Systematic Review of Authentication and Authorization Advancements for the Internet of Things

Technologies for the Internet of Things (IoT) are maturing, yet no common standards dictate their direction, leaving space for a plethora of research directions and opportunities. Among the most important IoT topics is security. When we design a robust system, it is important to know the available options for facing common tasks related to access control, authentication, and authorization. In this review, we systematically analyze 1622 peer-reviewed publications from October 2017 to December 2020 to find the taxonomy of security solutions. In addition, we assess and categorize current practices related to IoT security solutions, commonly involved technologies, and standards applied in recent research. This manuscript provides a practical road map to recent research, guiding the reader and providing an overview of recent research efforts.


Background
Internet of Things (IoT) is an environment in which numerous heterogeneous and small devices interact and cooperate. However, the large number of cooperating devices raises numerous problems such as: • With which participants can data be shared? • Which participants can be interacted with? • What is the best way to authenticate participants? • What is the best way to detect a malicious node? • What is the best way to introduce a new device into the network? • What is the best way to retire the device, and when should this be done?
Devices in a network have different software versions, operating systems, and manufacturers and are often owned by different users. For this reason, IoT has become more complicated due to the heterogeneity of the nodes.
Building IoT based on the Internet makes it intrinsically inherent to the security problems from the Internet. In the initial stage of IoT development, security is typically not a significant concern to the users or stakeholders [1]. Security in this stage is often ignored [2] as the industry intends to push IoT to be commercialized as soon as possible. Nevertheless, with the rapid development of IoT, security issues have emerged due to the vulnerability of the nodes and the highly distributed and dynamic features of the underlying networks. Therefore, security is one of the most crucial challenges in the IoT system [3,4].

Motivation and Contribution
Numerous efforts have been made in IoT security research. Noor et al. published an IoT security survey [5] from a comprehensive viewpoint. While the study provides a wide range of perspectives for authentication and authorization, the survey is limited to the years 2016 to 2018. Our previous work on this topic includes another extensive survey [6] but is also limited to the years 2012 to 2017. The most recent overview of security challenges and their solutions is provided in [7]; however, it does not provide sufficient detail on authorization and authentication. Similarly, another study considers the detail of information security and privacy perspectives in IoT [8]. Continuous authentication methods are then elaborated in [9] through a survey that provides a great overview of the specialized perspective but not a general overview for authorization and authentication. Another prominent study [10] goes through industrial IoT security issues. An overview of the related studies is summarized in Table 1. These publications provide reasonable detail but are limited by years or focus on selected security perspectives or application areas, leaving gaps regarding the following three questions: (1) What does current IoT authentication and authorization research look like? (2) What are the common properties of IoT application-layer authentication and authorization solutions? (3) How can a general researchers grasp the main trend of this area quickly? Table 1. Overview of related work.

Publication Published Summary
Noor et al. [5] 2019 A comprehensive overview of authentication and authorization research for years between 2016 and 2018. Trnka et al. [6] 2018 Mapping study for authentication and authorization articles from 2012 to 2017. Chanal et al. [8] 2020 Survey providing an overview of architectures, privacy and research challenges, and differences of solutions between domains. Milovlaskaya et al. [7] 2019 Great overview of IoT back-end security issues, general hardware, and application security, along with a summary of IoT security management and security standards. Al-Naji et al. [9] 2020 Focused survey on continuous authentication methods. Tange et al. [10] 2020 Focused survey on industrial IoT security issues.
This work is concerned with currently available IoT security solutions located at the application layer. Our contributions made in this work consist of two parts: • We offer a useful roadmap of analyzed and distilled key information from recent 1622 peer-reviewed articles located at major academic sources. Unlike previous surveys and reviews focusing on the specific theme of IoT security, our work provides a blueprint to the general readers without much relevant background working in this area. • Since the IoT application layer includes application-specific vulnerabilities such as authentication, authorization, identification, data management, and information privacy, we position this systematic review primarily concerning the taxonomy of security solutions, context-aware solutions adopted standards, and the distributed vs. centralized nature of given approaches and specific interactions.
The remainder of this manuscript is structured as follows. The goals of this manuscript are listed in Section 2. The literature identification is explained in Section 3. Resulting publications are categorized in Section 4. Respective research goals are elaborated in Section 5. Threats to validity are discussed in Section 6. Section 7 summarizes achieved goals. Finally, the conclusion of the survey is presented in Section 8.

