Which authentication method to choose. A legal perspective on user-device authentication in IoT ecosystems

The IoT has raised a set of challenges due to the enormous amount of data processed and the complex implementation of mechanisms to guarantee these data are exclusively accessed by authorized users. In these ecosystems some devices represent a first “access door” to data obtained from other sources or stored in the Cloud. Consequently, there is a particular need to introduce strong authentication mechanisms that limit unauthorized accesses to thereof. The aim of this paper is to offer a legal perspective on the forces tensioning in the most common authentication methods implemented in these devices, account taken of the particularities of an IoT ecosystem. Due to the topic subject of discussion, it is necessary to lay the technological ground in order to perform a subsequent legal analysis. The conclusions attempt to answer which authentication method achieves a better balance on the forces tensioning in digital identity as well as offering some lines for further research and development in the area.


ARES 2021, August 17-20, 2021

INTRODUCTION
We are living in a world where millions of "objects can sense, communicate and share information, all interconnected over public or private Internet Protocol networks. These interconnected objects have data regularly collected, analyzed and used to initiate action, providing wealth of intelligence for planning, management and decision-making" [1] (p.6123). We are referring to the world of the Internet of Things (hereafter, IoT). There is no precise definition of the IoT. Authors such as Dr. Gilad L. Rosner and Erin Kenneally J.D. state that it can refer to a diversity of objects which acquire a variable degree of networked intelligence and have "the ability to sense, amass and analyze data and communicate through networks" [2] (pp. 13-14). Most of the objects that integrate the IoT are familiar objects (e.g., vehicles, smartphones, home appliances, toys, cameras, medical instruments...) improved with the ability to store, process and share information, "thus becoming new actors in the informational world" [2] (p.14) and designing spaces where the real, the digital and the virtual merge to create smart environments [3] (p.8).
Beyond its beneficial effects, the IoT is also raising a set of challenges. More specifically, interconnected devices cross and disrupt boundaries of different nature (physical, data type or regulatory boundaries) [2] (p. 19) as most of the above-mentioned objects are being invited to our houses or "private environments". Consequently, notions such as "home" [2] and its privacy implications (e.g., Article 7 of the Charter of Fundamental Rights of the European Union) [4] (p.10) are being challenged. In other words, this invitation to our "private environment" allows the access to certain data or private information and, in the worst cases, could even affect the ability of the user to perceive and control who is observing or disturbing in his/her private territory [5]. Furthermore, the possibilities of some of these devices go beyond physical boundaries and extend to the body and emotional life. Indeed, the commercial market is offering a wide range of devices to monitor people's activities, environments and even physical bodies and emotions [6].
With these references we want to express the potential possibilities of privacy intromissions and the magnitude of the data processing in an IoT ecosystem. In exchange, mechanisms to control intromissions and privacy violations are needed. One of the possibilities consists in reinforcing user control and management strategies. These can refer to measures of diverse types such as data pre-collection or post-collection strategies or privacy by design. However, the innovative approach of this paper is to provide a study on the role of identity management (hereafter, IdM) in the IoT as a mechanism to limit unauthorized access to devices. The study of this aspect is becoming of acute emergency considering that some devices within an IoT ecosystem represent in many cases a first "access door" (i.e., some devices hold a controller role and act as a first barrier that once overcome, allow access to the rest of devices in the IoT network) to a large number of private data due to the interconnection of multiple devices and therefore various data sources, relying on a single authentication process or authentication means.
More specifically, the potential negative effects and consequences of the IoT are increasing in step with its fast development and spread. In other words, nowadays the IoT is posing scenarios where all private information (or the means of access to private information) concerning an individual is regrouped in a number of devices interconnected between themselves. In return, a privacy breach might have a catastrophic impact for end users. Consequently, in the current stage of the IoT (and its foreseeable evolution) we will need safer authentication mechanisms, that is to say, strong authentication methods. However, these methods usually require the use of biometrics or other personal data that confirm the identity of the user accessing the device, which at the same time raises other issues. The aim of this paper is to study from a legal perspective the tensions between the need for safe and convenient authentication methods in the IoT. For that purpose, we propose the study of a set of concepts as well as a comparative view between authentication methods.

Figure 1: Example of the smartphone as an "access door" to private information in an IoT ecosystem

DIGITAL IDENTITY

Concept and types
The point of departure in the study of identity is the concept of entity. An identity describes an entity within a specific scope, therefore it can be defined as "a set of all characteristics that have been attributed to an entity within a scope" [7] (p.5). The International Telecommunication Union also defines the concept of identity as a "representation of an entity in the form of one or more attributes that allow the entity or entities to be sufficiently distinguished within context" [8] (p.4). Building on this definition, we can state that a digital identity is the digital representation of an entity detailed enough to make the individual distinguishable within a digital context [8]. "An entity is a real-world thing" [9] (p.4), which includes and at the same time distinguishes between natural or legal persons and objects. All of these can be considered entities, and therefore have an identity. However, the content thereof will vary depending on the entity to which it is applied. This paper focuses on the identity of natural persons in user-device authentication. Applying the concept of digital identity to a natural person, it can be defined as "the unique representation of an individual in an online transaction" [10] (p.4). The concept of digital identity in the case of natural persons must be designed and constrained by the particularities raised by the fact that it applies to human beings. In this sense, it must take into account that some data should not be used as they can be a source of discrimination, and that some of them are particularly sensitive (e.g., biometrics, unique identifiers...) [11].
To function, these identities must exist within a technical framework, that is to say, they must be managed. Following the definition given by Dr. Gilad L. Rosner [12] (p.98), "Identity management is an operational and technical framework that defines and administers the lifecycle, use and security of digital identities. Authentication and the management of credentials are key focuses of IdM systems. They are transactional and operated by organizations". In other words, IdM is concerned with the lifecycle of digital identities.

Identities lifecycle and "strong identities"
The identity lifecycle runs from the creation to the deletion of the digital identity (or the deregistration of the user) [13] [11]. The cycle starts with user identity proofing and enrollment, concluding with verification. However, within the scope of this paper, access to devices, this verification does not really take place in the majority of cases (e.g., a scenario of corporate use of devices could be different), since the key issue is to ensure that the person accessing the device at a later moment is the same one who set up the authentication method.
Once the digital identity has been created and validated (i.e., the user has been identified), this phase finishes with user enrollment and the issuance of an authenticator such as a password, token, PIN or biometric recognition. Consequently, the user is now able to perform his/her authentication. Authentication consists in the recognition of an identity previously issued and at the same time it can rely on different types of authentication factors and processes. These factors and processes are of interest for this paper.
The authentication factors can be separated into three basic categories: a) Knowledge factors or "something you know" (e.g., PIN, passwords, security questions); b) Ownership factors or "something you have" (e.g., one-time passwords, Personal Identity Verification card); c) Inherence factors or "something you are" (e.g., fingerprint, face, voice). Another category of factor could refer to location data, "somewhere you are", via IP address, or behavioral data, "something you do", as was the case of the Windows 8 picture password feature, although behavioral data may also be considered an inherence factor.
On the other hand, authentication processes can be classified into two basic categories: a) Single-factor authentication, which uses only one authenticator; b) Multi-factor authentication, which uses two or more independent authenticators from at least two different authentication factor categories.
Finally, authorization refers to the last stage (excluding deletion or user deregistration). Once the individual has been verified as the previously identified user, we proceed to the verification of the corresponding rights and the fulfillment of requests.
Depending on how the phases are performed and the parties involved, we can distinguish different types of identities or IdM systems. The study of the types of IdM is out of the scope of this paper. With regard to the types of identities, we appeal to the concept of strong identities, understood as those identities that reach a high level of assurance during the whole identity lifecycle, that is to say, there is strong identity proofing during the process of binding identities as well as at a later stage, and the identity operates by means of strong and safe IdM mechanisms.
In order to illustrate the term of strong identities from a legal perspective, it is of interest to take into account the following European Union regulations, the eIDAS Regulation and the PSD2 Directive, as they state relevant legal requirements for the understanding and the definition of the concept of strong identities. These regulations have in common that both aim to achieve a substantial or even high level of assurance in authentication so that the natural person is who claims to be, thus he/she has the right to perform the corresponding operation. The basis for these strong identities is the good protected, i.e., in the scope of the eIDAS Regulation, the access to cross-border public services by citizens, and in the scope of the PSD2 Directive, the protection of natural person's economic goods and the well-functioning of the market. In other words, we can extract from these regulations that the legal requirements in the authentication processes vary regarding the good protected.
When accessing an interconnected device holding a controller role, such as the case of smartphones, the individual will probably gain access not only to the device, but also to other accessible sources in the Cloud, uploaded content from synchronized devices or even the password manager, usually protected with the same access code set up to protect the device. As an example, given the nature of the data processed, the recent incorporation of smartwatches is of interest: they aim to offer health information and share this data with other devices (i.e., the smartphone). However, health data are considered by the General Data Protection Regulation (hereafter, the GDPR) as a special category of data [14], thus the means to access this data should ensure that the person accessing them is the authorized natural person, that is, a strong authentication process. The issue is that the security when accessing this sensitive data relies on the authentication process implemented by the controller device, normally a smartphone, where the synchronized content can be visualized by the user. Therefore, these devices that hold a controller role represent an "access door" to other data, and the protection of these devices poses a challenge since they require an appropriate level of assurance, while convenience must also be maintained.
The cited regulations establish the following legal requirements in order to assure security in the authentication process, or as we have noted before, that the user performing the operation is who claims to be. Article 7 of the eIDAS Regulation establishes a set of conditions for the mutual recognition of electronic identification means in the European Union between Member States. In short, among these conditions, pursuing sections b) and c) "the assurance level must be equal or higher than the level required by the relevant public sector body to access the service online". Security levels are described in Article 8.2, as a number of high-level and somewhat abstract criteria, thus, to determine whether an electronic means fulfills these Levels of Assurance (hereafter, LoAs), we should refer to the Annex of the Commission Implementing Regulation (EU) 2015/1502 of the 8th of September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means. Pursuing this legal text, to achieve at least a substantial LoA during authentication phase, a dynamic authentication method is required. This text also contains a definition for a dynamic authentication in the Article 1 (3) of the Annex, as "an electronic process using cryptography or other techniques to provide a means of creating on demand an electronic proof that the subject is in control or in possession of the identification data and which changes with each authentication between the subject and the system verifying the subject's identity" [15] (p.11). In other words, a multi-factor authentication method where one of the factors changes in each authentication process.
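The defining property of a dynamic authentication method, as quoted above from the Annex of Regulation (EU) 2015/1502, is that the proof changes with each authentication. The following challenge-response exchange is an added illustration of that property and is not part of the paper or of any notified eIDAS scheme. It assumes a symmetric key shared between subject and verifier (a real means would more likely use an asymmetric credential in a smart card or secure element); the class and function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed example. The subject and verifier share a symmetric key that
# stands in for the subject's identification data; an eIDAS-notified means
# would more likely hold an asymmetric key in a smart card or secure element.
# The shared-secret HMAC design is an assumption made to keep the example
# self-contained.

class Verifier:
    """The system verifying the subject's identity: issues a fresh nonce per
    authentication and accepts a proof only against an unused nonce."""

    def __init__(self, subject_key: bytes):
        self._key = subject_key
        self._pending: set = set()   # nonces issued, not yet consumed
        self.log: list = []

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, proof: bytes) -> bool:
        # Each nonce is single-use, so a captured proof cannot be replayed:
        # this is what makes the proof "change with each authentication".
        if nonce not in self._pending:
            self.log.append("rejected: unknown or already used nonce")
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        accepted = hmac.compare_digest(expected, proof)
        self.log.append("accepted" if accepted else "rejected: proof mismatch")
        return accepted


class Subject:
    """The holder of the identification data (e.g., a device or token)."""

    def __init__(self, key: bytes):
        self._key = key

    def prove(self, nonce: bytes) -> bytes:
        # The proof binds the secret to the verifier's fresh nonce.
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def exchange(verifier: Verifier, subject: Subject):
    """One full authentication: challenge -> proof -> decision."""
    nonce = verifier.challenge()
    proof = subject.prove(nonce)
    return nonce, proof, verifier.verify(nonce, proof)


def demo() -> dict:
    key = secrets.token_bytes(32)
    verifier, subject = Verifier(key), Subject(key)
    n1, p1, first = exchange(verifier, subject)
    n2, p2, second = exchange(verifier, subject)
    replay = verifier.verify(n1, p1)                # captured proof, reused
    impostor = Subject(secrets.token_bytes(32))     # holder of the wrong key
    n3 = verifier.challenge()
    impostor_ok = verifier.verify(n3, impostor.prove(n3))
    return {"first": first, "second": second, "proof_changes": p1 != p2,
            "replay_accepted": replay, "impostor_accepted": impostor_ok,
            "log": verifier.log}


if __name__ == "__main__":
    for entry in demo()["log"]:
        print(entry)
```

Two legitimate authentications produce two different proofs, a reused proof is refused because its nonce has been consumed, and a party without the identification data cannot produce a valid proof at all. A static password, by contrast, is the same string on every authentication, which is why it cannot on its own reach the substantial level of assurance the Annex describes.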
On the other hand, the EU Revised Directive on Payment Services (PSD2) within the European Economic Area, has already been implemented in all Member States [16] and introduces the concept of Strong Consumer Authentication (hereafter, SCA) envisaged by Article 4 (30) of this text [17], which has been developed in the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017. The SCA requirement ensures that electronic payments are performed with multi-factor authentication to increase their security. The factors are independent in a way that the breach of one does not compromise the reliability of the other and is designed in such a way as to protect the confidentiality of the authentication data.
From these regulations we can conclude that multi-factor authentication is generally required in environments where identity attributes need to be shared in a trustworthy manner between different parties under the control of the natural person. This requirement can make sense in the scope of application of the cited legal instruments, but its implementation would be more complex in IoT scenarios, which demand the deployment of very specific authentication factors that preserve a high degree of convenience.

STRONG AUTHENTICATORS
At this point we have discussed that those devices operating in an IoT ecosystem require strong authentication mechanisms, especially concerning interconnected devices that hold a controller role. Nevertheless, in such scenario a multi-factor authentication process raises challenges in terms of convenience since these are usually devices that we access many times per day.
This section contains some reflections about the main advantages and drawbacks in the implementation of biometrics as an authenticator, as well as the explanation of an alternative authentication method, the Expanded Password System (hereafter, the EPS). For the development of this section, we will refer to the reflections of Hitoshi Kokumai, a professional in the area, collected from a set of articles, posts and discussions.
Among the categories of factors, we can claim that "inherence factors" offer a higher level of assurance since user impersonation is more complex. The most traditional "inherence" factor is biometrics, however, some reflections must be made account taken of the particularities of the scenario studied in the paper.

Biometrics
Biometric authentication refers to the automatic identification or identity verification of living individuals using physiological and behavioral characteristics [18]. Biometric identification is developed through different techniques, among which the most commonly used are fingerprints or face recognition (especially concerning everyday IoT objects), but there exist others such as the recognition of the iris, the hand geometry or the retina [19]. The study of biometric identification technologies is out of the scope of this paper, but we consider pertinent to highlight some of its common features. Firstly, biometric authentication requires the use of characteristics that uniquely represent an individual. This introduces an important advantage in terms of security as it hampers user impersonation, but at the same time it poses an important risk. Once biometric data are compromised, they will be compromised forever. This aspect of biometrics makes evident the need of stronger security measures when this type of authentication method is chosen, requiring robust security systems or designs. In other words, economic investment.
From a legal point of view the processing of natural persons' biometric data is included in the special categories of data envisaged by Article 9 of the GDPR. Therefore, since the data processing implies a high risk, pursuant to Recital 84 of the GDPR [14] the obligation to conduct a Data Protection Impact Assessment (hereafter, DPIA) will apply. In the DPIA the proportionality of this authentication choice should be studied, as well as the specific technical measures adopted. It should be noted, however, that we are discussing the use of biometric data for authentication purposes (before the device) and not for their comparison and identification by third parties. This aspect has been recently analyzed with regard to facial recognition for identity verification and control in online exams [20] in the Report 0036/2020 of the Spanish Data Protection Agency [21] that, based on the interpretation of the GDPR and the White Paper on Artificial Intelligence of the European Commission, concluded that this case should not be considered a processing of special categories of personal data. For this reasoning, the Spanish Data Protection Agency takes into account what is stated in the Opinion 3/2012 on developments in biometric technologies [22] and distinguishes between: a) Biometric identification, as the process of comparison of biometric data with templates or data stored in a database (search for a match) and b) Biometric authentication, as the process of comparison of biometric data with a single biometric template stored in a device. Only the first case is considered a processing of a special category of personal data.
Nevertheless, although this interpretation exempts the controller from specific legal obligations, particularly concerning the legal basis of the processing, it does not change the nature of the data processed and the risks attached should they be compromised. In this sense, from a legal point of view Article 32 of the GDPR establishes that "in assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed" [14]. This legal provision is reinforced with the right to the protection of personal data envisaged by Article 8 of the Charter of Fundamental Rights [4]. Consequently, the design of IdM solutions requires taking these considerations into account in order to comply with regulations and, what is more important, to offer balanced solutions. The tensions that characterize the relation between security, privacy and convenience in IdM play a key role in the evolution of identity systems. In the case of biometric authentication, security and convenience might imply at least a sacrifice of privacy due to the nature of the data involved.
With these reasonings, we do not intend to disqualify biometrics, but to raise awareness of their implications. If properly implemented, biometrics probably support the most accurate identification means in terms of assuring the user is the person who claims to be, and they are adequate for a scenario where a high degree of convenience must be maintained. However, the "probabilistic" nature of biometrics makes a fallback measure necessary to cover cases of false rejection [23]. Indeed, contrary to the case of "deterministic" authenticators (e.g., text password, PIN or token), the user must be provided with a fallback measure to avoid situations of permanently denied access.
The most common fallback measures for biometrics are text passwords or PINs, hence the user will be required to provide one of these in case of being denied access.
It must be noted that the fallback measure will apply in the case of false rejection, as well as in the case of an unauthorized user. Therefore, the deployment of biometrics alternatively with another authentication factor (that acts as fallback measure) reduces the real security of biometrics to that of the fallback measure. Exceptionally, the fallback measure could be a human manager, i.e., a natural person who can take care of verifying people's identities and grant access in case of false rejection. Nevertheless, this possibility would only be foreseeable for reduced scopes (e.g., to identify the employees in a company) and it would definitely not make sense for accessing devices that we usually have at home.
Despite the controversial conclusions about whether special categories of personal data are or are not processed, the principle of data minimization contained in Article 5 of the GDPR is still of interest. Pursuant to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This implies considering the risks and benefits attached to the data processing or, in other words, an evaluation of proportionality [24]. From the proportionality perspective it is necessary to evaluate whether the aim pursued can be achieved by other means which imply a lower risk. In this sense, there might exist tensions between agility, security and privacy (i.e., biometrics in authentication can be more agile, but due to the nature of this data they can imply a higher privacy risk). The Spanish Data Protection Agency provided some guidelines to evaluate the proportionality requirements [25]; biometric authentication as commonly implemented in the scenario discussed (i.e., biometrics alternatively with a PIN or password) will not fulfill the suitability and necessity criteria (at least from a privacy perspective, omitting convenience aspects), as the same or even higher security (since we would not consider possibilities of false acceptance) [26] is achieved with just a PIN or a text password.
The conclusion is that the possibilities to deploy biometrics in a "multilayer" method [27] in IoT scenarios must be studied, as their current implementation in a "multi-entrance" method lowers the security by increasing the possibilities of unauthorized access [26]. Another possibility would be to explore alternative methods. In this sense, the following method represents an alternative in authentication that aims to maintain convenience while avoiding the use of biometric data.
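The argument of the preceding paragraphs, that biometrics with a PIN fallback ("multi-entrance") can be no stronger than the PIN alone while a "multilayer" combination is stronger but less convenient, can be made concrete by enumerating the possible factor outcomes under each composition rule. The code below is an added illustration, not part of the paper or of reference [26]; the error rates and the PIN guessing probability are constructed values chosen only to show the direction of the effect, and the function names are the example's own.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Attempt:
    biometric_match: bool   # did the sensor accept the presented trait?
    pin_correct: bool       # was the PIN / password entered correctly?


def multi_entrance(a: Attempt) -> bool:
    """'Multi-entrance' in the paper's terms: biometrics OR the fallback."""
    return a.biometric_match or a.pin_correct


def multilayer(a: Attempt) -> bool:
    """'Multilayer': biometrics AND a second factor, both must pass."""
    return a.biometric_match and a.pin_correct


def pin_only(a: Attempt) -> bool:
    """Baseline the paper compares against: a PIN or text password alone."""
    return a.pin_correct


def grant_probability(policy, p_bio: float, p_pin: float) -> float:
    """Probability that `policy` grants access when the biometric check passes
    with probability p_bio and the PIN check with probability p_pin, the two
    being independent. Enumerates the four possible factor outcomes."""
    total = 0.0
    for bio, pin in product((True, False), repeat=2):
        weight = (p_bio if bio else 1 - p_bio) * (p_pin if pin else 1 - p_pin)
        if policy(Attempt(bio, pin)):
            total += weight
    return total


def attacker_success(policy, far: float, p_guess: float) -> float:
    """Unauthorized user: the biometric passes at the false acceptance rate,
    the PIN passes if it is guessed within the allowed attempts."""
    return grant_probability(policy, far, p_guess)


def legitimate_denial(policy, frr: float, p_forget: float) -> float:
    """Rightful user: the biometric fails at the false rejection rate, the
    PIN fails if forgotten. This is the convenience side of the tension."""
    return 1.0 - grant_probability(policy, 1 - frr, 1 - p_forget)


# Constructed rates, not measurements taken from the paper or its sources.
FAR, FRR = 1 / 1000, 1 / 20
P_GUESS = 5 / 10_000     # five tries at a uniformly chosen 4-digit PIN
P_FORGET = 1 / 100

POLICIES = (("multi-entrance", multi_entrance),
            ("multilayer", multilayer),
            ("pin-only", pin_only))


def compare() -> dict:
    """For each composition rule: (attacker success, legitimate user denied)."""
    return {name: (attacker_success(p, FAR, P_GUESS),
                   legitimate_denial(p, FRR, P_FORGET))
            for name, p in POLICIES}


if __name__ == "__main__":
    for name, (atk, deny) in compare().items():
        print(f"{name:15s} attacker success {atk:.2e}   "
              f"legitimate user denied {deny:.2e}")
```

Under an OR rule the attacker's chance is the sum of both doors (minus their overlap), so it is always at least the PIN-only figure; under an AND rule it is the product of the two, but the rightful user is now denied whenever either factor fails, which is the convenience cost the paper warns about for devices unlocked many times a day. The same enumeration works for any number of factors by extending `Attempt` and the policy functions.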

The Expanded Password System
The EPS consists in an authentication method that introduces the possibility of converting text passwords into images. The authentication process would take place by selecting a set of images that only the user is able to select correctly, since these images are associated with his/her autobiographical or episodic memories. The functioning of the method is the following [28] [29]. The user will be able to take or select a set of pictures from his device (e.g., a smartphone). The pictures could be a picture of his last trip, furniture, objects... (ideally something that does not make the individual easily identifiable). During the authentication, the user will be presented these images among other random images and he will have to select them correctly. The identification of the pictures will be easy insofar as they are associated with his/her personal memories. Consequently, the combination of these "personal" images will not only be easy to remember but hard to forget [30]. Nevertheless, it should be noted that this combination of images will be exclusively presented to the user, since software will translate these images into text passwords, which will be the ones finally stored. This would allow the user to create extremely long text passwords without the burden of remembering them.
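To make the described flow concrete (personal pictures chosen at enrollment, shown among decoys at login, translated by software into a long text password that is what gets stored), here is an added example in Python. It is an illustration written for this page, not the EPS implementation of Hitoshi Kokumai or of references [28] [29]; the way pictures are identified, the order-sensitive concatenation, and the use of a salted PBKDF2 hash for storage are all assumptions of the example, and the sample "pictures" are constructed byte strings standing in for image files.

```python
import hashlib
import hmac
import secrets
from typing import Sequence

ITERATIONS = 100_000   # slow-hash work factor for the stored password


def image_id(image_bytes: bytes) -> str:
    """Stable identifier for a picture: hash of its content (constructed; a
    real implementation would hash a normalised image or keep a stored id)."""
    return hashlib.sha256(image_bytes).hexdigest()


def derive_text_password(selected_ids: Sequence[str]) -> str:
    """The 'text password' the software builds from the chosen pictures:
    order-sensitive, 64 hex characters per picture, never typed by the user."""
    return "".join(selected_ids)


def _slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(secret_images: Sequence[bytes], decoy_images: Sequence[bytes]) -> dict:
    """Build the stored record. The gallery lists every picture the device
    will show, secret and decoy alike, in shuffled order, so the record does
    not reveal which ones (or in what order) form the password; only the
    salted slow hash of the derived password is kept."""
    secret_ids = [image_id(b) for b in secret_images]
    gallery = secret_ids + [image_id(b) for b in decoy_images]
    secrets.SystemRandom().shuffle(gallery)
    salt = secrets.token_bytes(16)
    return {"gallery": gallery, "salt": salt,
            "digest": _slow_hash(derive_text_password(secret_ids), salt)}


def present_challenge(record: dict) -> list:
    """Grid shown at login: the whole gallery, reshuffled on every attempt so
    that a tile's position on screen carries no information."""
    grid = list(record["gallery"])
    secrets.SystemRandom().shuffle(grid)
    return grid


def verify(record: dict, selected_ids: Sequence[str]) -> bool:
    """Recompute the password from the user's picks and compare in constant time."""
    candidate = _slow_hash(derive_text_password(selected_ids), record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


# Constructed sample pictures; real inputs would be image files.
MY_PICTURES = [b"photo: last trip, beach at dusk",
               b"photo: living-room sofa",
               b"photo: chipped blue mug"]
DECOYS = [f"stock image {i}".encode() for i in range(9)]


def demo() -> dict:
    record = enroll(MY_PICTURES, DECOYS)
    grid = present_challenge(record)
    owner_picks = [image_id(b) for b in MY_PICTURES]
    wrong_order = list(reversed(owner_picks))
    stranger_picks = [image_id(b) for b in DECOYS[:3]]   # three decoy tiles
    return {"gallery_size": len(grid),
            "password_len": len(derive_text_password(owner_picks)),
            "owner": verify(record, owner_picks),
            "wrong_order": verify(record, wrong_order),
            "stranger": verify(record, stranger_picks)}


if __name__ == "__main__":
    print(demo())
```

The three pictures become a 192-character password the user never sees, which is the convenience gain the paper describes. The security caveat the paper also makes is visible in the numbers: with 12 tiles and 3 ordered picks, someone holding the stored record has only 12 x 11 x 10 = 1320 candidate passwords to try offline, so the slow hash, a larger gallery, and a limit on online attempts carry the brute-force resistance, not the length of the derived string.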
As with other authentication methods, the EPS could be implemented in different ways, hence specific scenarios must be studied. Likewise, some considerations should be made, such as the possibilities of the user in selecting images. However, our study presumes at least an adequate selection of images (i.e., images that do not make the individual directly identifiable). This approach represents an important innovation as it is a hybrid authentication factor. On the one hand, the method proposed remains in the field of knowledge factors as long as the final output is a text password. However, unlike passwords based on pictures or other possibilities offered by derivation algorithms, this password would be intrinsically linked to the person's memories, that is to say, "something he/she is".
While not formally considered an inherence authentication factor, this method could replace or be implemented conjointly with biometrics for authentication in some devices, as it would avoid the problem of remembering passwords or relying on a weak PIN. Indeed, the main advantage is that the EPS would simplify the task of remembering passwords in a context where the excessive number of accounts, devices and passwords, and their corresponding correlation, is becoming an unmanageable burden for the user and resulting in undesirable practices such as writing down all passwords or reusing the same password. Likewise, the particular features of this authentication method can offer a different approach with regard to the forces tensioning. Indeed, the possibility offered by the EPS of converting text passwords into "familiar" images would enhance the user's convenience while offering a privacy-preserving solution, since biometric data would not need to be used.
To conclude, although the EPS would not improve security against threats like brute-force attacks, it could achieve a higher level of security in reducing the scope of impersonation as the recognition of the images would be intrinsically linked to our own person and memories. Indeed, it is still possible that people in our very close or familiar environment are able to select the images correctly, but at the same time this will strongly rely on the images chosen by the user (e.g., the user could choose an image of his favorite number, letter or day of the month). Furthermore, it could also help the user to detect phishing attempts insofar as the images are not presented. Nevertheless, we must also be aware of the limitations of this method, especially in the case of diseases related to the loss or confusion of memory or personal experiences. In addition, in these situations alternative methods for account recovery must be envisaged, which at the same time might lead us again to biometric authentication. Ultimately, a further study of this method should be considered.

CONCLUSIONS
The IoT is in constant development and it requires technology and regulations to adapt to it. The aim of this paper was to offer a set of reflections with regard to the evolution of IdM concerning the IoT, focusing on a concrete aspect, user authentication before the device. The main concern raised throughout this paper is the growing scope of interconnected devices and their increasing functionalities. In other words, the amount and types of data processed are increasing at a breakneck speed and some devices are beginning to represent an "access door" to large sources of data, some of them considered by the GDPR as special categories of personal data. The clearest example is the smartphone. However, we did not want to limit the reflections to this specific device, as the "manager role" that the smartphone holds nowadays could easily be assumed by other devices.
From a practical point of view, we are facing a scenario where most of our private life is accessible through a single or a reduced number of devices, which raises the question of whether the access to this/these device/s is sufficiently protected. As we have pointed out during this paper by making reference to the eIDAS Regulation and the PSD2 Directive, authentication requirements vary depending on the good protected, so, should we reinforce authentication methods in smart devices? Certainly, the evolution of authentication methods implemented in interconnected devices seems to confirm that, but some inconsistencies are also appreciable. The case of biometric authentication cited in this paper is a great example, especially considering the current global situation where most people need to wear face masks. In some devices it is enough that your face is not recognized twice to be asked for your PIN, and measures such as a limit on failed authentications might not prevent the person standing behind you in a queue from seeing your PIN.
This suggests that the main improvement of biometrics for authentication, as they are implemented nowadays in the scenario described, is the convenience of their use. However, does this convenience justify the use of such sensitive data? The answer is that it depends. In scenarios where strong security measures are adopted and alternative strong fallback measures are foreseeable, it might be adequate, and it is perfectly reasonable that devices that we are constantly using have convenient authentication methods. In this regard, the possibilities to implement biometrics in a multi-factor scheme in IoT devices without reducing convenience in authentication, as well as the possibilities offered by hardware tokens, must be studied. The alternative proposed by the EPS might be of interest for certain scenarios (e.g., a device we use a few times per day) or as a fallback measure in biometric authentication to avoid relying on weak PINs and to increase the convenience of passwords.
In conclusion, it might be necessary to maintain properly implemented biometric authentication in those scenarios where a very high level of security is required and the safeguards implemented to protect biometric data are strong enough (e.g., derived feature representation of biometric data). However, for other scenarios it might be desirable to consider alternative authentication methods that do not imply such a high risk as the one posed if biometric data are compromised. This is a topic that will foreseeably evolve and change a lot in the coming years. At the current state, it is necessary at least to reevaluate the implementation of biometrics and determine whether they are proportional to the benefit offered in the scenario discussed in the paper. Likewise, in relation to this scope, other convenient and secure authentication methods must be explored and will hopefully appear in the near future.