jin, Z.; Zhang, F.; Liu, Y.; Liu, Q. Dissecting zero trust: Research landscape and its implementation in IoT. Cybersecurity 2024, 7, 20.
  23. Raheman, F. From Standard Policy-Based Zero Trust to Absolute Zero Trust (AZT): A Quantum Leap to Q-Day Security. J. Comput. Commun. 2024, 12, 252–282.
  24. Cena, J. Multi-Factor Authentication Paradigms for Securing Industrial Internet of Things (IIoT) Assets, in Electrical Energy and Power Systems Group (EEPS). Ph.D. Thesis, The University of Manchester, Manchester, UK, 2024; p. 12.
  25. Rivera, J.J.D.; Muhammad, A.; Song, W.-C. Securing Digital Identity in the Zero Trust Architecture: A Blockchain Approach to Privacy-Focused Multi-Factor Authentication. IEEE Open J. Commun. Soc. 2024, 5, 2792–2814.
  26. Nandy, T.; Mohd, Y.I.B.I.; Rafidah, M.N.; Laiha, M.K.; Lau, S.L.; Nor, B.A.J.; Ismail, A.; Norjihan, A.G.; Sananda, B. Review on Security of Internet of Things Authentication Mechanism. IEEE Access 2019, 7, 151054–151089.
  27. Alsobeh, A.; Alazzam, I.; Mohammad, A.; Shatnawi, J.; Khasawneh, I. Cybersecurity awareness factors among adolescents in Jordan: Mediation effect of cyber scale and personal factors. J. Commun. Media Stud. 2023, 13, e202312.
  28. Kawalkar, S.A.; Dinesh, B.B. Design of an Efficient Cloud Security Model through Federated Learning, Blockchain, AI-Driven Policies, and Zero Trust Frameworks. Intell. Syst. Appl. Eng. 2023, 12, 378–388.
  29. Walshe, M.; Epiphaniou, G.; Al-Khateeb, H.; Hammoudeh, M.; Katos, V.; Dehghantanha, A. Non-interactive zero knowledge proofs for the authentication of IoT devices in reduced connectivity environments. Ad Hoc Netw. 2019, 95, 101988.
  30. Ali, B.E.M.A. Efficient Trust-Aware Authentication and Task Offloading in Multi-Access Edge Computing Using a Dual Fuzzy Method Based Zero Trust Security Framework. Ph.D. Thesis, Royal Melbourne Institute of Technology, Melbourne, Australia, 2023.
  31. Yeoh, W.; Liu, M.; Shore, M.; Jiang, F. Zero trust cybersecurity: Critical success factors and A maturity assessment framework. Comput. Secur. 2023, 133, 103412.
  32. Kim, H.; Lee, E.A. Authentication and Authorization for the Internet of Things. IEEE Comput. Soc. 2017, 19, 27–33.
  33. Cena, J. Zero Trust Architecture for Robust IIoT Security, in Electrical Energy and Power Systems Group (EEPS). Ph.D. Thesis, The University of Manchester, Manchester, UK, 2024.
  34. Adhikari, T. Advancing Zero Trust Network Authentication: Innovations in Privacy-Preserving Authentication Mechanisms. Comput. Sci. Eng. 2024, 1, 1–22.
  35. Chuan, T.; Lv, Y.; Qi, Z.; Xie, L.; Guo, W. An Implementation Method of Zero-trust Architecture. J. Phys. Conf. Ser. 2020, 1651, 012010.
  36. Bhattacharya, S.; Panyam, S.; Deshmukh, G.; Gatala, S.; Vemoori, V.; Seth, D. Integrating User Experience and Acceptance in Authentication: A Synthesis of Technology Acceptance Model and User-Centered Design Principles. Int. J. Comput. Trends Technol. 2024, 72, 15–23.
  37. Capili, M. Simulation-Based Evaluation of Perimeter-Based and Zero Trust Security Implementation on Internet of Things, in Systems Engineering. Ph.D. Thesis, The George Washington University, Washington, DC, USA, 2024; pp. 1–24.
  38. Cambou, B.; Philabaum, C.; Hoffstein, J.; Herlihy, M. Methods to Encrypt and Authenticate Digital Files in Distributed Networks and Zero-Trust Environments. Axioms 2023, 12, 531.