Indexer Query
General query ("Internet of Things" OR "IoT") AND "Security" AND ("Authentication" OR "Authorization" OR "Identity" OR "Access control") AND NOT ("Network" OR "Hardware" OR "RFID" OR "Protocol" OR "Cryptography" OR "Survey" OR "Study") IEEE Xplore (("Abstract": "Internet of Things" OR "Abstract": "IoT") AND ("Abstract": "Authentication" OR "Abstract": "Authorization" OR documentAbstract: "Identity" OR "Abstract": "Access Control") AND "Index Terms": "Security" AND NOT("Index Terms": "Network" OR documentAbstract: "Hardware" OR "Abstract": "Cryptography" OR "Abstract": "Protocol" OR "Document Title": "Survey" OR "Abstract": "RFID" OR "Document Title": "Study")) ACM DL Abstract: (IoT "Internet of Things") AND Abstract: ("Authentication" OR "Authorization" OR "Identity" OR "Access Control") AND Title: (-study -Survey) AND Abstract: (-Hardware -rfid -Cryptography) AND Keyword: (-Hardware -Physical -Network) WoS SCIE TI = (Internet of Things OR IoT) AND TS = (Authentication OR Authorization OR Identity OR Access Control) NOT TS = (Hardware OR Cryptography OR Protocol OR RFID OR Physical OR Network) NOT TS = (Survey OR Study) AND TS = Security SpringerLink '(Authentication OR Authorization OR Identity OR "Access Control") + title ("Internet of Things" OR IoT)' ScienceDirect ("Internet of Things" OR "IoT") AND ("Authentication" OR "Authorization" OR "Identity" OR "Access control") AND NOT ("Hardware" OR "Cryptography") Table 3. Number of articles processed in the survey. IEEE Xplore  442  90  76  ACM DL  150  43  28  WoS  133  56  16  SpringerLink  491  6  2  ScienceDirect  406  19  10   Total  1622  214  132 To select relevant publications, we established inclusions and exclusion criteria, which we detail below. These criteria are applied to all 1622 results. We proceeded as follows: in the first round of elimination (prefiltering), we considered publication abstract, title, and keyword assessment. When it passed the inclusion and exclusion criteria, we included the publication in the next stage in the next stage. There, we read the full text of the candidate publication and decided whether it was in the scope based on the ability to decode answers for the questions that we raised in this systematic review. The reduction process with relevant publication numbers is detailed in Table 3.

Inclusion and Exclusion Criteria
The inclusion criteria for the publications can be summarized with the following list: • Published between October 2017 and 2020 (both inclusive). • Indexed by either IEEE Xplore, ACM DL, WoS SCIE, SpringerLink, or ScienceDirect. • Relates to authentication, authorization, identity management, or access control for IoT. In particular, we considered whether the publication proposed a solution to considered topics.
To narrow down the scope, we have also formed exclusion criteria that are applied to the included articles: • Not written in English. • Duplicate publication. • Published before October 2017 (considering our previous survey time scope [6]). • Less than four pages. Blockchain is excluded from the result not because it does not fall into the scope but rather because of its high prevalence. There were over one hundred articles focused on blockchain technologies for the IoT. To detail the perspective, our previous survey [6] contained only two blockchain articles. This illustrates the massive increase in blockchainrelated research. Thus, we do not discuss the differences between blockchain technologies in the scope of a general review due to their similarities from a high-level perspective.

