Authentication and Authorization for Mobile IoT Devices using Bio-features: Recent Advances and Future Trends

Bio-features are fast becoming a key tool to authenticate the IoT devices; in this sense, the purpose of this investigation is to summaries the factors that hinder biometrics models' development and deployment on a large scale, including human physiological (e.g., face, eyes, fingerprints-palm, or electrocardiogram) and behavioral features (e.g., signature, voice, gait, or keystroke). The different machine learning and data mining methods used by authentication and authorization schemes for mobile IoT devices are provided. Threat models and countermeasures used by biometrics-based authentication schemes for mobile IoT devices are also presented. More specifically, We analyze the state of the art of the existing biometric-based authentication schemes for IoT devices. Based on the current taxonomy, We conclude our paper with different types of challenges for future research efforts in biometrics-based authentication schemes for IoT devices.



There are no comments yet.


page 1

page 7


The House That Knows You: User Authentication Based on IoT Data

Home-based Internet of Things (IoT) devices have gained in popularity an...

IoT Security and Authentication schemes Based on Machine Learning: Review

With the latest developments in technology, extra and extra human beings...

BreathRNNet: Breathing Based Authentication on Resource-Constrained IoT Devices using RNNs

Recurrent neural networks (RNNs) have shown promising results in audio a...

Is Your Smartband Smart Enough to Know Who You Are: Towards Continuous Physiological Authentication in The Wild

The use of cloud services that process privacy-sensitive information suc...

Is Your Smartband Smart Enough to Know Who You Are: Continuous Physiological Authentication in The Wild

The use of cloud services that process privacy-sensitive information suc...

Machine Learning Algorithms In User Authentication Schemes

In the past two decades, the number of mobile products being created by ...

A Technical Report for Light-Edge: A Lightweight Authentication Protocol for IoT Devices in an Edge-Cloud Environment

Selected procedures in [1] and additional simulation results are present...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Biometric identification enables end-users to use physical attributes instead of passwords or PINs as a secure method of accessing a system or a database. Biometric technology is based on the concept of replacing ’one thing you have with you’ with ’who you are’, which has been seen as a safer technology to preserve personal information. The possibilities of applying biometric identification are really enormous.

Biometric identification is applied nowadays in sectors where security is a top priority, like airports and could be used as a means to control border crossing at sea, land and air frontier [1]. Especially for the air traffic area, where the number of flights will be increased by 40 % before 2013, the authentication of mobile IoT devices will be achieved when the bio-features models becomes sufficiently mature, efficient and resistant to IoT attacks.

Another area where biometric identification methods are starting to be adopted is electronic IDs. Biometric identification cards such as the Estonian and Belgian national ID cards were used in order to identify and authenticate eligible voters during elections. Moving one step further, Estonia has introduced the Mobile-ID system that allows citizens to conduct Internet voting [2], that combines biometric identification and mobile devices. This system which was quite innovative when it was initialy introduced posses several threats to the electoral procedure and was criticized for being insecure [3].

Fig. 1: Types of communication for IoT devices in edge environments during the authentication and authorization, (a) users accessing IoT devices, (b) users accessing remote servers via IoT devices, (c) biometric-based authentication for IoT devices in a peer-to peer environment
Reference Deployment Scope Focus Biomtetric Area Threat models Countermeasures ML and DM
Gafurov (2007) [4] Not mobile Gait recognition No No No
Revett et al. (2008) [5] Not mobile Mouse dynamics No No No
Yampolskiy and Govindaraju (2008) [6] Not mobile Behavioral-based No No No
Shanmugapriya and Padmavathi (2009) [7] Not mobile Keystroke dynamics No No Yes
Karnan et al. (2011) [8] Not mobile Keystroke dynamics No No Yes
Banerjee and Woodard (2012) [9] Not mobile Keystroke dynamics No No Yes
Teh et al. (2013) [10] Not mobile Keystroke dynamics No No Yes
Bhatt et al. (2013) [11] Not mobile Keystroke dynamics No No Yes
Meng et al. (2015) [12] Mobile device All Yes Yes Partial
Teh et al. (2016) [13] Mobile device Touch dynamics No No Yes
Mahfouz et al. (2017) [14] Smartphone behavioral-based No No Yes
Mahadi et al. (2018) [15] Not mobile behavioral-based No No Yes
Sundararajan and Woodard (2018) [16] Not mobile All No No Yes
Rattani and Derakhshani (2018) [17] Mobile device Face recognition Yes Yes Yes
Our survey Mobile IoT device All Yes Yes Yes

ML and DM: Machine learning (ML) and data mining (DM) algorithms

TABLE I: Related surveys on Biometric Authentication

According to a survey by Javelin Strategy & Research, in 2014, $16 billion was stolen by 12.7 million people who were victims of identity theft, only in the US [18]. This amount is calculated without taking into account the economic problems and psychological oppression that victims of this fraud suffer. From the banking sector and businesses, to access to homes, cars, personal computers and mobile devices, biometric technology offers the highest level of security in terms of privacy and privacy protection and secure access.

