International Journal of Information Security, vol.22, no.2, pp.479-495, 2023 (SCI-Expanded)
© 2022, The Author(s), under exclusive licence to Springer-Verlag GmbH, DE.Smart home technologies constantly bring significant convenience to our daily lives. Unfortunately, increased security risks accompany this convenience. There can be severe consequences when unauthorized or malicious users gain access to smart home devices. Therefore, dependable and comprehensive access control models are needed to address the security concerns. To this end, the attribute-based access control (ABAC) model is usually considered the most satisfactory access control model for running IoT applications. However, the uncertainty left with the authentication stage should be carried to the authorization policy specification. In this work, we extend the ABAC model by carrying the assurance level of user authentication obtained from biometric authentication systems for authorization. The extended ABAC model quantifies how far the authentication matching score is from the predefined threshold. This quantification serves as a regular attribute like others to define authorization policies. The novelty in this quantification is that it consults false matching rate and hence can easily normalize across wide range of biometric authentication devices and algorithms. As a result, the resulting access control policies are concise and easy to comprehend. Moreover, our model is fine-grained in that different access policies can be specified for each smart device functionality. This work also shows, through case studies, that the extended ABAC model is feasible and implementable in XACML language.