Searched and Filtered Results
After the queries were run over all indexing services, we were presented with a set of 1622 publications considering inclusion and exclusion criteria from Section 3.1 . We were then able to eliminate one duplicate publication found by the WoS indexer. Finally, we read the abstract of each article and eliminated any publications that did not fit within the scope of this survey, giving us 214 prefiltered candidates.
Upon completion of the filtering process, we read through the remaining publications, categorized them based on the criteria discussed in this survey, and performed property coding detailed in Section 3.3. During this read-through, we were able to remove more articles that at first looked as though they fit our scope but upon further examination were proven unrelated. The complete statistics of publications found, prefiltered, and included for every indexing site can be seen in Table 3. This shows that the indexer, IEEE Xplore, returned 442 total results originally, 90 articles remained after prefiltering, and 76 articles were declared relevant. ACM DL returned 150 results originally; 43 articles remained after prefiltering, and 28 articles were declared relevant. WoS returned 133 results originally; 56 articles remained after prefiltering, and 16 articles were declared relevant. SpringerLink returned 491 results originally; 6 articles remained after prefiltering, and 2 were declared relevant. Finally, ScienceDirect returned 406 articles originally; 19 articles remained after prefiltering, and 10 were declared relevant. The summation of these indexers showed 1622 articles were originally returned; 214 articles remained after prefiltering, and 132 were declared relevant. The survey process-flow is illustrated in Figure 1.

Property Coding
Each publication that passed through inclusion and exclusion criteria was read fulltext with the intent to extract information relevant to this study. If we could not extract the information, we excluded the publication.
We assessed each publication's metadata (i.e., years, conferences, authors, etc.). In the full text, we targeted the target domain, motivations, and goals to categorize the metadata. We determined whether the particular publication topic applies a specific approach in the application layer if it is a context-aware approach for addressed and architectural properties, such as whether the solution tends to be centralized or decentralized . We assessed whether any specific constraints were assumed for the solution and devices and if a special device (i.e., external one) is needed for the considered approach. We also identified where the schema applied to both user-to-machine and machine-to-machine interactions. We compiled all considered publications into a large roster detailed in the taxonomy section based on this coding scheme.

Taxonomy and Trends
Categorizing the filtered publications into specific groups is one of the main goals of this survey. This categorization is done with three different taxonomy models; they are described in the following subsections: 1.
Years-based Taxonomy.

4.
The three-year perspective trends.

Years Based Taxonomy
This graph projects data in the period of October 2017 till December 2020. Since early 2017, published papers have already been included in the previous survey [6]; the graph starts from October 2017. As represented in Figure 2, the values of the graph show a fair increase in the number of papers regarding this research scope since the last survey we conducted, such that it varies in the range of 30 to 50 papers per year. However, it is noted that the number of papers slightly decreased in 2020, probably because of the appearance of the COVID-19 pandemic that affected most industries and fields then.

of 25
177 ion that passed through inclusion and exclusion criteria was read full-178 to extract information relevant to this study. If we could not extract the 179 cluded the publication. 180 ach publication's metadata (i.e., years, conferences, authors, etc.). In the 181 d to identify the target domain, motivations, and goals to categorize it. 182 ether the particular publication topic applies a specific approach in the 183 f a context-aware approach for addressed and architectural properties, 184 e solution tends to be centralized or decentralized. We assessed whether 185 aints were assumed for the solution and devices and if a special device 186 is needed for the considered approach. We also identified where the 187 both user-to-machine and machine-to-machine interaction. We compiled 188 lications into a large roster detailed in the taxonomy section based on 189 .

Goals-based Taxonomy
Assigning the filtered papers into specific and predefined categories (as detailed in Section 3.3) is one of the main directions of this article. Therefore, four categories are explored to satisfy the research goals and to answer the research questions mentioned in Section 2. Accordingly, the characteristics of papers are fully surveyed to be classified into the following categories:

1.
Context-awareness (yes/no): the ability of a system to gather information about its environment at any given time and adapt behaviors accordingly.

