Annals of Telecommunications

, Volume 74, Issue 7–8, pp 375–388 | Cite as

Access control in the Internet of Things: a survey of existing approaches and open research questions

  • Emmanuel BertinEmail author
  • Dina Hussein
  • Cigdem Sengul
  • Vincent Frey


The Internet of Things operates in a personal-data-rich sector, which makes security and privacy an increasing concern for consumers. Access control is thus a vital issue to ensure trust in the IoT. Several access control models are today available, each of them coming with various features, making them more or less suitable for the IoT. This article provides a comprehensive survey of these different models, focused both on access control models (e.g., DAC, MAC, RBAC, ABAC) and on access control architectures and protocols (e.g., SAML and XACML, OAuth 2.0, ACE, UMA, LMW2M, AllJoyn). The suitability of each model or framework for IoT is discussed. In conclusion, we provide future directions for research on access control for the IoT: scalability, heterogeneity, openness and flexibility, identity of objects, personal data handling, dynamic access control policies, and usable security.


Access control (AC) Internet of Things (IoT) Identity management Security 



  1. 1.
    Shang C, Zhou MC, Chen C (Mar. 2014) Cellphone data and applications. Int J Intell Control Syst 19(1):35–45Google Scholar
  2. 2.
    TRUSTe (2015) Majority of consumers want to own the personal data collected from their smart devices, availabile online: Accessed 28 Feb 2019
  3. 3.
    Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) "An introduction to privacy engineering and risk management in federal systems," National Institute of Standards and Technology Internal Report 8062Google Scholar
  4. 4.
    Hugo Teufel III CPO (2008) Fair Information Practice Principles: framework for privacy, Privacy Policy Guidance MemorandumGoogle Scholar
  5. 5.
    International Organization for Standardization (ISO), ISO/IEC 29100 (2011) Information technology, security techniques, privacy framework, Dec. 2011Google Scholar
  6. 6.
    Cavoukian A (2012) Privacy by Design and the emerging personal data ecosystem, accessible online: Accessed 28 Feb 2019
  7. 7.
    General Data Protection Regulation (GDPR) (2018) General data protection regulation (GDPR) [online]. Available at: Accessed 28 Feb 2019
  8. 8.
    Cerf VG (2015) Access control and the Internet of Things. IEEE Internet Comput 19(5):96CrossRefGoogle Scholar
  9. 9.
    Sicari S, Rizzardi A, Grieco LA, Coen-Porisini A (2015) Security privacy and trust in Internet of Things: the road ahead. Comput Netw 76:146–164CrossRefGoogle Scholar
  10. 10.
    Fagin R (1978) On an authorization mechanism. ACM Trans Database Syst 3, 3(September 1978):310–319CrossRefGoogle Scholar
  11. 11.
    Abadi M, Burrows M, Lampson B, Gordon P (1993) A calculus for access control in distributed systems. ACM Trans Program Lang Syst 15, 4(September 1993):706–734CrossRefGoogle Scholar
  12. 12.
    Gusmeroli S, Piccione S, Rotondi D (2013) A capability-based security approach to manage access control in the Internet of Things. Math Comput Model 58(5):1189–1205CrossRefGoogle Scholar
  13. 13.
    Cirani S, Davoli L, Ferrari G, Léone R, Medagliani P, Picone M, Veltri L (2014) A scalable and self-configuring architecture for service discovery in the Internet of Things. IEEE Internet Things J 1(5):508–521CrossRefGoogle Scholar
  14. 14.
    Roman R, Zhou J, Lopez J (2013) On the features and challenges of security and privacy in distributed Internet of Things. Comput Netw 57(10):2266–2279CrossRefGoogle Scholar
  15. 15.
    Tschofenig H, Arkko J, Thaler D, McPherson DR (2015) Architectural considerations in smart object networking. In: RFC 7452, IETFGoogle Scholar
  16. 16.
    Ouaddah A, Mousannif H, Abou El Kalam A, Ouahman AAIT (2017) Access control in the Internet of Things: big challenges and new opportunities. Comput Netw 112:237–262Google Scholar