Mobile devices are nowadays an essential part of our everyday life, as they are used for a variety of mobile applications. Performing biometric authentication through mobile devices can provide a stronger mechanism for identity verification as the two authentication factors: "something you have" and "something you are" are combined. Several solutions that include multi-biometric and behavioral authentication platforms for telecom carriers, banks and other industries were recently introduced [19].

In the literature, many authentication schemes based on bio-features models for mobile IoT devices have been proposed. As shown in Figure 1, the schemes can perform two different authentication operations: they either (a) authenticate the users to access the mobile devices, or (b) authenticate the users to access remotes servers through mobile devices. The main challenges that are facing biometric-based authentication schemes are: (1) how to design an authentication mechanism that is free from vulnerabilities, which can be exploited by adversaries to make illegal accesses, and (2) how to ensure that the user’s biometric reference templates are not compromised by a hacker at the device-level or the remote server-level.

Our contributions in this work are:

  • We classify the related surveys according to several criteria, including, deployment Scope, focus biometric area, threat models, countermeasures, and ML/DM algorithms.

  • We present the machine learning and data mining methods used by authentication and authorization schemes for mobile IoT devices, including, unsupervised, semi-supervised, and supervised approaches.

  • We present all the Bio-features used by authentication and authorization schemes for mobile IoT devices.

  • We provide a comprehensive analysis and qualitative comparison of the existing authentication and authorization schemes for mobile IoT devices.

  • We emphasize the challenges and open issues of authentication and authorization schemes for mobile IoT devices.

The rest of this paper is organized as follows. Section II gives the related surveys on biometric authentication. In Section III, we present the different machine learning and data mining algorithms used by authentication and authorization schemes for mobile IoT devices. In Section IV, we provide the new trends of biometric technologies including human physiological (e.g., face, eyes, fingerprints-palm, and electrocardiogram) and behavioral (e.g., signature, voice, gait, or keystroke). In Section V, we clearly highlight the pros and cons of the existing authentication and authorization schemes for mobile IoT devices. Then, we discuss the challenges and suggest future research directions in both Section VI and VI. Lastly, Section VIII presents conclusions.

Ii Related surveys on biometric authentication

In the literature, there are different related surveys that deal with user authentication. Although some of them covered different authentication methods [20, 21, 22], but we only consider those that were fully dedicated for biometric authentication. We classify the surveys according to the following criteria:

  • Deployment Scope: It indicate whether the authentication scheme is deployed on mobile devices or not.

  • Focus biometric area: It indicates whether the survey focused on all/specific biometric features.

  • Threat models: It indicates whether the survey considered the threats against the authentication schemes.

  • Countermeasures: It indicates whether the survey focused considered the countermeasures to defend the authentication schemes.

  • Machine learning (ML) and data mining (DM) algorithms: It indicates whether the survey mentions for each solution the used machine learning or data mining method.

Some surveys described the authentication schemes that only consider specific bio-features. For instance, the surveys [7, 8, 9, 11, 10] only focused on the keystroke dynamics. On the other hand, Gafurov [4] presented biometric gait recognition systems. Revett et al. [5] surveyed biometric authentication systems that rely on mouse movements. Yampolskiy and Govindaraju [6] presented a a comprehensive study on behavioral biometrics. Mahadi et al. [15] surveyed behavioral-based biometric user authentication, and determined the set of best classifiers for behavioral-based biometric authentication. Sundararajan and Woodard [16]

surveyed different 100 approaches that leveraged deep learning and various biometric modalities to identify users. Teh et al.