2.
Centralized vs. decentralized network topology (centralized/decentralized/both or N/A): the solution topology could require either centralization, decentralization, or combination between such elements. 3.
Communication model (M2M/U2M/both or N/A): the different communication methods in terms of the machine-to-machine (M2M) or user-to-machine (U2M), which strictly require some user input information. 4.
Existing vs. new method (existing, new, extension): the novelty of the method. It is unusual for solutions to be novel as a whole. It is common to reuse existing technology in novel ways .
These categories are considered common and valuable for most IoT approaches. Therefore, they are individually described in the upcoming sections. One contribution of this survey is the large property coding described in Section 3.3, and it is shared through Tables 4 and 5.

Automation Based Taxonomy
To further broaden our categorization, we utilized automated algorithms. In particular, we used the automated algorithms that produced the most common categories among all of the relevant publications. For this process we used pdftotxt [143] for transforming the PDF documents into plain searchable text. Then, the RAKE [144] algorithm was used for keyword extraction. After that, the extracted keywords were grouped together into 10 major categories. Note that categories are not exclusive in such a process, and one publication can be a member of multiple categories at the same time.
There are interesting observations, such as that Attribute-Based Access Control (ABAC) [145] has become increasingly popular for security. This is due to its higher flexibility and ability to better describe complex rules. Vice-versa, the Role-Based Access Control (RBAC) [146], is slowly losing its popularity. One other interesting observation is that there are very few healthcare applications. In our last survey [6] from 2017, 14% of the papers were concerned about healthcare. In contrast, now it is only 4.4%.

The Three-Year Perspective Trends
Compared to our previous survey [6], we can observe trends. We can constantly see high interest in the authentication (51% before vs. 55% now). The second most populous category now is context, which has a share of 35% versus 23% in 3 years ago. Our perspective shows that IoT security research is moving towards solutions that can capitalize on one of the main IoT advantages (inherent access to context). Services have experienced a slight loss in popularity (37% vs. 32%). The authorization research has dropped significantly from 46% to 25%. However, we attribute that to the fact that we have skipped all research related to blockchain solutions in this study. Moreover, in our experience, blockchain is a promising technology to share security rules, and therefore most of the omitted papers would fall into this category. The cloud category does not exhibit any significant popularity changes (19% vs. 22%). Finally, the ABAC, as mentioned above, is getting more popular, with an increase from 14% to 19%. Roles are still a minor topic. The most surprising category is healthcare. There is a notable drop in healthcare solutions. In 2017, 14% of related publications were concerned about healthcare. In contrast, now it is only 4.4%. What was a notable research topic three years ago was identity management and tokens. However, these were not identified for the current publications.

Details on Goal-Based Taxonomy Perspectives
Goals-based taxonomy is summarized by Tables 4 and 5. We discuss the statistics in the following subsections.

