Blockchain and Access Control for Internet of Things: Comparison
Please note this is a comparison between Version 1 by Md. Alamin Talukder and Version 2 by Fanny Huang.

The Internet of Things (IoT) has recently attracted much interest from researchers due to its diverse IoT applications. However, IoT systems encounter additional security and privacy threats. Developing an efficient IoT system is challenging because of its sophisticated network topology. Effective access control is required to ensure user privacy in the Internet of Things. Traditional access control methods are inappropriate for IoT systems because most conventional access control approaches are designed for centralized systems. 

  • Internet of Things
  • access control
  • blockchain
  • smart contract

1. Introduction

The Internet of Things (IoT) effortlessly gathers and shares data from diverse embedded devices, sensors, and actuators. This inherent capability positions it as a promising network scenario, promoting efficient data exchange and interconnected functionality [1,2]. According to a recent study, the current count of IoT devices stands at almost 13.15 billion in 2023, with an anticipated increase to over 25.4 billion by 2030. This exponential growth underscores the expanding role and significance of IoT in our interconnected digital landscape [3].
IoT is prevalent in almost every aspect of life, such as healthcare, smart cities, and transportation [4,5]. For instance, by fastening wearables or sensors on patients, doctors can monitor their condition in real time when they are away from the hospital. The Internet of Things can enhance medical care and avoid fatalities in high-risk patients by continuously monitoring specific metrics and sending automatic alerts on their vital signs. IoT offers potential solutions to address urban problems such as pollution, traffic congestion, and energy shortages. IoT applications include the smart home, self-driving cars, smart grid, IoT retail shops, smart parking, smart supply-chain management, environmental monitoring, industrial internet, and e-voting, to name a few [6,7,8]. As the number of IoT applications increases, more critical information, including personal or confidential information, is produced. Even the most current IoT systems cannot guarantee trust and privacy for these data [9].
A rogue device might disrupt the IoT network’s operation and result in disastrous outcomes. The IoT environment is battling problems with heterogeneity, integrity, resource limitations, availability, privacy, and security susceptibility [10]. In addition, authentication and access control are the first lines of protection because they only allow individuals with the necessary rights to access data [11,12]. To guarantee data security and integrity, secure IoT systems require reciprocal permission between IoT devices and other networks [13,14,15]. If not, these systems will be vulnerable to various security issues, such as unauthorized access, data theft, and data modification [16,17,18,19]. Due to the heterogeneous nature and distributed architecture of IoT networks, establishing authentication between diverse IoT devices involves complex and varied rules and regulations. Maintaining this with the aid of third-party authorities presents significant challenges, including issues of trust and potential bottlenecks. Further, several access control mechanisms appear in the state-of-the-art works. For example, the usage control model (UCON), organizational-based access control (OrBAC), capability-based access control (CapBAC), role-based access control (RBAC), and attribute-based access control (ABAC) have been utilized in the literature [20]. Role-based access control (RBAC) refers to managing user access to resources based on their roles [21]. Attribute-based access control (ABAC) is a logical access control paradigm that controls the access between subjects and objects by the properties of entries, operations, and related environments [22]. In conventional security systems, these access control mechanisms are implemented using centralized architectures, which are susceptible to single-point failures, scalability challenges, lower reliability, and reduced throughput. 
To address this issue, researchers have recently turned to blockchain technologies, which have only recently emerged, to provide a solution that improves scalability, privacy, security, validity, and reliability. Blockchain is a decentralized platform where every transaction is carried out without a central authority [23,24].
Patil et al. proposed a framework of access control using blockchain technology [25]. Further, Nayabe et al. [26] proposed a blockchain-based authentication mechanism for establishing secure communication between cars and shortening the time required for message transmission and verification. Similarly, in [27], Bera et al. suggested a decentralized access control system for the IoT environment, which allows mutual authentication between two surrounding drones and their corresponding ground station servers.
IoT systems require operation in a distributed fashion, with minimal delay to facilitate device interactions and deliver crucial services. Consequently, distributed security measures are essential to ensure the protection of these systems. Traditional security mechanisms, like authentication procedures, often fall short due to the centralized and non-scalable nature of IoT systems. For instance, an airborne drone transmitting time-sensitive data may need rapid authentication with multiple command stations in a distributed environment [28]. Most existing solutions fall short in addressing the emerging challenges in IoT. Many fail to fulfill key IoT attributes like usability, scalability, interoperability, security, and automation. To address these significant issues effectively, novel security and access control strategies in distributed frameworks are required. 

2. Blockchain and Access Control for Internet of Things

The various blockchain-based authentication and access control options for IoT are summarized below.
Ouaddah et al. [29] presented a token-based access control paradigm called “FairAccess”, which manages access policy efficiently and restricts policy reuse by deploying smart contracts. The authors employed public and private tokens to indicate user access rights, which may be transferred between peers. The token recipient must unlock the lock scripts to prove the token ownership. Though it is a brilliant concept to lock scripts for access control, the processing capacity of the locking scripts is rather limited.
Xu et al. [30] suggested a blockchain federated IoT access control system based on federal capacity. The architecture takes two IoT domains into consideration. For each area, the cloud elects the coordinator and transfers the decision-making process to the coordinators, which contributes to the system’s scalability. The coordinator writes and registers blockchain policies. The procedure of verification of access rights is carried out in the IoT device using the local chain data synced with the blockchain network. Thus, certain IoT devices incur the cost of retaining local chain data, reducing the system’s usability. Additionally, the compatibility of IoT devices and blockchain technology is not examined when it comes to synchronizing local chain data.
Hammi et al. [31] examined the blockchain concept’s feasibility for solving different security challenges in IoT. The paper proposes a blockchain-based authentication system. It enables decentralized authentication for IoT technology. The primary disadvantage of the suggested approach is that devices from one system cannot connect with devices from another system. As a result, it is inapplicable to a variety of dispersed IoT applications where communication between IoT devices belonging to various systems is crucial.
Han Liu et al. [32] designed and implemented an access control system named fabric IoT based on Hyperledger Fabric. In the proposed scheme, there were three smart contracts, namely the policy contract (PC), device contract (DC), and access contract (AC). The authors implemented ABAC policy management and ensured the access security of the device resources by implementing the smart contract application. This system utilizes a distributed architecture to manage the physical network’s access control in a fine-grained and dynamic manner. However, the reliability and performance of the system are limited.
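The RBAC/ABAC definitions in the introduction and the three-contract split described for fabric IoT (policy contract, device contract, access contract) are easier to reason about in working code. The following is an added illustration written for this page, not code from Liu et al. or from Hyperledger Fabric: an in-memory dict stands in for the ledger world state, the three Python classes stand in for chaincode, and the policy layout (subject/object/environment attributes plus an allowed hour window) is an assumption. It also shows, as a generalization, that an RBAC role is just one subject attribute inside an ABAC rule, and that every decision is default-deny and appended to a log so it can be audited.

```python
from dataclasses import dataclass, field

# Constructed, in-memory stand-in for the ledger world state. Real Fabric
# chaincode reads and writes state through the chaincode stub; here a dict
# plus an append-only decision log is enough to show the control flow.
@dataclass
class Ledger:
    policies: dict = field(default_factory=dict)   # policy_id -> ABAC rule
    devices: dict = field(default_factory=dict)    # device_id -> object attributes
    log: list = field(default_factory=list)        # every access decision, in order


class PolicyContract:
    """PC: stores ABAC rules. A rule names a resource, the allowed actions,
    and the attribute values required of subject, object and environment."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger

    def add_policy(self, policy_id: str, rule: dict) -> None:
        self.ledger.policies[policy_id] = rule

    def policies_for(self, resource: str) -> list:
        return [r for r in self.ledger.policies.values() if r["resource"] == resource]


class DeviceContract:
    """DC: registers the object-side attributes of each IoT device."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger

    def register(self, device_id: str, attrs: dict) -> None:
        self.ledger.devices[device_id] = attrs

    def get(self, device_id: str):
        return self.ledger.devices.get(device_id)


class AccessContract:
    """AC: evaluates one request against PC and DC, default-deny, and logs it."""

    def __init__(self, pc: PolicyContract, dc: DeviceContract, ledger: Ledger):
        self.pc, self.dc, self.ledger = pc, dc, ledger

    @staticmethod
    def _matches(required: dict, actual: dict) -> bool:
        # every required attribute must be present with exactly that value
        return all(actual.get(k) == v for k, v in required.items())

    def check(self, subject: dict, device_id: str, action: str, env: dict) -> bool:
        device = self.dc.get(device_id)
        decision = False
        if device is not None:
            for rule in self.pc.policies_for(device["resource"]):
                lo, hi = rule["env"]["hours"]          # permitted hour window (assumed layout)
                if (action in rule["actions"]
                        and self._matches(rule["subject"], subject)
                        and self._matches(rule["object"], device)
                        and lo <= env.get("hour", -1) < hi):
                    decision = True
                    break
        self.ledger.log.append((subject.get("id"), device_id, action, decision))
        return decision


def demo() -> list:
    """Constructed scenario: a cardiology doctor reading a ward wearable."""
    ledger = Ledger()
    pc, dc = PolicyContract(ledger), DeviceContract(ledger)
    ac = AccessContract(pc, dc, ledger)

    dc.register("wear-17", {"type": "wearable", "resource": "ward3/vitals"})
    # An RBAC-style role is simply one subject attribute among others in ABAC.
    pc.add_policy("p1", {
        "resource": "ward3/vitals",
        "actions": {"read"},
        "subject": {"role": "doctor", "dept": "cardiology"},
        "object": {"type": "wearable"},
        "env": {"hours": (8, 18)},
    })

    doctor = {"id": "u42", "role": "doctor", "dept": "cardiology"}
    other = {"id": "u77", "role": "doctor", "dept": "oncology"}
    return [
        ac.check(doctor, "wear-17", "read", {"hour": 10}),      # allowed
        ac.check(doctor, "wear-17", "read", {"hour": 22}),      # outside the hour window
        ac.check(doctor, "wear-17", "write", {"hour": 10}),     # action not granted
        ac.check(other, "wear-17", "read", {"hour": 10}),       # wrong department
        ac.check(doctor, "no-such-dev", "read", {"hour": 10}),  # unregistered device
    ]
```

Because `AccessContract.check` consults the device registry before any policy, an unregistered device can never match a rule, and because every branch falls through to `decision = False`, a missing attribute or an unknown action denies rather than grants.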
Using blockchain technology, Sivaselvan et al. [33] built an IoT access control system that uses capability-based authentication. A capability token is a digital representation of the access privileges granted to the device that holds it. The suggested architecture employs smart contracts to execute all actions, contributing to its scalability. However, no blockchain technology is included in IoT devices for authentication or access control. The essential connectivity between IoT devices and the blockchain network is achieved via interfaces that convert CoAP messages to blockchain-compatible JSON-RPC messages and vice versa.
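Both FairAccess and the scheme above hinge on a token that encodes the holder's access rights and is checked at the boundary between the IoT device and the ledger. The block below is an added example for this page, not code from either paper: it mints and verifies a capability token bound to a device, a resource, a set of actions and an expiry, and shows the kind of CoAP-to-JSON-RPC translation the interface performs. The shared-secret HMAC and the `checkAccess` JSON-RPC method name are assumptions standing in for the smart-contract validation the papers describe; the CoAP method-to-action mapping is likewise assumed. Verification is deliberately default-deny: integrity is checked before anything in the payload is trusted, then revocation, expiry, holder binding and finally the requested action.

```python
import hashlib
import hmac
import json

# Constructed demo key. In the schemes the page describes, token validity is
# enforced by smart-contract logic; here a shared-secret MAC stands in for it.
ISSUER_KEY = b"constructed-demo-issuer-key"


def issue_token(key: bytes, device_id: str, resource: str, rights, ttl_s: int, now: int) -> str:
    """Mint a capability token: who holds it, what it covers, which actions, until when."""
    jti = hashlib.sha256(f"{device_id}|{resource}|{now}".encode()).hexdigest()[:16]
    payload = {"sub": device_id, "res": resource, "rights": sorted(rights),
               "exp": now + ttl_s, "jti": jti}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def token_id(token: str) -> str:
    """Return the token's revocation handle (jti) without verifying it."""
    return json.loads(token.rpartition(".")[0])["jti"]


def verify_token(key: bytes, token: str, device_id: str, resource: str,
                 action: str, now: int, revoked=frozenset()) -> bool:
    """Default-deny check: integrity first, then revocation, expiry, binding, rights."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                      # forged or tampered payload
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    if payload.get("jti") in revoked:
        return False                      # explicitly revoked
    if payload.get("exp", 0) <= now:
        return False                      # expired
    if payload.get("sub") != device_id or payload.get("res") != resource:
        return False                      # wrong holder or wrong resource
    return action in payload.get("rights", [])


# CoAP request codes mapped to the action names used inside tokens (assumption).
COAP_METHOD_TO_ACTION = {"GET": "read", "PUT": "write", "POST": "write", "DELETE": "delete"}


def coap_to_jsonrpc(method: str, uri_path: str, device_id: str, token: str, req_id: int) -> dict:
    """Shape a CoAP request as a JSON-RPC call to a hypothetical checkAccess method."""
    action = COAP_METHOD_TO_ACTION.get(method.upper())
    if action is None:
        raise ValueError(f"unsupported CoAP method {method}")
    return {"jsonrpc": "2.0", "id": req_id, "method": "checkAccess",
            "params": {"device": device_id, "resource": uri_path,
                       "action": action, "token": token}}


def gateway_decide(key: bytes, rpc: dict, now: int, revoked=frozenset()) -> bool:
    """What the interface does with the JSON-RPC params: verify the token for that request."""
    p = rpc["params"]
    return verify_token(key, p["token"], p["device"], p["resource"], p["action"], now, revoked)
```

A practical point the page's critique of FairAccess touches on: all the policy logic here lives in `verify_token`, so what the token can express is bounded by what the verifier is willing to interpret. Adding a new kind of constraint (a time window, a rate limit) means changing the verifier, not just the token.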
Khalid et al. [34] developed a decentralized authentication system for Internet of Things (IoT) devices that is suitable for a wide variety of scenarios. The mechanism is built on fog computing technology and the concept of a public blockchain. In general, the fog nodes belong to different people and may not be made by the same company, which makes it less safe. The elliptic curve digital signature algorithm (ECDSA) is utilized in this approach to generate public and private keys for devices and fog nodes. The issue identified in this work is that PoW consumes a lot of energy to validate each block.
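The energy objection to PoW raised above comes from the asymmetry between finding a block and checking it. The block below is an added illustration for this page, not Khalid et al.'s implementation: it uses a Bitcoin-style double SHA-256 over a header and nonce with a leading-zero-bit target (an assumed, simplified form of the real difficulty target). `mine` shows the brute-force search, `verify` shows that validation costs a single hash, and `expected_attempts` makes the exponential cost explicit, since each extra difficulty bit doubles the expected number of hashes per block.

```python
import hashlib
import struct


def block_digest(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 over header || nonce (32-bit little-endian), Bitcoin-style."""
    return hashlib.sha256(hashlib.sha256(header + struct.pack("<I", nonce)).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest has at least difficulty_bits leading zero bits."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def mine(header: bytes, difficulty_bits: int, max_attempts: int = 1 << 24):
    """Brute-force search: return (nonce, attempts) for the first nonce that meets the target."""
    for nonce in range(max_attempts):
        if meets_target(block_digest(header, nonce), difficulty_bits):
            return nonce, nonce + 1
    raise RuntimeError("no nonce found within max_attempts")


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Validation is one hash, however many attempts mining took."""
    return meets_target(block_digest(header, nonce), difficulty_bits)


def expected_attempts(difficulty_bits: int) -> int:
    """Expected hashes per block: the search is geometric with success probability 2^-bits."""
    return 1 << difficulty_bits


if __name__ == "__main__":
    header = b"constructed-demo-header"   # constructed sample input
    for bits in (8, 12, 16):
        nonce, attempts = mine(header, bits)
        print(f"{bits} bits: nonce={nonce} attempts={attempts} "
              f"expected~{expected_attempts(bits)} valid={verify(header, nonce, bits)}")
```

Running the script with increasing `bits` shows attempt counts that track `expected_attempts` on average while `verify` stays constant-time; that gap is the energy cost the paragraph refers to, and it is paid by every block regardless of how few IoT transactions it carries.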
Weizheng Wang et al. [35] introduced a smart contract token-based solution for decentralized access control in the Industrial Internet of Things (IIoT). While highlighting the use of the nth-degree truncated polynomial ring units (NTRU) for post-quantum encryption and a prototype platform for performance evaluation, certain limitations emerge. The paper lacks in-depth discussions on the token mechanism, security evaluation metrics, scalability considerations, and a clear distinction between the prototype and real-world implementations. Additionally, a more thorough comparative analysis with existing solutions is needed to comprehensively assess the proposed scheme’s strengths and weaknesses in the context of IIoT access control.
Feifei Guo et al. [36] have proposed a domain attribute-based access control (DABAC) approach to address access control challenges in dynamic IoT environments. The proposed solution relies on an intelligent gateway for regional device management, which may introduce a single point of failure and potential scalability concerns. Additionally, the implementation on the Ethereum platform, while illustrating feasibility in a simulated smart medical scenario, raises questions about real-world scalability, transaction speed, and resource consumption. The effectiveness of DABAC in mitigating threats is asserted but requires substantiation through a more comprehensive analysis of potential drawbacks and comparative assessments with existing solutions.
An Internet of Things (IoT) access management strategy based on smart contracts was proposed by O. Novo in [37]. It makes no attempt to integrate blockchain technology with IoT devices. Instead, the necessary interactions between IoT devices and the blockchain are formed through management hubs, which serve as middlemen between the two technologies. The interface makes use of the Web3 JavaScript API to connect with the Ethereum nodes using RPC calls, as well as a CoAP library named node-coap to connect with the IoT devices. The scheme’s usability, scalability, and interoperability are all strong characteristics. The security features, on the other hand, are restricted: there is no way to verify the legitimacy of the management hubs.
Xuanmei et al. [38] have presented a lightweight decryption-based access control mechanism based on fabric blockchain technologies. The authors have shown how to use fabric blockchain technologies to keep one’s information secure. The blockchain’s security mechanisms ensure that outsourcing decryption works successfully without requiring additional computation. However, they could not provide dynamic attribute management or automated smart contract features.
From the above related works, researchers can conclude that present state-of-the-art access control methods do not adequately address essential IoT attributes, including usability, scalability, interoperability, security, and automation. These criteria have been widely acknowledged in the literature as key factors contributing to the success of IoT solutions. Specifically, usability ensures a user-friendly experience, security addresses the protection of data and devices, scalability focuses on accommodating growth seamlessly, integrity ensures data reliability and accuracy, and automation emphasizes the efficiency of operations. 