The impact of authentication methods on the adoption of the Internet of Things


Business Academy Aarhus

IT Network Technology

The impact of authentication methods on the adoption of the Internet of Things

Biometrics and attribute-based authentication as catalyzing factors

The objective of the project is to investigate the influence of authentication methods of digital identity on the adoption of the Internet of Things. Status quo and future perspective will be taken into account. Qualitative research based on Maxwell theory will be constructed and interviews with leading experts from identity management and Internet of Things industry will be conducted to explore the topic.

Author: Dominika Rusek
Class: 1it14d4
Submission date: 17.12.2015
Supervisor: Jan Christiansen
Company: Deloitte Risk Services B.V.
Signature:


Table of Contents

1. Introduction: The evolution of digital identity
1.1. Context: Growing number of IoT devices
1.2. Problem statement: Management of authentication credentials is becoming more difficult
1.3. Research gap
1.4. The aim: Investigation of the relation between authentication methods of digital identity and IoT
2. Methodology
2.1. Research questions & goal
2.2. Conceptual framework: Linear relationship between IoT status quo and IoT of the future
2.3. Methods: Qualitative research
2.4. Data analysis: nVivo
3. Literature study
3.1. What is digital identity?
3.1.1. Authentication is the keystone of a trust relationship
3.1.2. I can change my password, but I can’t change my eyeballs – what will be the future of authentication?
3.2. What is Internet of Things?
3.2.1. Security and privacy concerns in the Internet of Things
3.3. Conclusion on literature study
4. Results analysis
4.1. Number of credentials is a main concern
4.2. The future of digital identity credentials
4.3. How will Internet of Things evolve?
4.4. Identity in Internet of Things
5. Conclusions
5.1. Discussion
5.2. Limitations
5.3. Further research
Glossary
Bibliography


1. Introduction: The evolution of digital identity

Imagine driving home from work on a cold winter evening. You log in to your heater application on your smartphone and remotely activate the heating system in your house. The GPS tracker in your car monitors traffic on the road and displays the fastest way home on your screen. When you drive into the street, the lights of your house flicker on. You put your finger against a biometric scanner in your smartphone application and the door opens. You go to the kitchen and the smell of fresh coffee hits your nose – your coffee machine has just finished preparing it for you. You log in to the application that monitors the kitchen appliances and see that the fridge has ordered groceries based on your preferences, which will be delivered tomorrow. Finally, after a tiring day, you sit down on the couch and turn on the TV via your mobile app. It is time for some relaxation. It doesn’t sound bad, right?

This scenario is still a vision. In a couple of years it could be part of everyday life. This is the reality of the Internet of Things – a world where all physical assets and devices are connected to the Internet and to each other and share information. The number of Internet of Things devices is growing every year. Today there are 25 billion devices, and this number will grow to 50 billion by the year 2020, according to Cisco [1].

To fully understand this scenario, you have to understand the definition of digital identity. First, let’s define real-world identity. It is a sum of characteristics including birthplace, birthday, address, or social security number [2]. When interacting with computers and using the Internet, a digital identity is needed. Digital identity is a representation of a real-world identity. When accessing Internet resources or logging in to a website, identification is done first, followed by authentication. Identification is the process of presenting an identity to a system, and authentication is the process of validating an identity that was provided to a system [3]. Attributes are used to authenticate the digital identity of a person against a service. Every interaction and transaction that a user has with devices requires the use of digital identities. If the user has sole control over a device like a smartphone, that device can become one of the attributes as well. Every user of the Internet has a digital identity.

INTERNET OF THINGS (IoT) – is a network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment (Gartner)

DIGITAL IDENTITY – is an online representation of a real-world identity

Recent studies by Experian, a global information services company, show that consumers have an average of 26 separate digital identities and use only 5 different passwords [4]. This corresponds to research done by CSID, an identity protection provider, which found that 61% of consumers reuse passwords across multiple websites [5]. The Telegraph reports that the average person uses 10 online passwords a day [6]. Managing several passwords and accounts every day is clearly troublesome. 38% of adults sometimes think it would be easier to solve world peace than to attempt to remember all their passwords, as a study by Janrain, a customer profile-management provider, shows [7]. It is convenient for customers to reuse passwords instead of creating a new password for each service. But this raises a security issue, as nobody can be exactly sure how companies deal with usernames and passwords. Some store them in plain text; some use basic password encryption or hashed passwords, which adds more protection; and some use slow hashes, which according to most security experts is the best option for storing passwords [8]. The user can’t control it. Since the majority of Internet users reuse passwords [9], if one account on a website with poor security gets compromised, the risk is very high that other accounts will be compromised too.
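The storage options described above, as an added example that is not part of the original thesis: it compares plain text, a fast unsalted hash and a slow salted hash for one password reused on two sites. PBKDF2 from Python's standard library stands in for the "slow hash"; the sample password, the iteration count and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample: one user who reuses the same password on two sites.
REUSED_PASSWORD = "Winter-Evening-2015"
# Assumed work factor for this example; real deployments tune it to their hardware.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """Weakest option: the stored record is the password itself."""
    return password


def store_fast_hash(password: str) -> str:
    """One unsalted SHA-256 pass: equal passwords yield equal records."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_slow_hash(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256: a random salt plus many iterations per guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_slow_hash(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def reuse_is_visible(store) -> bool:
    """True if the records kept by two sites show that the password is the same."""
    site_a = store(REUSED_PASSWORD)
    site_b = store(REUSED_PASSWORD)
    return site_a == site_b


def cost_ratio(samples: int = 2000) -> float:
    """How many times more work one password guess costs with the slow hash."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.sha256(f"guess{i}".encode()).hexdigest()
    fast = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", b"constructed-salt", PBKDF2_ITERATIONS)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    for name, store in [("plain text", store_plaintext),
                        ("fast hash", store_fast_hash),
                        ("slow salted hash", store_slow_hash)]:
        print(f"{name:17} reuse visible across sites: {reuse_is_visible(store)}")
    print(f"one guess costs about {cost_ratio():,.0f}x more with the slow hash")
```

With the salted slow hash, the two sites hold different records for the same password, and every guess against a leaked record costs the full iteration count.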

In 2013, hackers gained access to Adobe customers’ IDs and encrypted passwords [10]. 36 million customers were affected. A year later, eBay was hacked and 145 million passwords were retrieved [11]. The database contained customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth [12].

The way users are forced to manage multiple username and password combinations, and the way companies store them, raises concern and does not help to create a safe digital ecosystem.

Authentication methods like passwords are already a big hassle, and this will get worse with the growth of the Internet of Things. As mentioned earlier, Cisco forecasts that the number of devices on the Internet of Things will grow from 25 billion in 2015 to 50 billion in 2020 [13]. With this growth in mind, it is important to understand the impact of digital identity on the Internet of Things. Each device, sensor and person needs to have an identity, to ensure that data collected by the Internet of Things is relevant and attached to a device. Soon, users will have to manage several Internet of Things devices. With traditional password authentication this will be time-consuming and inefficient. The interconnected landscape is developing rapidly and measures need to be taken to ensure appropriate identity management for the IoT.

1.1. Context: Growing number of IoT devices

The ability to ensure only authorized access to systems and data is critical for protecting information. The process of controlling access starts with defining digital identities and associating them with credentials. With the explosion of the Internet and the adoption of the IoT, the average user needs to manage multiple username/password combinations to get access to resources.

Every device on the Internet of Things has an identity [14]. Therefore, with the growing number of IoT devices, the number of digital identities grows as well. To be able to use a digital identity, authentication is needed. Authentication enables devices to securely link to other devices and services. At the same time it allows people to receive and see data from a device and to accept or deny connections with other devices.

The starting point for this research was the report “The Identity of Things for the Internet of Things”, written by analysts Earl Perkins and Ant Allan from Gartner. The authors emphasized that existing ideas and approaches to identity management won’t be relevant for the IoT. They also stated that “Managing identities and access is critical to the success of IoT (...)” [15]. The second paper that caught attention was “The Identity of Things (IDoT)”, written by ForgeRock. The white paper states: “We have reached a point where consent and control over devices and data is critical to the success of IoT”. The authors determined that the online representation of a person, called digital identity, and its management are important for the Internet of Things. With billions of devices on the Internet of Things, determining whether someone is in fact who they claim to be is significant [16]. The importance of authentication of digital identity was confirmed in the study “Authentication in Internet of Things” by analysts Anmol Singh and Earl Perkins from Gartner. The analysts came to the conclusion that “Authentication plays pivotal role in ensuring access to IoT devices, but authentication methods used in today’s IT may not work for all IoT device classes” [17].


Based on the literature study it can be concluded that the aspect of digital identity and authentication is important for the Internet of Things. Therefore the main focus of this research will be the future of digital identity and the IoT and the relationship between them. To be able to benefit from the IoT, a shift away from traditional ways of authentication, like usernames and passwords, is needed.

1.2. Problem statement: Management of authentication credentials is becoming more difficult

A username/password combination has been the main method of authentication for more than four decades [18]. In the early years of the Internet, people started to create digital identities to access websites and services. These were needed to log in to different websites, make purchases or communicate online. As long as people didn’t have too many accounts online, username/password authentication was efficient and scalable.

Since 1999, when the Internet became mainstream [19], things have changed rapidly. Currently, the average Internet user has 26 different accounts according to Experian, a global information services company. Using traditional ways of authentication like the username and password combination is becoming a burden. The technology industry has been trying to find more user-friendly and secure authentication methods for years, yet usernames and passwords are still commonly used.

On top of that, the Internet of Things is under rapid adoption. It has been an important topic of conversation in technical circles in the past few years [20]. The IoT connects everything – devices, sensors, and people. It is a huge interconnected network. Authentication is needed to provide security and the right access to the right people. In order to use devices that are connected to the IoT, like a coffee machine, shoes with a GPS tracker, or a heating system, the user needs to authenticate his digital identity against a service. Nowadays, the average person has 1,7 IoT devices; by 2020 this number will double to 4,7 devices per person [21]. The number of devices per person might seem low, but this is because the calculation is based on the entire world population. If we reduce the population sample to only people connected to the Internet (2 billion), the number of devices rises dramatically – it jumps to 6,25 instead of 1,7 [22].

Authentication for the Internet of Things is getting challenging. Existing methods like usernames and passwords are becoming ineffective due to the number of devices. This increases the chance of human error and the sophistication of malware attacks [23]. The huge number of devices means that it is most likely impossible to securely authenticate every part of the network with passwords [24]. Not to mention, the collection of passwords would be a huge liability for users. New solutions, which are more secure, user-friendly and seamless, are needed.

Problem statement: It is becoming more difficult to manage authentication methods for the increasing amount of Internet of Things devices.

1.3. Research gap

The Internet of Things is growing at a significant pace and this trend will continue in the future. Whilst research has been done on the security and privacy of the IoT (Ukil & Sen, 2011; Yuanjun, 2013; Medegalia & Serbanati, 2010; Weber, 2010), the concept of identity for the Internet of Things is relatively new and unexplored. Based on the literature study for this thesis, it seems that the concept of digital identity and the ease of authentication within the IoT has not been explored enough. Therefore, the research will address the influence of digital identity and authentication methods on the Internet of Things.


1.4. The aim: Investigation of the relation between authentication methods of digital identity and IoT

The goal of this research is to contribute to the existing literature by clarifying the relationship between digital identity and the Internet of Things. The evolution that authentication within the IoT will undergo will be investigated. Through the development of a model with predictions, the relationship between the IoT and digital identity authentication will be explained. This will be done based on qualitative interviews conducted with experts from the academic field as well as experts from private companies actively working in the digital identity and IoT industry.

This research could be a valuable input for companies, which, based on the prediction model, can make better decisions on which authentication method to apply to their products and services, so that customers are satisfied and security is in place. The decisions made by companies will directly impact consumers, as they will be the target group. It will also help customers to understand what is happening on the market with the development of the Internet of Things and the abundance of devices that everyone has. It might help them to recognize the processes behind authentication and the value of digital identity. This will lead to customers being capable of making more conscious decisions.

Aim: Investigate if there is a relation between digital identity authentication methods and the Internet of Things.


2. Methodology

The way of working is based on the book “Qualitative Research Design, An Interactive Approach” by J. Maxwell (2005). In order to structure the research, an interactive model of research design is used (see Figure 1).

This model describes five elements that need to be addressed in order to come up with a well-structured design.

1. Goals: What issues need to be clarified and why is the research worth doing?
2. Conceptual framework: What is the approach for the research?
3. Research questions: What needs to be understood and what are the questions this research will answer?
4. Methods: How is the research structured?
5. Validity: What are the alternative interpretations and validity threats?

Figure 1: Interactive model of research design, Maxwell (2013)

Research questions are at the center of the design and connected to all the components. They might be modified or expanded as a result of changes in goals or conceptual framework. The research questions have a clear relationship with the goal of the study and are grounded in what is already known about the topic. The goals of the study should be informed by current theory and knowledge. The bottom triangle of the model is the operational half of the design. The methods used during the research need to enable answering the research questions and deal with validity threats.

[Figure 1 diagram labels: RESEARCH QUESTION (center), GOALS, CONCEPTUAL FRAMEWORK, METHODS, VALIDITY]


Each component will be defined and described in the following sections.

2.1. Research questions & goal

The main research question is: “What is the relationship between authentication of a digital identity and the Internet of Things?” This question will be answered from a status quo and future perspective. To answer this question both fields of digital identity and the Internet of Things need to be investigated. The main question has been divided into sub-questions:

A. How will digital identity authentication methods evolve towards 2020?
B. How will the Internet of Things evolve towards 2020?
C. How is ease of authentication influencing the adoption of the Internet of Things?

The questions will be answered by literature review and interviews with experts from identity management and the IoT industry. First, the future of authentication of digital identity and the IoT will be investigated as separate topics. Later the intersection of those two topics will be examined, which should answer the question about the relationship between those two.

2.2. Conceptual framework: Linear relationship between IoT status quo and IoT of the future

The relationship between digital identity and the IoT is an interesting subject, as it aligns the topic of digital identity with the Internet of Things. Whilst research has been done on digital identity and the IoT separately, little research seems to have taken place on the relationship between them.

Figure 2 shows the relationship between digital identity and the IoT now and in the future. Nowadays, the Internet of Things is a hype, which means that it is intensively promoted and is at the peak of expectations. The usage of IoT devices is growing, but managing digital identity credentials (username/password combinations) to get access to collected data is time-consuming and not user-friendly. Authentication methods like username/password combinations are a barrier to more rapid adoption of the IoT. A user will think twice before buying another gadget, because another set of digital identity credentials will be needed during the registration process. Managing multiple devices with different digital identity credentials will be a big hassle. This barrier might slow down the adoption of IoT devices by consumers. On the other hand, if the authentication methods are easier and privacy-friendly, this might encourage users to buy and use more connected devices. The red line indicates the process of adoption of the IoT, which is slowly going from the IoT as we know it now to the IoT of the future. However, without appropriate digital identity authentication the adoption of the IoT will slow down.

Figure 2: Conceptual model

In order to contribute to the existing literature, an investigation of how digital identity influences the adoption of the IoT is needed. This will be done by conducting semi-structured interviews. The main hypothesis for this research is the following:

1. Ease of authentication methods can have a positive impact on the adoption of the Internet of Things.

The main hypothesis was divided into sub-hypotheses, as follows:

1.1. Traditional methods of authentication can slow down the adoption of the Internet of Things.
1.2. New methods of authentication can accelerate the growth of the Internet of Things.

2.3. Methods: Qualitative research

The first phase of research was a collection phase that also involved a detailed analysis of the literature, which revealed key issues of digital identity and the Internet of Things today. Most of the collected data are reports, presentations, and white papers. The white papers come from identity management, Internet of Things and information technology research companies.

The second phase involved qualitative research, which was conducted to answer the main research question. The advantage of qualitative research is that it examines the topic in detail and in depth, and it also encourages people to expand on their responses [25]. The approach used for performing the qualitative research was the Pyramid Principle by Barbara Minto [26]. This approach involves formulating a hypothesis based on the literature review and conducting qualitative research to prove whether this hypothesis is correct.

The method used for data collection was semi-structured interviews, conducted either through face-to-face meetings or using voice over IP. The semi-structured type of interview was selected because it allows new ideas to be brought up during interviews as a result of what the interviewee says. Participants were leading experts from private companies actively working in the identity management and IoT industry, banks, and consultants within the industry. The European market of identity management and the Internet of Things was the focus. In total 22 interviews, each of approximately one hour’s duration, were conducted. The interviews were recorded and later transcribed into digital text. The transcription made the actual data obtained through the interviews clear and visible. The findings reported in this paper are restricted to the results of the literature analysis and the semi-structured interviews.

2.4. Data analysis: nVivo

The data analysis phase consisted of evaluating data using analytical and logical reasoning. All 22 interviews were transcribed and imported into nVivo. nVivo is a computer program used for analysis of qualitative data, and it was used to help with the management of data during coding. Coding is “a systematic way in which to condense extensive data sets into smaller analyzable units through the creation of categories and concepts derived from the data” [27]. It helps with the organization and interpretation of data and helps to lead to a conclusion. The data from the interviews was aggregated and filtered by the nVivo software, which resulted in the creation of thematic categories. The outcome obtained through the qualitative interviews was validated. A short summary of the results was sent to participants to confirm that the content is in line with their point of view.


3. Literature study

3.1. What is digital identity?

According to Collins English Dictionary, identity is “The state of having unique identifying characteristics held by no other person or thing”. There was always a need to prove that we are who we claim we are. In the physical domain this is done with a paper certificate, a passport or, later, an ID card. However, with the adoption of the Internet in the 90s [28], a new type of identity was created – digital identity. Digital identity is an online representation of real-world identity. It consists of a collection of attributes. To access services or resources, authentication of the digital identity is required. There are multiple methods of authentication; the most common is a password/username combination. Every Internet user has multiple digital identity credentials for different services, with different levels of assurance. The level of assurance (LOA) of a digital identity is the degree of trust that the person who presents a digital credential is in fact that person [29]. According to the Standard for Personal Digital Identity Levels of Assurance, level 0 is the lowest level of assurance, where no identity is being claimed or asserted. In level 1, there is some claim to an identity. One example is an e-mail address that is used as identity verification. For levels 2 and higher, the claim to a physical identity is stronger, by using a photo ID from a reliable authority like a government or bank.

The level of assurance is a way to determine trust online. According to P. Windley in the book “Digital identity”, every authentication done using digital identity infrastructure depends on trusting that an identity and its attributes are correct. In an online world obtaining trust is more difficult than in the physical world, because online transactions are more impersonal, more automated, entail more legal uncertainties and present more opportunities for fraud and abuse [30]. There are several ways of authentication that prove the trustworthiness of digital identities.

3.1.1. Authentication is the keystone of a trust relationship

Authentication is a “process or action of proving or showing something to be true, genuine or valid”, as stated in the Oxford Dictionary. In the online world, authentication ensures that the claimed identity is the same as the identity being presented in an online setting [31]. The authentication process involves presenting credentials and comparing them to those in a database. If the credentials match, the process is completed and the user is granted access.

In the context of the Internet of Things there are two types of authentication: user authentication and machine authentication [32]. User authentication occurs within human-to-computer interaction. A user has to enter credentials to begin using the system. Machines need to authorize their automated actions within a network as well. Machine authentication can be done with machine credentials such as digital certificates or public key infrastructure. Machine authentication is a broad topic, hence it is out of scope for this paper. The main focus will be user authentication.


Authentication factors refer to the type of information used to verify a person’s identity in the online world.

All approaches for authentication rely on at least one of the following:

1. The most popular are username/password combinations [33]. They rely on the “Something that you know” factor. Although this method doesn’t require a lot of processing power to authenticate [34], it has several drawbacks. First of all, it is easy to lose control of passwords. Users share passwords with other users, or write them down and other users read them. Long and complex passwords are harder to guess; however, they are no less vulnerable to other attacks like phishing [35]. Complex passwords are also harder for users to remember, therefore users use the same password across multiple websites, which might result in compromising them all. Another type of “Something that you know” factor is the one-time password. One-time passwords were developed to avoid the problems associated with reusing passwords [36]. They are valid for only one login attempt, so they cannot be used to log in again. If the password is captured, a potential attacker won’t be able to abuse it, as the credential will no longer be valid.

2. The “Something that you have” factor refers to items such as smart cards. Using a smart card requires physically inserting the card into a card reader and entering the PIN. Smart cards provide stronger security, because they require physical possession. At the same time this is a drawback and limitation – a user needs to carry a card at all times to be able to authenticate.

3. The third factor – “Something that you are” – refers to biometric methods of authentication, like a fingerprint, retinal or iris scan and voice analysis. Fingerprint recognition is the most widely used biometric method today [37].

Figure 3: Three factors of authentication
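The one-time password property described in item 1, as an added example that is not part of the original thesis: a counter-based one-time password (HOTP, RFC 4226) whose verifier advances its counter after each successful login, so a captured code is rejected when it is replayed. The class name, the look-ahead window and the use of the RFC 4226 test secret are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 4226, Appendix D (not a real credential).
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute the HOTP value for one counter position (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OneTimePasswordVerifier:
    """Server side (hypothetical class): accepts each code at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few codes generated but never sent

    def verify(self, submitted: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                # Move past the accepted code: it and all earlier codes are now dead.
                self.counter = candidate + 1
                return True
        return False


def replay_demo() -> dict:
    """A code is accepted once, rejected on replay, and the next code still works."""
    server = OneTimePasswordVerifier(RFC4226_TEST_SECRET)
    captured = hotp(RFC4226_TEST_SECRET, 0)   # code the user sends, seen by an eavesdropper
    return {
        "first_login": server.verify(captured),
        "replay": server.verify(captured),
        "next_code": server.verify(hotp(RFC4226_TEST_SECRET, 1)),
    }


if __name__ == "__main__":
    print(replay_demo())
```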


Trust and security in an online society are the most challenging problems businesses face these days38. Authentication is a way to confirm the truth of a digital identity and establish trust between parties involved in a transaction. Therefore it is very important that authentication methods are secure. With the growing number of devices connected to the IoT, the number of interactions online will also grow. According to Gartner39 “Authentication plays a pivotal role in securing access to IoT devices, but authentication methods used in today’s IT may not work for all IoT devices”. New ways of authentication, beyond username/password combinations are needed.

3.1.2. I can change my password, but I can’t change my eyeballs – what will the future of authentication be?

For more than four decades usernames and passwords have been the basis for authentication when accessing online services40. It was a practical approach back in the day, but today’s user activities and the evolution of the Internet of Things have changed the computer landscape so much that usernames and passwords are not able to protect systems anymore.

The Internet of Things is developing rapidly and the average user has more devices than ever before. This number will grow in the future. From 4.9 billion devices we will move to 25 billion devices, as Gartner predicts41. It is impossible to manage multiple usernames and passwords to log in to each of those devices. More secure and user-convenient methods of authentication are needed and the industry is putting its hope into biometrics.

Biometrics is the measurement and analysis of unique physical or behavioral characteristics especially as means of verifying personal identity42. One of the most commonly used biometric technologies is fingerprint recognition. Law enforcement agencies and governments have been using biometric technology for many years for accurate identification. Biometric technology is now more sophisticated43 and has become an alternative to traditional password authentication. Biometrics identify a user by the “who they are” factor of authentication, which removes the need to remember password combinations.

Combining different factors of authentication provides more security. In fact Gartner advises that businesses should use multifactor authentication44. It adds additional protection by using more than one method of authentication, from independent categories. For example, using a smart card and a PIN is two-factor, since the two factors are “something that you have” and “something that you know”. It decreases the chances of an unauthorized person circumventing the security system, as the person needs both factors to get access.

3.2. What is the Internet of Things?

From a computer perspective the IoT is not new. In 1982, a group of students from Carnegie Mellon University connected a Coke machine to the Internet45. The reason was fairly simple. Nobody in an 8-story building would like to go to the third floor only to discover that the machine is empty and they can’t buy a can of Coke. That is how they came up with the idea to hook it up to the Internet and check whether the drink is available.

BIOMETRIC AUTHENTICATION–relies on the unique biological characteristics of individuals to verify identity for secure access to electronic systems (TechTarget)


Although the Internet of Things has been around for many years, Cisco estimated that it was born between 2008 and 200946. This means that around that time the number of devices on the Internet of Things outnumbered the number of people living on the Earth (see Figure 4). Currently, the Internet of Things is growing at an even quicker pace. Cisco predicts that there will be 25 billion connected devices in use in 2015 and 50 billion by 202047.

Gartner explains the IoT as “a network of physical objects that contain embedded technology”48. It refers to a growing network of physical objects – so called “things” that can communicate with each other. An object becomes a part of the Internet of Things because of two features: a unique identifier and Internet connectivity49. “Things” are also called “smart” devices. Internet connectivity allows a device to communicate with computers or other objects. Each of those devices is identifiable by an IP address. IoT devices communicate via a radio that can send and receive wireless communication. It is important that devices operate on low power and use low bandwidth, because many IoT devices like door locks or standalone sensors will use batteries, instead of power from electrical systems.50 If the “smart” device uses small amounts of energy, the usage will be more efficient.

Figure 5 shows the full range of Internet of Things home appliances. “Things” can be home appliances like lightbulbs, heaters, refrigerators and coffee machines, medical devices or even fitness trackers. The smart home industry, which includes entertainment appliances, smart home appliances and kitchen appliances, is projected to grow from $33 billion in 2013 to $71 billion by 2018, according to a study by Juniper Research51.

Figure 5: IoT home automation

Figure 4: When was the Internet of Things born?


The IoT is becoming reality thanks to several factors. The hardware is cheaper than ever before and production costs are constantly dropping. The costs of connecting a device are also decreasing. At the same time wireless connectivity is evolving at a rapid pace, broadband Internet is widely available and the sale of smartphones and tablets is sky-rocketing. The convenience of having technology that helps people with all kinds of day-to-day activities also makes the Internet of Things popular and widely adopted.

3.2.1. Security and privacy concerns in the Internet of Things

Security

The top concern in cyberspace is the security of devices and the data they collect, process and transmit52. Financial losses from cyberattacks run into the billions. McAfee estimates that the annual cost to the global economy is more than $400 billion53.

With the growing number of devices on the IoT, the potential risk of a successful intrusion and data breach is also higher. With more connections and points of entry, the IoT increases exposure to cyber risk. For example, an employee might infect the organization’s network by coming to work with a wearable device like a smart watch, and the hacker subsequently gets access to other parts of the company’s network.

Privacy

Privacy, along with security, is one of the most challenging issues for the Internet of Things. Although it is not the main focus of this paper, it is an extremely important aspect of the IoT, certainly worth mentioning. Privacy is “the quality or state of being apart from company or observation”54, in other words the state of being secluded. It is also a “right to keep personal matters and relationships a secret”55. The article called “The Right to Privacy”, published in the Harvard Law Review in 1890, formed a basis of today’s privacy. It was inspired by the rise of photography, newspapers and the possibility to publish images and personal information to the public. The world has changed since then. Technology has advanced at a rapid pace. Nowadays, we not only have newspapers and photography, but also television, computers, the Internet and the Internet of Things. Safeguarding our personal data has become even more difficult.

The availability of cheap sensors and smartphones is one of the reasons why the Internet of Things is growing at a rapid pace56. The evolution of the IoT has led to an increasingly connected world. With billions of devices being part of the IoT, more data is being produced, processed and transferred than ever before. Cisco reports that the IoT will generate 400 zettabytes (ZB) of data by year 201857. Sensors connected to the Internet of Things collect sensitive personal data like precise geolocation, health or household information and store it in the cloud. The massive volume of gathered data makes it possible to perform complex analytics and discover patterns, which wasn’t possible before the era of the Internet of Things. The data collected by IoT devices might be used by companies to make credit, insurance or employment decisions. A good example is a popular fitness tracker band. Now it is used for wellness purposes, but the data gathered by the device might for example be used by insurance companies in the future.

The capacity to correlate data might have scary consequences. A good example is a Samsung television. It is possible that the “smart TV” voice recognition software was transmitting private conversations to a third party58. Customers might be unaware of the presence of sensors and of the spectrum of data they produce59. In addition, they don’t have a choice. Either they accept oppressive user terms & conditions or they don’t get to use the service.

The increased collection and processing of personal data triggers numerous debates. Governments need to update laws and regulations, so they can handle the explosion of the Internet of Things. The European Commission plans to unify data protection and has proposed a reform of data protection rules in the EU called the General Data Protection Regulation60. The goal is to give citizens back control over their personal data.

3.3. Conclusion on literature study

Creating trust online is a big challenge. People use digital representations of themselves to communicate, shop and work online. An average Internet user has multiple digital identities and this number is constantly growing. At the same time we are in the hype of the Internet of Things. It is a topic of broad and current interest. The number of connected devices and sensors is growing at a tremendous rate. Most people focus on the security and privacy aspect of the Internet of Things, but some voices are being raised saying that it is identity that is a crucial part of the interconnected world. As billions of devices have Internet connectivity, can communicate, and do things on our behalf, identity in the IoT is becoming a critical component of the modern Web. Each of those “entities” needs a unique identity, otherwise the transactions over the IoT won’t be trustworthy.

The way identity is confirmed is through authentication. Right now, mainly usernames and passwords are used for this purpose. In a couple of years, everybody on the planet will have at least 6 “smart” devices. On top of that, average users are subscribed to different websites and services. Logging in to those devices or services with a separate username and password would be a nightmare. If the industry doesn’t stop using passwords and the authentication method doesn’t change to a more user-friendly one, it will slow down the adoption of the Internet of Things. As a consumer I would think twice before buying another “smart” device for which I need separate credentials to be able to see the collected data and further use it. Traditional authentication methods are simply not scalable anymore.


4. Results analysis

The main focus of this chapter is analysis of conducted interviews. It consists of three parts, including analysis of digital identity, Internet of Things, and the relation between digital identity and Internet of Things.

4.1. Number of credentials is a main concern

Authentication

The number of credentials used by an average person to prove digital identity is a growing problem. In most cases, username and password combinations are still used. The more services the user interacts with, the more accounts and credentials need to be managed. It results in people losing track of different credentials, using weak password combinations or repeating the same passwords across websites. If one of the passwords gets compromised, all of them are. The problem with the registration process was mentioned as well. During registration for a website users need to provide information, and when they wish to access another service, the registration is needed one more time. This necessity to provide the same information for different services is becoming a burden.

Privacy

Various participants think that privacy is the biggest concern of digital identity. Users have no insight into which data is being accessed and by whom. The management of digital identities is obscure. There is strong pressure from corporations that want to connect all the services and therefore collect information about users. The responders fear that their goal is the ownership of the user’s identity, which is a big privacy threat. Another problem according to participants is the loose approach to personal data that companies have. The security measures taken to protect it are not enough. User profiling, which involves construction of profiles based on user behavior online, generated by computerized data analysis, is also declared a privacy concern.

4.2. The future of digital identity credentials

In the future, there will be multiple digital identity credentials for websites or services, just as there are now, but the number will be reduced to about 2 or 3 with different levels of assurance. One will be a digital identity with a high level of assurance used for banking transactions or taxes, the other one will have a low level of assurance and be used for social accounts or web shops. The last one might be a “throw away” digital identity, with a very low level of assurance, used only for non-important services. Responders insist that having clarity and an overview of how the digital identity credential is used is very important and should be provided in the future to mitigate privacy issues. This could be a manager of identities or a “gate keeper”, which warns the user about the data that is being shared during a transaction. One person stated that if users had one single identity, the difficulty of the authentication would not be a problem. Users would be willing to set up and manage the security of only one account, instead of creating weak username/password combinations for multiple services.


Figure 6 presents the point of view of participants on the future of authentication. The common opinion is that current digital identity credentials are not future-proof and will be replaced in the future. However, part of the responders say that the username/password combination will still be in use. One interviewee claims that if users had only one digital identity credential instead of so many different ones, they wouldn’t be opposed to having long and complicated passwords.

The majority agrees that multi-factor authentication will be widely used in the future, as one factor authentication doesn’t provide enough security. Social login might become even more popular. Re-using digital identity credentials across multiple websites and services is highly convenient for users.

From the research it can be concluded that biometrics will be one of the standards for authentication in the future. This includes two types (as shown in Figure 7): behavioral patterns like keystroke analysis or signature analysis, and physical traits like fingerprint, facial recognition or voice recognition. With the use of biometrics the authentication would be more user-friendly.

Figure 6: Authentication methods


One interviewee added that biometrics are a great way to enhance authentication, but as the username component, not as the password. The reason is that a person has only one set of biometric traits. If they get compromised, there is no way to change them, unlike in the case of the “something that you know” factor.

In the future, there should be a way to put users in control of their identity. A way to do it might be using attribute-based authentication. Interviewees say that whenever it is possible attributes should be used instead of identities. Attribute-based systems don’t exist on a massive scale yet, but there are groups developing frameworks based on attributes (UMA, IRMA). The way authentication works now is that each user is identified in a back-end system, all attributes are retrieved and based on that the authentication decision is made. This could be done directly, where a user immediately gives the attribute instead of the identifier. This way the system wouldn’t store the identifier. However, corporations do want to use identifiers. Identifiers make it possible to profile people and trace them, and this is part of the corporations’ business model. Participants fear that this might be an obstacle for attribute-based authentication.
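The direct flow described above, where the user hands over an attribute instead of an identifier, as an added example that is not part of the original paper and not how UMA or IRMA are implemented. It uses salted hash commitments for selective disclosure; the function names, the sample attributes and the use of a shared-key HMAC in place of an issuer's digital signature are all assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key; stands in for the issuer's signing key (assumption).
ISSUER_KEY = secrets.token_bytes(32)


def commit(salt: str, name: str, value) -> str:
    """Salted digest of one attribute; without the salt the value cannot be guessed."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def seal(digests: list) -> str:
    """Issuer's tag over the full list of attribute digests."""
    return hmac.new(ISSUER_KEY, "".join(digests).encode(), hashlib.sha256).hexdigest()


def issue(attributes: dict) -> dict:
    """Issuer: commit to every attribute with its own salt, then seal the digests."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    digests = sorted(commit(salts[n], n, v) for n, v in attributes.items())
    return {"attributes": attributes, "salts": salts,
            "digests": digests, "seal": seal(digests)}


def present(credential: dict, name: str) -> dict:
    """Holder: reveal one attribute and its salt; the rest stay opaque digests."""
    return {
        "digests": credential["digests"],
        "seal": credential["seal"],
        "disclosed": [credential["salts"][name], name, credential["attributes"][name]],
    }


def verify(presentation: dict, name: str, expected) -> bool:
    """Verifier: check the issuer seal, then that the disclosed attribute was committed."""
    if not hmac.compare_digest(seal(presentation["digests"]), presentation["seal"]):
        return False
    salt, got_name, got_value = presentation["disclosed"]
    if got_name != name or got_value != expected:
        return False
    return commit(salt, got_name, got_value) in presentation["digests"]


if __name__ == "__main__":
    # Constructed sample credential.
    cred = issue({"name": "Alice Example", "birth_date": "1990-01-01", "over_18": True})
    shown = present(cred, "over_18")
    print(verify(shown, "over_18", True), "Alice Example" in str(shown))
```

The digest list is identical in every presentation, so colluding verifiers could still link them; IRMA's Idemix credentials use zero-knowledge proofs to avoid that.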

Conclusion: In the future there will be combinations of authentication methods used, including biometrics and attribute-based authentication.

4.3. How will the Internet of Things evolve?

The biggest benefit of the Internet of Things is user convenience. Some participants state that users are willing to give up their sense of privacy when enough convenience is given in return. IoT users are also looking for time savings. Using connected devices helps them with day-to-day activities, leaving more time to do fun things.

With the ability to aggregate and provide data analysis, improvements around electricity, energy usage, better role planning, and better health care provision can be seen. Instead of simply collecting data, devices will report their current status or predict when they will fail. Since everything will be connected, it will improve efficiency and bring money savings.

With the adoption of the IoT, new groups of technically savvy people might be formed. They would understand the processes behind the Internet of Things and become more influential than the average user.

Figure 7: Biometric methods of authentication:


Good use cases and better service delivery will accelerate the growth of the IoT. If shopping online becomes as easy and accessible (for example through user-friendly authentication methods) as a normal shop, the IoT will grow further.

Internet of Things threats

Security for the Internet of Things is one of the biggest issues to be solved. Authentication is one of the most important ways of securing systems. Dependence on online presence is also mentioned as a threat. If something happens with Internet connectivity, none of the IoT devices will work. The participants also indicate that there is no real control of the data collected by IoT devices. If the information is published on the Internet, there is no power to erase it.

The problem is that Personally Identifiable Information is mixed with non-sensitive information. If there is a distinction between those two, the privacy issue can be mitigated. It is called anonymization of data. If a user wants to proceed with a certain transaction, for example to buy shoes online, an identity in the form of a number is needed. If specific functions are assigned to that number and it is sent to the shoe seller instead of the identity, then even if a hacker eavesdrops on that information, it can’t be related to a person.

The majority states that ease of use is more important for customers than privacy. Some participants say it will only get more important in the future, while others state that people will realize the importance of privacy. One person says that it depends on the activity online. If users are buying a sweater, ease of use and convenience are important; if a bank transfer is being done, privacy and safety of the data are. The participants point out that users don’t have a choice between ease of use and privacy. Either they have to accept the terms of the agreement, or resign from a service. The process of storing and sharing information is not transparent either. Having simple, clear processes should be a standard. It will change in the future, but it will be a time-consuming process.

Government participation in the IoT

Governments will continue to create regulations, but at the same time they will not be able to keep up with the technology and the market. Some suspect there will be a conflict between organizations that want to collect and use user data and people who want privacy. The only way to limit this is to have regulations. Another point of view is that governments should set principles and provide insights and the means to apply them, without actively organizing it themselves. The government is not one entity, hence one vision is almost impossible to achieve. In this case it would be more self-regulating than enforced by government. Some say there is no possible way that a government which changes every couple of years can solve the issues that the technology industry is facing; others are afraid that creating legislation will limit development.

Conclusion: The biggest benefit of the Internet of Things is user convenience and time saving. Security and privacy of data is the biggest concern. Opinions are divided when it comes to government participation in ensuring security.

4.4. Identity for Internet of Things

The current way of thinking about digital identities will be extended. According to interviewees, identity is a key to unlock the potential of the IoT. Before the IoT, only people had identity. With the development of the IoT, not only people have identity, but also devices and sensors. Without a unique identifier, they cannot be registered or connected to other devices, nor can they control certain processes.


Devices connected to the Internet of Things act on users’ behalf. The user needs to define tasks to be performed by a device by sending instructions. “Things” are tied to a person’s identity via an email account on a smartphone. This means that for every use of a device connected to the IoT, a login is needed. The majority of participants agree that easier authentication methods will enable people to access digital services more easily, hence it will be easier to use devices connected to the IoT.

Some participants say that to fully benefit from the information across different sensors and applications from the Internet of Things, one single identity and one digital identity credential is needed. At the same time they admit that it is too early to talk about it; it will take years or even decades to implement one digital identity.

Two participants mentioned a concept that is not taken into account in the IoT nowadays - the household concept. People usually don’t live on their own, they share devices with their family and kids, and the industry doesn’t address the need of having “family identity”. There should be a “cockpit” in place with all digital identities and the IoT devices, which can be accessed by users with credentials to change permissions, share or remove data.

In the future, houses can have identities as well, by assigning certain attributes to them like size, position and location. If somebody with a smartphone comes to the door of the house, the house can check the attributes on that phone and authenticate the identity of the person, for example a delivery boy. When this is done, the delivery box is opened immediately. In case there is a fire, this home box can detect it and give the fire department access to certain attributes like the number of people living in the house or the floor plan. In that case the house is considered an entity, and the person who lives there has certain rights to those home devices. It is not yet certain if this idea will be implemented in the future.

In the future the possession of a device might become an important factor of online representation. This is the “something you have” factor. The fact of having a phone would be an authentication. It is a concept where “things” can identify a user. Having a smartphone, a laptop and shoes with a GPS tracker means that it will most likely be “me” going to the bank. In that case devices can be attributes used to identify a person. The combination of devices and location-based services will have an increasing impact. GPS coordinates from the phone and laptop showing that a person is often in the office during certain hours can contribute to authentication. If the person goes to the office outside office hours, extra authentication will be needed. Hence the interaction aspect, where a user needs to log in to an application, will decrease in the future. The process will become more implicit and dynamic. When a user enters a shop, the shop will know who it is, what the preferences are and what the buying history is, without the user interacting with any application.
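One way to express the implicit, device-and-location-based decision described above, as an added example that is not part of the original paper. The profile, device names, coordinates, radius and the three outcome labels are assumptions chosen for illustration.

```python
import math
from datetime import datetime

# Constructed profile for one user. Device names, coordinates, hours and the
# radius are assumptions made for this example, not values from the paper.
PROFILE = {
    "known_devices": {"phone", "laptop", "shoe-tracker"},
    "office": (56.1629, 10.2039),  # latitude, longitude
    "office_hours": (8, 18),       # local time, start inclusive, end exclusive
    "radius_km": 0.5,
}


def distance_km(a, b) -> float:
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def decide(device_fixes: dict, when: datetime, profile: dict = PROFILE) -> str:
    """Return 'implicit', 'step_up' or 'explicit' for an access attempt at the office.

    device_fixes maps a device name to the (lat, lon) it last reported.
    """
    # Only enrolled devices that report a position near the office count.
    nearby = {
        name for name, fix in device_fixes.items()
        if name in profile["known_devices"]
        and distance_km(fix, profile["office"]) <= profile["radius_km"]
    }
    start, end = profile["office_hours"]
    usual_time = start <= when.hour < end

    if not nearby:
        return "explicit"  # nothing vouches for the user: full login
    if len(nearby) >= 2 and usual_time:
        return "implicit"  # several devices agree at a usual hour: no prompt
    # A single device could be lost or stolen, and an unusual hour breaks the
    # pattern, so ask for an extra factor in both cases.
    return "step_up"


if __name__ == "__main__":
    at_desk = {"phone": (56.1630, 10.2040), "laptop": (56.1628, 10.2038)}
    print(decide(at_desk, datetime(2015, 12, 14, 10, 0)))  # working hours
    print(decide(at_desk, datetime(2015, 12, 14, 23, 0)))  # late evening
```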

One participant mentioned that the true potential of the IoT can be unlocked when we have the same level of trust online as we do in the physical world. In the physical world, if a customer goes into a local shop, the shop owner probably knows him, and if he forgot his wallet, he can promise that he will bring the money in an hour and they believe him. This is trust. This level of trust needs to be achieved online, without losing privacy.

Conclusion: Identity is a crucial concept for the Internet of Things. Devices need an identity for registration purposes, to communicate and exchange information.


5. Conclusions

Through this research the topic of digital identity and the Internet of Things has been explored. The first goal was to investigate the relationship between digital identity and Internet of Things. The second goal was to determine how the Internet of Things and authentication methods of digital identity could evolve in the future. This topic has been explored with the use of a literature review, along with qualitative research which consisted of semi-structured interviews with leading experts in identity management and in the Internet of Things industry.

There are four main conclusions drawn from the research:

1. Digital identity credentials are outdated and new ways of authentication are needed.

Based on the literature review and the interviews the conclusion is that username/password combinations are an outdated method of authentication. With a multitude of services and devices connected to the IoT, it is neither secure nor user-friendly to use username/password combinations. New ways of user-authentication should be developed. According to literature review and interviews the evolution of authentication of digital identity will shift to biometrics and attribute-based authentication.

2. Method of authentication of digital identity can have an influence on adoption of the Internet of Things.

Traditional methods of authentication like username/password combinations are not scalable for use with the IoT devices. A user will be more cautious with buying and using another device or sensor that requires a new username/password combination. If a method of authentication changes, it would be easier to convince a potential buyer to use an IoT device. Biometric authentication is more user-friendly. The attribute-based authentication on the other hand, puts users in control of data and therefore is more privacy friendly. Users that are not eager to use the IoT devices because of privacy doubts and issues, will be more likely to use it.

3. Privacy and security in the Internet of Things is a serious concern.

Conclusion from both the literature review and interviews is that security and privacy of the IoT is a big concern for companies and customers. The number of the IoT devices is growing and therefore the number of hacks or data breaches will increase. The industry needs to find a solution to tackle the problem of both data security and data privacy. Strong authentication can help with securing systems - it will be more difficult for a hacker to get access to it. Attribute-based authentication on the other hand can solve the problem with privacy. Since the user is in control of the data, only he or she can indicate who can have access to it.

5.1. Discussion

Based on my thoughts, predictions for the future of the IoT and digital identity authentication can be made.

In the future, there will be more devices connected to the Internet of Things. IoT devices have the ability to aggregate data, which leads to data analysis, with improvements for example around energy usage, better role planning, and better health care provision. Good use cases will accelerate the growth of the Internet of Things. People are more likely to use IoT devices if they see benefits, for example when saving time. Using connected devices for day-to-day activities saves time and leaves more of it to enjoy hobbies. If a fridge, connected to the IoT, orders food, a user will spend time in more pleasant ways than shopping. User convenience is the most important factor of the Internet of Things. Customers are willing to give up their sense of privacy if enough user convenience is given in return. User convenience is inseparable from the authentication methods that are used to provide access to resources. Username/password combinations are difficult to manage and remember for a multitude of devices. Therefore a majority of the responders indicated biometrics and attribute-based authentication as the direction in which authentication of digital identity will evolve. The interviews show that a distinction between customers’ priorities can be made. Two groups of customers can be distinguished:

1. First group is concerned about the privacy of data and wants to be in control of it.

2. The other group thinks that user-convenience is more important, which means that easier authentication methods would convince them to use IoT devices.

Based on the assumptions above, an authentication matrix can be created. Figure 8 shows the predictions on how authentication of digital identity will evolve in the future.

Figure 8: The evolution of digital identity authentication


Scenario 1: Biometrics + Attribute based authentication

The industry evolves into using a combination of biometrics and attribute-based authentication. Those methods make authentication more user-friendly, as there is no need to remember different username/password combinations for each login, to each device. Privacy is also respected because the user is in control of the data. During authentication, attributes (pieces of information about a user) are shared instead of entire identities. This prevents social media websites, corporations and big brands from collecting data, profiling users and misusing that data.

Scenario 2: Biometrics

In the course of the evolution into biometric and attribute-based authentication, big brands and corporations might oppose the use of attribute-based authentication. Attribute-based authentication puts the user in control of data, which means that corporations won’t be able to gather and sell it. A multitude of companies track user behavior online, such as visited websites and shopping patterns. They use this data either to target marketing campaigns towards a potential client or to sell it. Since data collection won’t be possible with attribute-based authentication, this method is a threat to companies whose business model is selling personal data. Therefore corporations might block the development of attribute-based authentication and support only biometric authentication. Biometrics will continue to be developed and adopted. More advanced biometric authentication methods will be proposed, such as retinal scan or vein recognition. Due to its user-friendly approach, customers will be satisfied.

Scenario 3: Attribute based authentication

During the evolution into biometric and attribute-based authentication a security incident might occur. This can for example include extraction of biometric information from a database, or impersonating biometrics, which would lead to stealing an identity. Biometrics as the “something that you are” factor of authentication cannot be changed or replaced in case the fingerprint or any other biometric trait is stolen. If a security incident happens, people might lose trust and stop using biometrics for authentication, because of the high risk involved. Instead, people will continue using attribute-based authentication. With this type of authentication, users will be in control of their data.

Scenario 4: Unpredictable incident

One more option can get in the way of implementing biometric and attribute-based authentication. Technology is moving fast and new solutions are being developed rapidly. New kinds of incidents might appear in the future that cause both biometrics and attribute-based authentication to be discarded. Both types of authentication could become superfluous, and this could lead to a situation where the industry would have to come up with an entirely new concept of authentication. However, it is difficult to predict what it might be.

5.1.1. Impact on the Internet of Things

Scenario 1: Biometrics + Attribute-based authentication

The evolution of authentication methods of digital identity in the direction of biometric and attribute-based authentication can increase the adoption of the Internet of Things. As a result of seamless and user-friendly authentication, customers are more likely to buy and use more IoT devices. Since the burden of remembering multiple digital identity credentials is gone, users will be more eager to use new IoT applications, services and devices. Privacy is respected and users have control over their personal data; therefore people deeply attached to their privacy will be less worried and will presumably use IoT devices more often in everyday situations. These factors will influence the Internet of Things and speed up its adoption.

Scenario 2: Biometrics

This situation implies that people who are concerned about privacy and want to be in control might refuse to buy and use more IoT devices. At the same time, users who are seeking user-friendly authentication methods will be satisfied with biometrics. In that case the adoption of the Internet of Things will grow, however not as fast as in Scenario 1.

Scenario 3: Attribute-based authentication

Customers who are attached to their privacy will be satisfied with attribute-based authentication methods. This method puts users in control of their data and is therefore privacy-friendly. In this case, the adoption of the Internet of Things will grow as much as in Scenario 2.

Scenario 4: Unpredictable incident

The influence of that situation on the Internet of Things is unknown.


Authentication methods have an influence on the adoption of the Internet of Things. The relationship between the ease of authentication and the adoption of the IoT is shown in the graph (Figure 9).

If the authentication methods are user-friendly, more people will be interested in purchasing and using IoT devices. It will be easier to get access to data and interact with devices. Username/password authentication is not scalable to the number of IoT devices that every user will have. If biometrics and attribute-based authentication replace the traditional method of authentication, the adoption of Internet of Things devices will speed up.

Figure 9: The relationship between the IoT and authentication methods

5.2. Limitations

Although the research was carefully prepared, it has its limitations and shortcomings. The study was conducted on a small population, which included 22 interviews. To generalize the results, the research should have involved more participants. For instance, a quantitative survey on a larger population could have been performed. The research looked only at European digital identity and IoT companies. It cannot be assumed that the entire industry will behave as the European one does. Also, the interviews were conducted with different stakeholders, which might result in a CEO giving a different point of view than a sales representative. Finally, not all the companies from the digital identity and Internet of Things sectors in Europe were interviewed.

5.3. Further research

The current research could be extended to other continents to prove the sustained validity of the predictions outside Europe, the one continent investigated here. Future research could concentrate on machine-to-machine authentication for the Internet of Things, as it was out of scope of this paper. Deeper investigation and testing of frameworks that could be used for the Internet of Things in the future (UMA, IRM, and FIDO) could also be done. Security and privacy issues of the IoT are also a very broad topic, which could be further investigated.


Glossary

Identity: The fact of being who a person is or what a thing is. The sum of attributes such as birthplace, birthday, social security number, etc.

Digital identity: The online representation of a real-world identity.

Digital identity credential: Username and password combination used to authenticate a digital identity.

Authentication: The process of determining whether someone or something is, in fact, who or what it is declared to be.

Authentication method: A method used for authentication, e.g. username and password.

Internet of Things: A network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.

Attribute-based authentication: Authentication based on exchanging attributes.

Biometric authentication: A type of system that relies on the unique biological characteristics of individuals to verify identity for secure access to electronic systems.

Semi-structured interview: An interview conducted with a fairly open framework, which allows for focused, conversational, two-way communication.