Context-Awareness
Context-awareness in IoT is the ability of a system to gather information about its environment by detecting context entities using various methods, such as collecting data via sensors, smartphones, tablets, wearable devices, smart bands, cameras, microphones, GPS devices, and user input. The collected information can be turned into higher-level knowledge and is useful in various applications. Utilizing this functionality, numerous objects in the environment are monitored, notify the consumer of potentially dangerous situations, provide the ability to communicate with trusted devices, and address eventual accidents. These abilities allow for increased safety, efficiency, and economic benefit for those environments. In this subsection, we first provide the papers that utilize contextual information to achieve security in an IoT environment using authentication and access control techniques, and then we present papers that could meaningfully avail information in various domains and perspectives.
Authenticating a user is paramount when it comes to security. When implemented in conjunction with password-based authentication methods, context-aware authentication systems append an additional security layer. They can replace the conventional authentication methods. For example, in the paper [98], to strengthen authentication security, the author has presented a dynamic authentication model for accessing smart home devices by utilizing traditional credentials with context-aware information. Context-aware authentication is an important characteristic of smart homes. The goal of context-aware authentication systems in smart homes is to provide security services that maximize the user's comfort and safety while minimizing the user's explicit interaction with the environment [46,49,147]. For instance, ref. [35,48,66] utilizes location-based information in authentication framework for smart environment.
The growth of IoT technology presents excellent opportunities but also produces many new challenges related to authentication in IoT devices. Using passwords or pre-defined keys has drawbacks that limit the use of different IoT applications. Thus, authenticating users on password mechanisms is not always feasible. To overcome this issue, some papers focus on different authentication methodologies. For example, one paper implements JSON Web Token (JWT) [148], which is an open standard that uses encoded JSON objects as a payload while transmitting information between two parties [75,119], and Two Microphone Authentication [105], which uses the audio and network channel to authenticate commands. It provides an additional security check against maliciously injected commands.
IoT device authentication is fundamental to ensure the identity of connected devices can be trusted. Alongside authentication, Access Control (AC) provides selective restriction of access to services and data, or for performing a certain operation on a resource, service, or connected object. There are various paradigms of access control mechanisms, which are shifted from fixed desktop to dynamic context-aware environments. Mainstream approaches in access control systems include RBAC [146] and ABAC [145]. For example, to mitigate malicious attacks in IoT environments, the paper [87] uses the Role-Based Reputed Access Control method and achieves device security by tracking the activities of the device based on location. With ABAC, access decisions are made based on attributes (characteristics) about the subject. While RBAC covers broad access [65,111], ABAC can control access on a more detailed level. Several researchers have developed ABAC models that support context-based access control [20,32,104,113,125].
Different types of dynamic context information bring new challenges to access control systems. To improve the classic access control techniques, Alianea and Adda published an extension to the ABAC in the form of the High-Order Attribute-Based Access Control model (HoBAC) [114]. This new model makes it possible to implement IoT AC policies based on hierarchies of entities (objects, subjects, and environment attributes) built using aggregation operations on the attributes of existing entities. Furthermore, ref. [103] presents additional functionality in which the model not only considers system-wide attributesbased security policies but also takes into account the individual user privacy preferences for allowing or denying services. Additionally, utilization of context information can also be performed in Operation-Based Access (grouping is performed on the basis of operations instead of roles) [97], Event-Based Access Control (only authorized device can send data and initiate the events) [13], Capability-Based Access Control (CBAC) [130], and Hybrid Access Control Model [100] (a combination of RBAC, ABAC, and CBAC, employing attributes, roles, and capabilities). Moreover, in order to improve access control mechanisms, contextual information can also be taken into consideration at the time of trust value verification [108,112].
A context-aware system uses heterogeneous data sources to adapt and provide services to the user according to his needs, his localization, or his interaction with the environment. This results in the ubiquitous source of context data in mobile devices that can provide different services in different contexts-where context is strongly related to a device's location . Due to this, most initial research in context-aware computing focused on location-aware systems. For example, context-based information is utilized from the MAC address of devices that support information such as the owner name or location for user authentication [92]. However, context is more than just location. Biometric data as addressed in [22,92,102] are also considered "contextual" by definition. Contextual data help to obtain the background information and can be used to frame what you know in a larger picture. Moreover, the authors of [28] utilized the contextual data using Radio Frequency Identification (RFID) technology.