[13] presented different authentication solutions that rely on touch dynamics in mobile devices. Rattani and Derakhshani [17] provided the state-of-the-art related to face biometric authentication schemes that are designed for mobile devices. They also discussed the spoof attacks that target mobile face biometrics as well as the anti-spoofing methods. Mahfouz et al. [14] surveyed the behavioral biometric authentication schemes that are applied on smartphones. Meng et al. [12] surveys the authentication frameworks using biometric user on mobile phones. They identified eight potential attack against these authentication systems along with promising countermeasures. Our survey and [12] both focus on authentication schemes that are designed for mobile device, and consider all the biometric features, and deal with threat models and countermeasures. However, [12] do not give information related to the used machine learning or data mining method of all the surveyed solutions. In addition, [12] only covers papers up to 2014, whereas the coverage of our survey is up to 2018. To the best of our knowledge, this work is the first that thoroughly covers threats, models, countermeasures, and the machine learning algorithms of the biometric authentication schemes.

Machine learning and data mining methods Schemes
Agglomerative complete link clustering approach [23]

Support vector distribution estimation

[24] [25]
Gaussian mixture model [26]

Embedded hidden Markov model


k-nearest-neighbors (kNN)

[25] [27] [28] [29] [30]
Support-vector machine (SVM) [25] [31] [32] [33] [34] [35] [36] [27] [28] [37] [38] [39] [30]
A computation efficient statistical classifier [40]
Deep learning [41] [42] [43] [44] [45]
Local binary patterns algorithm [46]
Mel frequency cepstral coefficients [47]
Pupillary light reflex [48]
Euclidean distance, hamming distance [49]

Deep convolutional neural network

[32] [50] [51] [52]
Genetic algorithm [53]
Artificial neural network (ANN) [36]
Gauss-newton based neural network [54]
Radial integration transform [55]
Weibull distribution [56]
Online learning algorithms [57]
Counter-Propagation Artificial Neural Network (CPANN) [36]
Random Forest (RF) [58]
Neural Network (NN) [59] [28] [29]
Circular integration transform [55]
Decision Tree (DT) [27] [38] [60] [61] [62] [30]
Learning Algorithm for Multivariate Data Analysis (LAMDA) [63]
Bayesian network (BN) [38] [30]
Naive Bayes [39] [64] [30]

Pearson product-moment correlation coefficient (PPMCC)

Keyed random projections and arithmetic hashing [65]
One-dimensional multi-resolution local binary patterns [66]
TABLE II: Machine learning and data mining methods used by authentication and authorization schemes for mobile IoT devices

Iii Machine learning and data mining algorithms

In this section, we lists the different machine learning and data mining algorithms used by biometric-based authentication schemes for IoT devices, as presented in II .

Iii-a Support-vector machine (SVM)

The SVM is a popular and powerful binary classifier, which aims to find a hyperplane within the feature space that separates between two classes. SVM is used by seven authentication schemes for IoT devices in edge environments using bio-features

[25, 31, 32, 33, 34, 35, 36].

In [25], Frank et al. used two classifiers: K-Nearest-Neighbors (kNN), and SVM with an RBF-kernel. In this study, two classes are chosen, namely, i) user of interest and ii) the rest of users. In the training data phase, this study tune the two relevant parameters, i.e., and of the RBF-SVM, are tuned under five-fold cross-validation. The first parameter

is used for controlling the gaussian radial-basis function. The second parameter

is used for controlling the trade-off between maximizing the margin and minimizing the number of exceptions.

In Sitova et al. [31], an SVM classifier with scaled Manhattan (SM) and scaled Euclidian (SE) are used to perform verification experiments. For parameter tuning, the RBF kernel was selected to perform a grid search to find the parameter.

In order to detect faces of a particular size, Sarkar et al. [32]

introduced a face detection algorithm, wich is based on deep feature combined with a SVM classifier. Specifically, the study passes the image through a deep convolutional neural network, then they used train SVMs of different sizes in order to achieve scale invariance. Durang training step, Sarkar et al.’s scheme uses 5202 images from the UMD-AA database, which is a database of 720p videos and touch gestures of users on a mobile device (iPhone). The experimental results showed that the proposed idea can detect the partial or the extremely posed faces in IoT environment.

The approach described by Mahbub et al. [33] is a framework for authentication and authorization of users’ faces on Mobile IoT devices. Their approach trains a linear SVM with statistical features. The study used the Active Authentication Dataset, which contains the front-facing camera face video for 50 iPhone users (43 male, 7 female) with three different ambient lighting conditions, including, well-lit, dimly-lit, and natural daylight. Compared to Viola-Jones face detector, the Mahbub et al.’s framework can achieve superior performance.

In another study, the SVM classifier was attempted as the learning algorithm by Gunasinghe and Bertino [34]

, face as the bio-feature , and eigen faces as the feature extraction algorithm. The trained SVM classifier helps to the artifacts stored in the Mobile IoT devices. Compared to Mahbub et al.’s

[33] approach, the protocol [34] considers privacy preserving of the training data, which is uses three secrets in different phases of the scheme, including, of size , of size , and of size .