  39. Mehraj, S.; Tariq Banday, M. Establishing a Zero Trust Strategy in Cloud Computing Environment. In Proceedings of the International Conference on Computer Communication and Informatics (ICCCI-2020), Coimbatore, India, 22–24 January 2020; pp. 1–6.
  40. Zhang, H.; Zhang, Z.; Chen, L. Toward zero trust in 5G industrial internet collaboration systems. Digit. Commun. Netw. 2024, 1, 2022–3357.
  41. Olaoye, G.O.; Ayuns, L. Future Trends and Emerging Technologies in Cloud Security. Ph.D. Thesis, Ladoke Akintola University of Technology, Ogbomoso, Nigeria, 2024; pp. 1–24.
  42. Aki, S.R.S. Zero Trust Security in Wireless and communication Networks. Comput. Secur. Reliab. 2024, 1, 1–24.
  43. Tang, F.; Ma, C.; Cheng, K. Privacy-preserving authentication scheme based on zero trust architecture. Digit. Commun. Netw. 2023, 23, 1–15.
  44. Xu, M.; Guo, J.; Yuan, H.; Yang, X. Zero-Trust Security Authentication Based on SPA and Endogenous Security Architecture. Electronics 2023, 12, 782.
  45. Irfan, S. Authentication, Authorization, Access Control, and Key Exchange in Internet of Things. ACM Trans. Internet Things 2024, 5, 1–30.
  46. Chen, C.-M.; Xuanang, L.; Shuangshuang, L.; Mu-En, W.; Saru, K.; Youwen, Z. Enhanced Authentication Protocol for the Internet of Things Environment. Secur. Commun. Netw. 2022, 2022, 8543894.
  47. Kang, H.; Liu, G.; Wang, Q.; Meng, L.; Liu, J. Theory and Application of Zero Trust Security: A Brief Survey. Entropy 2023, 25, 1595.
  48. Khan, M.J. Zero trust architecture: Redefining network security paradigms in the digital age. World J. Adv. Res. Rev. 2023, 19, 105–116.
  49. Chen, X.; Wei, F.; Ning, G.; Yan, Z. Zero Trust Architecture for 6G Security. IEEE Netw. 2023, 1, 1–8.
  50. Wu, K.; Cheng, R.; Xu, H.; Tong, J. Design and Implementation of the Zero Trust Model in the Power Internet of Things. Int. Trans. Electr. Energy Syst. 2023, 2023, 6545323.
  51. Su, R.; Riahi, A.; Natalizio, E.; Moyal, P.; Saint-Jore, A.; Song, Y.-Q. Assessing intra- and inter-community trustworthiness in IoT: A role-based attack-resilient dynamic trust management model. Internet Things 2024, 26, 101213.
  52. Azad, M.A.; Sidrah, A.; Junaid, A.; Harjinder, L.; Yussuf, H.A. Verify and trust: A multidimensional survey of zero trust security in the age of IoT. Internet Things 2024, 27, 101227.
  53. Itodo, C.; Ozer, M. Multivocal literature review on zero-trust security implementation. Comput. Secur. 2024, 141, 103827.
  54. SumanPrakash, P.; Ramana, K.S.; CosmePecho, R.D.; Janardhan, M.; Arellano, M.T.C.; Mahalakshmi, J.; Bhavsingh, M.; Samunnisa, K. Learning-driven Continuous Diagnostics and Mitigation program for secure edge management through Zero-Trust Architecture. Comput. Commun. 2024, 220, 94–107.
  55. Zhang, J.; Zheng, J.; Zhang, Z.; Chen, T.; Tan, Y.-A.; Zhang, Q.; Li, Y. ATT&CK-based Advanced Persistent Threat attacks risk propagation assessment model for zero trust networks. Comput. Netw. 2024, 245, 110376.
  56. Krishnan, P.; Kurunandan, J.; Shivananda, R.P.; Satish, N.S.; Tulika, P.; Rajkumar, B. eSIM and blockchain integrated secure zero-touch provisioning for autonomous cellular-IoTs in 5G networks. Comput. Commun. 2024, 216, 324–345.
  57. Mekala, S.H.; Zubair, B.; Adnan, A.; Sherali, Z. Cybersecurity for Industrial IoT (IIoT): Threats, countermeasures, challenges and future directions. Comput. Commun. 2023, 208, 294–320.
  58. Kaur, M.; Verma, V.K. Cooperative-centrality enabled investigations on edge-based trustworthy framework for cloud focused internet of things. J. Netw. Comput. Appl. 2024, 226, 103872.
  59. Ni, L.; Gong, X.; Li, J.; Tang, Y.; Luan, Z.; Zhang, J. rFedFW: Secure and trustable aggregation scheme for Byzantine-robust federated learning in Internet of Things. Inf. Sci. 2024, 653, 119784.
  60. Cao, Y.; Zhang, J.; Zhao, Y.; Su, P.; Huang, H. SRFL: A secure & robust federated learning framework for IoT with trusted execution environments. Expert Syst. Appl. 2024, 239, 95–118.
  61. Varela-Vaca, Á.J.; Gasca, R.M.; Iglesias, D.; Gónzalez-Gutiérrez, J. Automated trusted collaborative processes through blockchain & IoT integration: The fraud detection case. Internet Things 2024, 25, 101106.
  62. Arazzi, M.; Nicolazzo, S.; Nocera, A. A novel IoT trust model leveraging fully distributed behavioral fingerprinting and secure delegation. Pervasive Mob. Comput. 2024, 99, 89–99.
  63. Javeed, D.; Saeed, M.S.; Adil, M.; Kumar, P.; Jolfaei, A. A federated learning-based zero trust intrusion detection system for Internet of Things. Ad Hoc Netw. 2024, 162, 150–162.
Figure 1. The essential elements of authentication technologies for zero trust in the IoT environment.
Figure 2. Authentication for zero trust in the IoT environment.
Figure 3. Key considerations of authentication for zero trust in the IoT environment.
Table 1. The summary of the existing authentication technologies for IoT with zero trust.
| Author(s) | Implementation | Authentication Technology | Advantages/Challenges |
|---|---|---|---|
| [3] (2023) | Using factors such as PIN password, verification, and facial recognition. | Biometric authentication | • Strong authentication based on unique biological or behavioral traits. • Passwords and tokens must be remembered. • Potential privacy concerns. • Increasing device costs. |
| [9] (2021) | Identifying device fingerprint authentication for users and providing entry-point security, identifying the subject, and accessing the device. | Biometric authentication | |
| [26] (2019) | Using specialized biometric scanners, users’ individual biological data is collected and compared to stored data. | Biometric authentication | |
| [5] (2020) | Used for verification and calculating the discrete algorithm problem. | Cryptographic authentication | • Offers mathematical security. • Supports secure key exchange. • Non-repudiation, data integrity, and cryptographic primitives. • Computationally intensive for constrained IoT devices. • Requires secure communication channels for key exchange. |
| [10] (2024) | Taking uniqueness and persistence of physiological characteristics and user identity. | Cryptographic authentication | |
| [21] (2022) | Protecting the system by manufacturers. | Cryptographic authentication | |
| [25] (2023) | Securing protocols for data storage and transmission and using confidentiality, integrity, and availability. | Cryptographic authentication | |
| [26] (2019) | Used to morph actual messages during communication in an insecure network. | Cryptographic authentication | |
| [28] (2023) | Offering higher confidence over authenticator and verifying an authentication key. | Cryptographic authentication | |
| [29] (2019) | Used as a key requirement within the scheme to fulfill the cryptographic checksum needed. | Cryptographic authentication | |
| [6] (2024) | Ensuring only authorized users, devices, and applications can access networks. | Federated Identity and Access Management (FIdAM) | • Enables seamless authentication across multiple IoT. • Reduces complexity. • Supports various authentication methods. • Requires trust establishment. |
| [11] (2023) | Providing the requested security services, access control, and management of configuration updates. | Federated Identity and Access Management (FIdAM) | |
| [30] (2023) | Adds security for all resource authentication and authorization and is strictly enforced. | Federated Identity and Access Management (FIdAM) | |
| [1] (2020) | Proposing an anonymous access system and computing the divided identity block data. | Blockchain-based authentication | • Offers a decentralized structure. • Enables secure and editable identity management. • Supports distributed trust. • Scalability limitations. • Requires design and implementation to ensure privacy and security. |
| [10] (2024) | Presenting blockchain technology for zero trust networks and comparing techniques used by different platforms. Presenting a possible approach for trusted transactions. | Blockchain-based authentication | |
| [11] (2023) | Securing data storage, including sensitive data, and distributing data across multiple nodes. | Blockchain-based authentication | |
| [25] (2024) | Protecting sensitive information and combining blockchain and trust assessment. | Blockchain-based authentication | |
| [28] (2023) | Presenting blockchain technology with zero trust. | Blockchain-based authentication | |
| [29] (2019) | Presenting the potential to increase privacy and security in blockchain applications. | Blockchain-based authentication | |
| [9] (2021) | Designing characteristics that are used in one piece of hardware. | PUFs, or physically unclonable functions | • Unique physical properties. • Offers tamper resistance and counterfeiting capacities. |
| [20] (2024) | Linking between malware on Android devices and zero trust security. | PUFs, or physically unclonable functions | |
Table 2. The evaluation benefit of emerging authentications.