Distributed vs. Centralized Network Topology
With IoT systems, we typically expect to follow the decentralized nature of solutions. However, authentication and authorization are sometimes designed with centralism in mind. This leads us to two strategies of security solutions: distributed and centralized.
The centralized approach has benefits related to global governance and simplicity. It is easy to control and enforce identical policies across the ecosystem from a single focal point. Moreover, this model allows for migration between non-IoT-based software and that which is IoT-based. However, the drawbacks of this approach include the potential lack of scalability and creating a system bottleneck; this implies potential issues with resilience and a single point of failure. Centralized approaches often consider a component in the middle [95]. This approach seems natural for smart homes [59,77,93,103,130] and cars where the scale does not introduce an issue. However, as apparent from Tables 4 and 5, this is not not always the case [69,98].
In contrast, the distributed approach addresses concerns related to resilience and scalability by not relying on a central node for processing. The distributed solution makes individual nodes more responsible for their logic, which limits coupling. However, this approach adds a layer of complexity to the system's synchronization, maintenance, and auditing. It also introduces a new problem, whether devices can be trusted.
Distributed Secure Multi-Party Computation (SMPC) nodes [120] were used to make policy decisions for authentication of devices. These learn device behavior and limits using a distributed registry and assemble a decentralized decision based on the honesty of a device.
In order to produce a scalable, decentralized public key distribution scheme, [55] called for a decentralized, permissionless Public Key Infrastructure (PKI) running on a blockchain. First, it ensures that the public keys belong to the real device and owner without involving a Trusted Third Party (TTP). Second, it considers an authentication flow to define the process for an entity to grant approval to access a resource.
A History-Based Capability System (HCAP) [129] regulates the order in which permissions are exercised in a distributed authorization environment. HCAP capabilities carry sequencing constraints in the form of security automata. An HCAP works well as a building block suite for centralized policy administration and decentralized policy enforcement.
The rule-attribute-based access control model proposed in [19] targets a distributed environment. It is based on using digitally signed documents or certificates that convey identity, authorization, and attributes.
A data protection framework introduced in [16] has a set of constraints for policy construction. It proposed an access-control framework (policy-based language) to govern the security operation of distributed data in dynamic IoT networks.
In [132], smart meters mutually authenticate each other with a service provider to establish a session key for secret communication.
A security framework for edge-computing [118] has been connected to healthcare systems. It utilizes multi-factor access control and ownership transfer mechanism to create an authentication system. Furthermore, scalability is achieved by employing a distributed approach for clustering techniques that analyze and aggregate voluminous data acquired from heterogeneous devices individually before it transits to the cloud.
Unfortunately, the ability to distinguish a solution between these two categories is not always possible. Some solutions can work with both centralized and distributed environments, causing a blur in the categorization. Due to this, we have split up these categories further by introducing the subcategories: strictly centralized, strictly distributed, both, and not applicable.
Identity management through a centralized server is essential for certain practices due to the added difficulty of securing distributed operations. This added security may be a result of IoT in a specific domain [46], or it might just be derived from the methods or technologies employed [33,109,111,112,134]. The authors of [123] proposed a self-sovereign identity offered by distributed ledger technology to provide a secure, decentralized, and persistent identity for IoT devices. This allows a device identity, along with all its relationships, to be securely managed throughout its entire lifecycle.
However, some proposals decide to take a distributed approach by necessity. ABAC systems [32,33,97,100,103,104,111,114,124,125,140] rely on peer devices for entity attribute confirmation, which also requires a distributed architecture to function.