  17. 17.
    Bui DT, Douville R, Boussard M (2016) "Supporting multicast and broadcast traffic for groups of connected devices," 2016 IEEE NetSoft Conference and Workshops (NetSoft), Seoul, 2016, pp. 48–52Google Scholar
  18. 18.
    Bell DE, La Padula LJ (1975) Secure computer system: unified exposition and Multics interpretation. In: Technical report, Technical Report MTIS AD-A023588. MITRE Corporation, McLeanGoogle Scholar
  19. 19.
    Denning DE (1976) A lattice model of secure information flow. Commun ACM 19(2):236–243MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Sandhu RS, Samarati P (1994) Access control: principle and practice. IEEE Commun Mag 32(9):40–48CrossRefGoogle Scholar
  21. 21.
    Sandhu RS (1998) Role-based access control. Adv Comput 46:237–286CrossRefGoogle Scholar
  22. 22.
    Samarati P, Di Vimercati SDC (2001) Access control: policies, models, and mechanisms. Found Secur Anal Des 2171:137–196CrossRefzbMATHGoogle Scholar
  23. 23.
    Kalam A, Baida R, Balbiani P, Benferhat S, Cuppens F, Deswarte Y, Miege A, Saurel C, Trouessin G (2003) Organization based access control. In: Proc. POLICY 2003. IEEE 4th Int. Work. Policies Distrib. Syst. Networks, IEEE Comput. Soc, pp 120–131CrossRefGoogle Scholar
  24. 24.
    Zhang G, Tian J (2010) An extended role based access control model for the Internet of Things, 2010 International Conference on Information, Networking and Automation (ICINA), 1, IEEE, pp. V1–319Google Scholar
  25. 25.
    Jindou J, Xiaofeng Q, Cheng C (2012) Access control method for Web of Things based on role and SNS, in: 2012 IEEE 12th Int. Conf. Comput. Inf. Technol.,IEEE, pp. 316–321Google Scholar
  26. 26.
    Barka E, Mathew SS, Atif Y (2015) Securing the Web of Things with role-based access control. Springer International Publishing, New York City, pp 14–26zbMATHGoogle Scholar
  27. 27.
    Liu J, Xiao Y, Chen CP (2012) Authentication and access control in the Internet of Things, in: 2012 32nd Int. Conf. Distrib. Comput. Syst. Work., IEEE, pp. 588–592Google Scholar
  28. 28.
    I. Bouij - Pasquier, A. Ait Ouahman, A. Abou El Kalam and M. Ouabiba de Montfort, SmartOrBAC security and privacy in the Internet of Things, 2015 IEEE/ACS 12th International Conference of Computer Systems and Applications (AICCSA), Marrakech, 2015, pp. 1–8Google Scholar
  29. 29.
    E. Yuan, J. Tong, Attributed based access control (ABAC) for Web services, in: IEEE Int. Conf Web Serv, IEEE, 2005CrossRefGoogle Scholar
  30. 30.
    Ye N, Zhu Y, Wang R-C, Malekian R, Qiao-min L (2014) An efficient authentication and access control scheme for perception layer of Internet of Things. Appl Math Inf Sci An Int J 1624(4):1617–1624CrossRefGoogle Scholar
  31. 31.
    Hemdi M, Deters R (2016) Using REST-based protocol to enable ABAC within IoT systems. In: 2016 IEEE 7th Annual Information Technology. Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, pp 1–7Google Scholar
  32. 32.
    Sciancalepore S et al (2017) Attribute-based access control scheme in federated IoT platforms. In: Podnar Žarko I, Broering A, Soursos S, Serrano M (eds) Interoperability and open-source solutions for the Internet of Things. InterOSS-IoT 2016. Lecture Notes in Computer Science, vol 10218. Springer, ChamGoogle Scholar
  33. 33.
    Ouechtati H, Ben Azzouna N, Ben Said L (2018) "Towards a self-adaptive access control middleware for the Internet of Things," 2018 International Conference on Information Networking (ICOIN), Chiang Mai, Thailand, pp 545–550Google Scholar
  34. 34.
    Hussein D, Bertin E, Frey V (2017) "Access control in IoT: from requirements to a candidate vision," 2017 20th Conference on Innovations in Clouds. Internet and Networks (ICIN), Paris, pp 328–330Google Scholar
  35. 35.
