# A lightweight zero-trust authentication architecture for IoT via unified enhanced FAST-SM9 and dynamic re-authentication

**Authors:** Zhanfei Ma, Hui Wei, Jing Jiang, Bisheng Wang, Hefei Wang, Zhong Di

PMC · DOI: 10.1371/journal.pone.0332943 · 2025-10-27

## TL;DR

This paper proposes a lightweight zero-trust authentication framework for Cloud-Edge-End IoT deployments. It pairs an enhanced FAST-SM9 protocol, which merges authentication and signature to cut communication rounds, with context-aware, time-windowed dynamic re-authentication and multi-factor, time-sensitive identity tokens, and reports lower latency and energy use than PKI-based edge authentication together with an AVISPA formal check.

## Contribution

A lightweight zero-trust authentication framework combining enhanced FAST-SM9 and dynamic re-authentication for IoT.

## Key findings

- Compared to traditional PKI edge authentication, the proposed framework reduces communication rounds by 40% and latency by 56.6%.
- It achieves energy savings of 63% against the same PKI baseline.
- Formal verification with AVISPA confirms the protocol's security claims; separate scalability testing supports its applicability in IoT environments.

## Abstract

Authentication is a crucial challenge for Internet of Things (IoT) security, especially in open, distributed and resource-constrained environments. Current methods have significant shortcomings in efficiency, adaptability, and their ability to cope with complicated security threats. Therefore, this paper proposes a lightweight authentication framework for Cloud-Edge-End systems, which integrates the enhanced Fast Authentication and Signature Trust for SM9 (FAST-SM9) algorithm and a zero-trust Dynamic Re-authentication (zero-trust-DRA) mechanism. First, FAST-SM9 effectively reduces protocol overhead while ensuring security by tightly integrating the authentication and signature processes. Its architectural optimization reduces the number of communication rounds by 40% and simplifies trust negotiation between heterogeneous layers without affecting the integrity of the encryption mechanisms. To enhance runtime protection, the designed zero-trust-DRA mechanism also introduces context-aware, time-windowed re-authentication techniques to efficiently defend against risks such as session hijacking and credential leakage. In addition, the Dynamic Identity Token Generation Mechanism (DITGM) enhances the security and flexibility of the system by incorporating multi-factor attributes such as fingerprints and OTP seeds into time-sensitive tokens. Experimental results show that this scheme reduces latency by 56.6% and energy consumption by 63% compared to traditional PKI edge authentication methods, and effectively resists related attacks. Formal verification with the AVISPA tool further confirms its security. Scalability testing also demonstrates its applicability to IoT. This provides a feasible path toward efficient and secure identity authentication in distributed systems and helps advance the development of zero-trust security systems.
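To make the time-windowed, context-bound token idea concrete, the following Python sketch is an added illustration and is not the paper's DITGM or FAST-SM9 construction. It substitutes HMAC-SHA256 for the SM9 identity-based signature, and the device fingerprint, OTP seed, 300-second window, and context fields are constructed assumptions chosen only to show why a token captured in one window or one network context is useless in another.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical re-authentication window; the paper gives no fixed value.
WINDOW_SECONDS = 300


@dataclass(frozen=True)
class DeviceContext:
    """Constructed context attributes bound into the token."""
    device_id: str
    fingerprint: str   # stable device fingerprint (e.g. hash of hardware attributes)
    network: str       # edge gateway the device is currently attached to


def window_index(now: float, window: int = WINDOW_SECONDS) -> int:
    """Map a timestamp to its time-window counter."""
    return int(now // window)


def derive_token(shared_secret: bytes, otp_seed: bytes, ctx: DeviceContext,
                 now: float, window: int = WINDOW_SECONDS) -> str:
    """Time-sensitive, multi-factor token: key depends on OTP seed and window,
    message depends on the device context. Stand-in for an SM9-style token."""
    idx = window_index(now, window)
    # Per-window key: mixes the long-term secret, the OTP seed and the window counter.
    window_key = hmac.new(shared_secret, otp_seed + idx.to_bytes(8, "big"),
                          hashlib.sha256).digest()
    # Canonical encoding so both sides hash identical bytes.
    msg = json.dumps({"dev": ctx.device_id, "fp": ctx.fingerprint,
                      "net": ctx.network, "w": idx}, sort_keys=True).encode()
    return hmac.new(window_key, msg, hashlib.sha256).hexdigest()


def verify_token(token: str, shared_secret: bytes, otp_seed: bytes,
                 ctx: DeviceContext, now: float, window: int = WINDOW_SECONDS,
                 skew_windows: int = 1) -> bool:
    """Accept the current window and up to skew_windows earlier ones for clock drift.
    A token replayed later, or from a different context, fails."""
    for back in range(skew_windows + 1):
        expected = derive_token(shared_secret, otp_seed, ctx,
                                now - back * window, window)
        if hmac.compare_digest(expected, token):
            return True
    return False


def needs_reauth(session_ctx: DeviceContext, current_ctx: DeviceContext,
                 issued_at: float, now: float, window: int = WINDOW_SECONDS):
    """Zero-trust style decision: re-authenticate when the window has rolled over
    or the observed context no longer matches the one the session was issued for."""
    if window_index(now, window) != window_index(issued_at, window):
        return True, "time window expired"
    if session_ctx != current_ctx:
        return True, "context changed"
    return False, "session still valid"


if __name__ == "__main__":
    # Constructed sample values, not from the paper.
    secret = b"constructed-shared-secret"
    seed = b"constructed-otp-seed"
    ctx = DeviceContext("sensor-17", "fp-abc", "edge-gw-3")
    t0 = 1_700_000_000.0
    tok = derive_token(secret, seed, ctx, t0)
    print("fresh token valid:", verify_token(tok, secret, seed, ctx, t0))
    moved = DeviceContext("sensor-17", "fp-abc", "edge-gw-9")
    print("same token from other gateway:", verify_token(tok, secret, seed, moved, t0))
    print("two windows later:", verify_token(tok, secret, seed, ctx, t0 + 2 * WINDOW_SECONDS + 1))
    print("re-auth decision after move:", needs_reauth(ctx, moved, t0, t0 + 30))
```

The two checks mirror the abstract's threat model: a hijacked token does not transfer to a different gateway because the network context is part of the MAC input, and a leaked token expires with its window rather than living until an explicit revocation. The skew allowance is the usual trade-off between clock drift on constrained devices and the length of the replay exposure.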

## Figures

50 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12558534/full.md

---
Source: https://tomesphere.com/paper/PMC12558534