Communication Model
The communication model can be seen in the perspectives of machine-to-machine (M2M) or user-to-machine (U2M). U2M strictly requires some user input information. IoT interaction may, similar to other distributed systems, consider stimuli from users or other autonomous parts of the system. The subcategories to encompass all articles involve M2M, U2M, and both.
U2M communication centers around user actors. Thus, we need to authenticate users, either in a conventional way or sometimes through unconventional means such as biological information [32,46,66,77,102,104,117] or even forms such as a user's mental state [39].
For M2M communication, there is no restriction that U2M systems possess (user stimuli/intervention); however, the abilities of these systems are often limited to the initial programming of users upon setup. M2M enables devices on the network to exchange information and perform actions without the manual assistance of humans. This fits IoT as the common use case is to tap into sensor data and transmit it to a target system for processing or further escalation of automated actions. There are times when a user wants the responsibility of maintaining the security of an IoT system [66,120,140], and this is where M2M becomes valuable. Among examples, monitoring, supply chain management, and smart homes are all great fits for IoT solutions.
Authentication and authorization for M2M use cases are designed in [79], which specifically discusses one M2M security architecture, OAuth 2.0 framework, and Mobius. A more specific use case can be shown through a video surveillance system [115]. This system enables the active (automatic) monitoring of the controlled areas as it allows for the detection and the pre-alarm of abnormal events in real-time. A Diffie-Hellman-inspired protocol was used to allow two smart cameras to share a secret image. A tunneling framework was provided to protect the M2M communications established between the cameras using their fingerprints as an authentication factor and a secret image they share as a cipher key. A password-based authentication scheme for M2M Networks in [25] was achieved using hash invocations and symmetric key encryption. The scheme is suitable for environmental sensors, which are limited in resources (computation, storage, energy, etc.) Furthermore, a novel security model approach in [65] introduced security-related attributes combined with privilege management infrastructure to overcome known drawbacks in machine-to-machine communication such as poor extensibility, lacking use-case-related authorization schemas, and weak separation between information and authorization model.
There may be instances where either a U2M or M2M model exists in a researched technology. For these instances, a M2M tool can be transformed to work with a U2M model [81], or the tool can exist in both models [33,38,56,74,111].

Existing versus New Methods
Here, we consider the method novelty. It is common to build on existing solutions and extends them, but some researchers propose novel alternatives.
In this taxonomy, current publications on IoT security can roughly be divided into three categories: applying existing methods, extending them to better suit the IoT specifications, and building new methods.
Studies that adapted or applied existing technologies and methods from other security domains to the IoT environment often considered extensions to ABAC and RBAC [32,33,97,100,103,104,111,114,124,125,140]. While RBAC is a method of restricting network access based on the roles of individual users within an enterprise, ABAC is an authentication and authorization model under the identity management umbrella that uses attributes rather than roles to grant users access.
Other interesting technologies in this taxonomy include OAuth 2.0 [81,134] and the Fuzzy logic system [42,109]. OAuth 2.0 is an authorization protocol that is used by online applications to gain access to resources hosted by other online applications. The Fuzzy logic system is an attempt to imitate how people think through computation. This allows reasoning to be considered regarding a problem, as opposed to an approach with basic evaluation. Three works focused on the use of JSON Web Token (JWT) [148] for different authentication techniques [75,119,124]. JWT is similar to regular web tokens, but it contains a set of claims to transmit information between two entities.
Studies that focus on novel ideas make use of very diverse methods to achieve unique results. One proposal [26] introduces the security framework, named SODA, to centralize security policy and service management for IoT environments, acting as an intermediate device that all devices are connected to, which allows all security concerns to be routed through it. Other approaches based on physical authentication discuss the use of brainwaves for authentication by considering the familiarity between users and certain images [39], and two methods use an accelerometer to measure a person's gait and authenticate the user based on this metric [60,76].
Extensions were more common for context-unaware works. There was no significant impact from topologies or communication models.

Domains and Constraints Used in Research of Security Solutions
The publications we assessed considered security solutions in general and specific domains. Tables 4 and 5 indicate the specifics for each publication. Overall, nearly half of the publications considered solutions applicable to any domain, which we classify as general. Among specific domains were mentioned IoT platforms, smart homes, healthcare, fog computing, wearable, surveillance, ATM, smart city, and cars.
Often, the security solutions considered constrained devices or even a specialized or external device such as smartwatches and other wearable technology, which we highlight in Tables 4 and 5 as well. Most approaches did not require special devices. However, a large number required special devices such as biometric sensors, wearables, cameras, security devices, mobile devices/smartphones, and RFID and sensors.