| Evaluation Criteria | Benefits | Refs. |
|---|---|---|
| IoT Device Identification | • Identify all the IoT devices connected to networks. • Vulnerability security. | [5,24,32,33] |
| Network Segmentation | • Analyze network segmentation. | [7,10,34] |
| Access Management | • Determine authentication methods. • Vulnerability to unauthorized access. | [11,30] |
| Data Encryption | • Assess the encryption protocols. • Use data transmission within an IoT environment. | [5,14] |
| Threat Detection | • Evaluate mechanisms and analyze effectiveness. | [20,31] |
| Penetration Testing | • Conduct hacking and simulated attacks to assess the authentication mechanisms. • Test against various attacks (spoofing and man in the middle). • Identify and exploit potential vulnerabilities. | [2,10,30,32,35,36] |
| Formal Verification | • Use techniques and mathematical models to confirm the security characteristics of cryptography and authentication. • Ensure the established security guarantees. | [5,12,34] |
| Simulation and Emulation | • Simulate the IoT and authentication to evaluate performance and scalability. • Identify resource constraints and interoperability. | [30,37] |
| Compliance Testing | • Assess authenticity to security standards. • Ensure compliance with legal data protection and data privacy. | [10,23,28] |
Table 5. Comparison of the evaluation and implementation of zero trust in the IoT environment.
Evaluation/Implementation | [11] | [12] | [15] | [20] | [24] | [33] | [38] | [40] | [42] | [43] | [44]
Stringent access controls
Micro-segmentation strategies
Threat detection systems
Data encryption
Zero trust policies across the IoT environment
Integrating IoT security
Developing IoT environments under zero trust principles
Table 6. Future directions for authentication with zero trust in the IoT environment.
| Future Directions | Suggestions |
|---|---|
| Continuous Adaptive Risk and Trust Assessment (CARTA) | This framework is continuously adapted based on context, behavior, and risk factors for IoT devices [51,52,53,54,55]. |
| Blockchain-based Authentication | Develop blockchain technologies for decentralized, tamper-proof authentication and access control in IoT ecosystems. This technology addresses scalability limitations on a large scale [56,57]. |
| Quantum-resistant Cryptography | Investigate quantum-resistant cryptographic algorithms as the protocols to secure IoT authentication against, and prepare for, potential vulnerabilities from future quantum computing threats [58]. |
| Federated Identity and Access Management (FedIAM) | Implement FedIAM solutions to enable secure and seamless authentication across multiple IoT service providers. This reference implements a standardized authentication protocol to facilitate it across IoT platforms [52,53]. |
| Integration of Artificial Intelligence (AI) and Machine Learning (ML) | Develop AI/ML techniques for real-time anomaly detection and adaptive authentication mechanisms in IoT environments. Analyze user and device patterns in real time and dynamically adjust access control policies based on risk assessment [55,59]. |
| Privacy-preserving Authentication | Explore authentication schemes that protect user privacy and sensitive data in the IoT environment. Develop for user control and usage associated with authentication [54,60]. |
| Secure Firmware and Hardware Roots of Trust | Integrate secure hardware and trusted execution environments for IoT device authentication and integrity [61,62]. |
| Standardization of Authentication Protocols for Interoperability | Participate in standards and ensure interoperability among different IoT authentication solutions. Develop open-source libraries and references for standardized authentication protocols [52,57]. |
| User-centric Authentication for Improved Usability | Discover user-centric authentication, user preferences, user-friendly interfaces, and workflows such as biometrics and behavioral patterns for secure and convenient access control in an IoT environment [53]. |
| Emerging Technologies | Investigate the security implications of emerging technologies and networks on authentication processes within the IoT environment [58,60,63]. |

Bast, C.; Yeh, K.-H. Emerging Authentication Technologies for Zero Trust on the Internet of Things. Symmetry 2024, 16, 993. https://doi.org/10.3390/sym16080993