    Salama U, Yao L, Wang X, Paik HY, Beheshti A (2017) "Multi-level privacy-preserving access control as a service for personal healthcare monitoring," 2017 IEEE International Conference on Web Services (ICWS), Honolulu, HI, pp 878–881Google Scholar
  36. 36.
    Sandhu R (1992) The typed access matrix model. In: Proc. 1992 IEEE Comput. Soc. Symp. Res. Secur. Priv., IEEE Comput. Soc. Press, pp 122–136Google Scholar
  37. 37.
    Lampson B (1974) Protection, ACM SIGOPS. Oper Syst Rev 8:18–24CrossRefGoogle Scholar
  38. 38.
    Oh SW, Kim HS (2014) Decentralized access permission control using resource-oriented architecture for the Web of Things, 16th International Conference on Advanced Communication Technology, Pyeongchang, pp 749–753Google Scholar
  39. 39.
    Dennis JB, Van Horn EC (1966) Programming semantics for multiprogrammed computations. Commun ACM 9(3):143–155CrossRefzbMATHGoogle Scholar
  40. 40.
    Anggorojati B, Prasad NR, Prasad R (2012) Capability-based access control delegation model on the federated IoT network, 2012 15th Int’l. Symp. Wireless Personal Multimedia Commun, pp 604–608Google Scholar
  41. 41.
    Mahalle P (2013) Identity authentication and capability-based access control (IACAC) for the Internet of Things. J Cyber Secur Mobility 1:309–348Google Scholar
  42. 42.
    Hernández-Ramos JL et al (2013) Distributed capability-based access control for the Internet of Things. J Internet Serv Info Secur 3(3/4):1–16Google Scholar
  43. 43.
    Hernández-Ramos JL, Jara AJ, Marín L, Gómez AFS (2016) DCapBac: embedding authorization logic into smart things through ECC optimizations. Int J Comput Math 93(2):345–366.
  44. 44.
    Gusmeroli S, Piccione S, Rotondi D (2012) IoT access control issues: a capability-based approach, 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, Palermo, pp. 787–792Google Scholar
  45. 45.
    Lynch L (2011) Inside the identity management game. IEEE Internet Comput 15(5):78–82CrossRefGoogle Scholar
  46. 46.
    Beltran V, Bertin E, Crespi N (2014) User identity for WebRTC services: a matter of trust. IEEE Internet Comput 18(6):18–25CrossRefGoogle Scholar
  47. 47.
    Hussein D, Han SN, Lee GM, Crespi N, Bertin E (2017) Towards a dynamic discovery of smart services in the social Internet of Things. Comput Electr Eng 58, C(February 2017):429–443CrossRefGoogle Scholar
  48. 48.
    Armando A, Carbone R, Compagna L, Cuellar J, Tobarra L (2008) Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google apps. In: Proceedings of the 6th ACM workshop on Formal methods in security engineering. ACM, New York City, pp 1–10Google Scholar
  49. 49.
    Hardt D (2012) The OAuth 2.0 authorization framework, IETF RFC 6749, Oct. 2012, IETF. [online] Accessed 28 Feb 2019
  50. 50.
    Home - WG – User-Managed Access - Kantara Initiative, [online] Available at Accessed 28 Feb 2019
  51. 51.
    Zhang G, Liu J (2011) A model of workflow-oriented attributed based access control. Int J Comput Netw Inf Secur 1(February):47–53Google Scholar
  52. 52.
    Hughes J, Maler E (2005) Security Assertion Markup Language (SAML) v2.0 technical overview. OASIS SSTC Working Group, ClovisGoogle Scholar
  53. 53.
    Hughes J, Cantor S, Hodges J, Hirsch F, Mishra P, Philpott R, Maler E (2005) Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, BurlingtonGoogle Scholar
  54. 54.
    Moses T (2005) eXtensible Access Control Markup Language (XACML), version 2.0. OASIS Standard, BurlingtonGoogle Scholar
  55. 55.
    Zhang G, Liu J (2012) The study of access control for service-oriented computing in Internet of Things. Int J Wireless Microwave Technol (IJWMT) 2(3):62–68CrossRefGoogle Scholar
  56. 56.
    Seitz L, Selander G, Gehrmann C (2013) Authorization framework for the Internet of Things, 2013 IEEE 14th International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), Madrid, pp. 1–6Google Scholar
  57. 57.
    Hussein D, Bertin E, Frey V (March 2017) A community-driven access control approach in distributed IoT environments. IEEE Commun Mag 55(3):146–153CrossRefGoogle Scholar
  58. 58.
    Jones M, Hildebrand J (2015) JSON Web Encryption (JWE). RFC 7516, IETF, available at Accessed 28 Feb 2019
  59. 59.
    Hammer-Lahav E (2010) The OAuth 1.0 protocol. RFC 5849, IETF, available at Accessed 28 Feb 2019
  60. 60.
    Leiba B (2012) OAuth web authorization protocol. IEEE Internet Comput 16(1):74–77CrossRefGoogle Scholar
  61. 61.
    Fremantle P, Aziz B, Kopecký J, Scott P (2014) Federated identity and access management for the Internet of Things, 2014 International Workshop on Secure Internet of Things, Wroclaw, pp 10–17Google Scholar
  62. 62.
    Denniss W, Bradley J, Jones M, Tschofenig H OAuth 2.0 device flow for browserless and input constrained devices, Internet-draft, IETF, draft-ietf-oauth-device-flow-09Google Scholar
  63. 63.
    Seitz L, Gerdes S, Selander G, Mani M, Kumar S (2016) Use cases for authentication and authorization in constrained environments, RFC 7744, January 2016, IETFGoogle Scholar
  64. 64.
    Jones M, Wahlstroem E, Erdtman S, Tschofenig H (2018) CBOR Web Token (CWT), RFC 8392, May 2018. IETF, FremontGoogle Scholar
  65. 65.
    Beltran V, Skarmeta AF (2016) An overview on delegated authorization for CoAP: authentication and authorization for constrained environments (ACE). In: 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), pp 706–710CrossRefGoogle Scholar
  66. 66.
    Su X et al (2016) Privacy as a service: protecting the individual in healthcare data processing. In: Computer, vol. 49, no. 11, pp 49–59Google Scholar
  67. 67.
    OMA (2017) Lightweight machine to machine requirements, Candidate Version 1.1 – 08 Dec 2017, Open Mobile AllianceGoogle Scholar
  68. 68.
    Costa D, Mingozzi E, Tanganelli G, Vallati C (2016) An AllJoyn to CoAP bridge, 2016 IEEE 3rd World Forum on Internet of Things (WF-IoT), Reston, VA, pp. 395–400Google Scholar
  69. 69.
    Fernandes E, Rahmati A, Jung J, Prakash A (2017) Security implications of permission models in smart-home application frameworks. IEEE Secur Priv 15(2):24–30CrossRefGoogle Scholar
  70. 70.
    Zorzi M, Gluhak A, Lange S, Bassi A (2010) From today’s INTRAnet of things to a future INTERnet of things: a wireless- and mobility-related view. IEEE Wirel Commun 17(6):44–51CrossRefGoogle Scholar
  71. 71.
    Dillet R (2017) Netatmo is trying really hard to make the smart home happen. January 3, 2017, Techcrunch. Available at: Accessed 28 Feb 2019
  72. 72.
    Bertin E, Crespi N (2009) Service business processes for the next generation of services: a required step to achieve service convergence. Ann Telecommun 64(3–4):187–196CrossRefGoogle Scholar
  73. 73.
    Sloan RH, Warner R (2014) Beyond notice and choice: privacy, norms, and consent. Suffolk Univ J High Technol 14(2):370–412Google Scholar
  74. 74.
    Rastogi V, Welbourne E, Khoussainova N, Kriplean T, Balazinska M, Borriello G, Kohno T, Suciu D (2007) “Expressing privacy policies using authorisation views,” in Proc. of the 5th International Workshop on Privacy in UbiComp (UbiPriv’07)Google Scholar
  75. 75.
    Kolias C, Kambourakis G, Stavrou A, Voas J (2017) DDoS in the IoT: Mirai and other botnets. IEEE Comput 50(7):80–84CrossRefGoogle Scholar
  76. 76.
    Kovacs E (2016) Hosting provider OVH hit by 1 Tbps DDoS attack. Retrieved from Accessed 28 Feb 2019
  77. 77.
    Tian Y, Zhang N, Lin Y-H, Wang XF, Ur B, Guo XZ, Tague P (2017) SmartAuth: user-centered authorization for the Internet of Things. In: USENIX security conferenceGoogle Scholar

Copyright information

© Institut Mines-Télécom and Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Emmanuel Bertin
    • 1
    Email author
  • Dina Hussein
    • 1
  • Cigdem Sengul
    • 2
  • Vincent Frey
    • 3
  1. 1.Orange LabsCaenFrance
  2. 2.NominetLondonUK
  3. 3.Orange LabsCesson-SevigneFrance

Personalised recommendations