Threats to Validity
It is usual for systematic reviews, mapping studies, and surveys to suffer from several threats to validity that need to be addressed. We have discovered multiple threats to mention. In this context, we discuss the validity threats from the perspective of Wohlin's taxonomy [149]. In particular, four potential threats are considered: construct validity, internal validity, external validity, and conclusions validity.
The construct validity is meant to consider the research questions within the investigated area. Our queries are motivated by a previously performed study, which dated results. The primary terms were combined with secondary terms and exclusion parts to execute this study. All used terms are commonly recognized in the community and domain of this work, and all are suitable to be used as search strings. A possible threat of omitting relevant research from our review was addressed by experimenting with several other search strings identifying related work. Still, this study could miss relevant work, although given threads would be slightly impacted. Moreover, selected major research databases were considered but not all. The analyzed sample only considered peer-reviewed articles published by journals or conferences to ensure the objectivity and reliability of the information sources. It did not include reprints of the papers submitted to or accepted in journals and conferences published by arXiv.org, researchgate.net, or individual personal pages. These reprints might contain novel ideas, methods, and new challenges relevant to the scope of analyzed papers. Furthermore, our article queries were limited to the abstracts of the articles, so we could have missed relevant work with poorly stated abstracts.
Internal validity involves methods to study and analyze data (e.g., the types of bias involved). One potential threat is related to inclusion and exclusion, a process that included metadata, abstracts, and possibly full-text assessments; this could be further affected by our bias when performing the filtering. Multiple authors performed this, with primary authors assigned to a particular indexer and secondary authors to spot-checking. Apart from the filtering process, we performed question coding, leading to improper interpretation of results. We addressed the above by assigning distinct indexers to different researchers, with spot-check validation by others on sample publications. Our goal-based taxonomy is a result of our discussions of interpreted results and represents our view on the identified literature. We also performed automated keyword extraction meant to address potential bias threats.
External validity is related to knowledge generalization. This survey interprets and categorizes works we gathered from established scientific channels, and our observations related to IoT. We could have missed related work; however, we aimed to minimize the impact possibly resulting from the presented trends and their generalization given through the diversity of scientific channels.
The conclusions result from several brainstorming sessions independently settled by all authors. To address the validity of the conclusions, we involved multiple authors in this study, with all of them discussing the outcomes in the context of extracted and synthesized information.

Answers to Research Questions
In this paper, we raised multiple Research Questions (RQ) addressed throughout the previous sections. Next, we provided more concise answers to the RQs with back-references to the particular section content.

RQ1 What is the taxonomy of security solutions?
This question is answered through three taxonomy models of distinctions by publication year, goals, and categorization through extracted keywords in Section 4. In particular, Figure 2 details the publication year taxonomy, with the year 2019 being the most active year. The keyword taxonomy is highlighted in Figure 3, giving the proportions of research focus on authentication, context, services, authorization, cloud, attributes, roles, and health.
RQ2 What topologies, communication types, and perspectives are most dominant in the authentication and authorization IoT research?
We have identified that IoT solutions become more context-aware when considering the perspectives of past and present. There is no conclusion to be made whether centralized or distributed models dominate; both are used with the moderate majority for distributed models as described in Section 5.2. The user-to-machine communication model has a significantly greater scientific interest than machine-to-machine models, although a hybrid model accommodating both is also considered as Section 5.3 stated in detail. The great majority of research works are on established methods.

RQ3
What are the applicability domains and requirements of identified solutions?
We addressed this question through full-text analysis, which resulted in comprehensive answers available in Tables 4 and 5. A summary of the results is shown in Section 5.5.

Conclusions
This systematic review provides a practical overview of recent IoT authentication and authorization advancements. Using a systematic literature review approach, it assessed 1622 peer-reviewed publications to find evidence to provide security solution taxonomy and discuss recent efforts from other related perspectives. The provided details show that common practices and models are applied for authentication and authorization. Contextawareness can be a beneficial companion to aid authentication. While most security solutions are distributed, still a significant proportion are centralized. Research directions are further fragmented by communication from the central perspective to users or devices, for which we provide a practical road map to existing works .

Conflicts of Interest:
The authors declare no conflict of interest. The patrons had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

Abbreviations
The following abbreviations are used in this manuscript: