ABSTRACT
The IoT has raised a set of challenges due to the enormous amount of data processed and the complexity of implementing mechanisms that guarantee these data are accessed exclusively by authorized users. In these ecosystems, some devices serve as a first “access door” to data obtained from other sources or stored in the Cloud. Consequently, there is a particular need to introduce strong authentication mechanisms that limit unauthorized access to them. The aim of this paper is to offer a legal perspective on the forces in tension in the most common authentication methods implemented in these devices, taking into account the particularities of an IoT ecosystem. Given the subject under discussion, it is necessary to lay the technological groundwork before performing the subsequent legal analysis. The conclusions attempt to answer which authentication method achieves a better balance among the forces in tension in digital identity, and offer some lines for further research and development in the area.