Chen et al. [35] introduced a two-factor authentication protocol using rhythm, which can be applied for mobile IoT devices. Specifically, Chen et al.’s protocol employs SVM as a machine learning classifier, and LibSVM in the implementation phase. The experimental results on Google Nexus 7 tablets, involving 22 legitimate users and 10 attackers, show an outstanding results. The false-positive and false-negative rates achieve 0.7% and 4.2%, respectively. In general, there are two behavioral biometric modalities in the construction of an authentication scheme based on the bio-feature, including, 1) Using one behavioral biometric model, which does not need any additional hardware to capture data, and 2) Using a combination of the behavioral biometric models.

Iii-B Deep learning approach

Actually, Deep learning is used to authenticate low-power devices in the IoT networks. Deep Learning approach is based on an artificial neural network (ANN), consisting of many layers of neurons, referred to as hidden layers, between two other layers: input and output. Each layer receiving and interpreting information from the previous layer. Unlike SVM, the learning runtime increases when the number of features in an ANN increases. Ferdowsi and Saad


proposed a deep learning method based on the long short-term memory (LSTM), which uses the fingerprints of the signal

generated by an IoT mobile device. In addition, LSTM algorithm is used to allow an IoT mobile device updating the bit stream by considering the sequence of generated data. The paper expressed that the findings were reported that dynamic LSTM watermarking is able to detect some attacks such as eavesdropping.

Das et al. [42] used a deep-learning based classifier to have a faster system against high-power adversaries. Similarly to the work [41], this study uses the long short-term memory (LSTM). The experiments used a testbed of LoRa low-power wireless, which consists of 29 Semtech SX1276 chips as LoRa transmitters and a Semtech SX1257 chip as the receiver. The experimental results showed that the classification performance is more promising with respect to state-of-the-art LoRa transmitters.

The work by Bazrafkan and Corcoran [67] used a deep U-shaped network with 13 layers for the segmentation task. The study used a 3x3 kernel that maps the input to the first convolutional hidden layer in order to enhance iris authentication for Mobile IoT devices. They used two databases, including, 1) CASIA Thousand, which contains 20k images, and 2) Bath 800, which contains 24156 images. The segmentation results are reported as 98.55% for the Bath 800 and 99.71% for CASIA Thousand. The paper also states the benefits of the deep learning technique such as efficient segmentation on large data sets.

In their study, Bayar and Stamm [44]

use a universal forensic approach using deep learning in order to detect multiple types of image forgery. For image recognition, the convolutional neural networks (CNNs) is used as tool from deep learning. Specifically, the CNN proposed contains eight layers, including, the proposed new convolutional layer, two convolutional layers, two max-pooling layers, and three fully-connected layers. The first layer of the network is 227

227 grayscale image. The proposed CNN is evaluated as a binary and multi-class classifier. Although the false positive rate is not reported, the Caffe deep learning framework is used, which shows that the CNN proposed model can distinguish between unaltered and manipulated images with at least 99.31% and 99.10% accuracy for a binary and multi-class classifier, respectively.

Iii-C Deep convolutional neural network

The deep convolutional neural networks (DCNNs) for face detection was attempted by Ranjan et al. [51], which can be classified into two categories, including, the region-based approach and the sliding-window approach. The DCNN can identify whether a given proposal contains a face or not.

Based on deep learning and random projections, Liu et al. [50] proposed a novel finger vein recognition algorithm, named FVR-DLRP, which could be used for Mobile IoT devices. The FVR-DLRP algorithm uses four main phases, namely, 1) feature extraction, 2) random projection, 3) training, and 4) matching. The finger vein feature extraction is based on

regions. The Johnson–Lindenstrauss theorem is used for the random projections. In the training phase, the Deep belief network is applied to generating the biometric template. The experimental results on finger vein laboratory database, named FV_NET64, involving 64 people’s finger vein image, and each of them contributes 15 acquisitions, show that the FVR-DLRP algorithm achieves 91.2% for recognition rate (GAR) and 0.3% for false acceptance rate (FAR). In the study by Sarkar et al.

[32], a deep convolutional neural network is proposed for mobile IoT devices. According to the study, the OpenCL and RenderScript based libraries for implementing deep convolutional neural networks are more suitable for mobile IoT devices compared to the CUDA based schemes.

Iii-D Decision Tree (DT)

DTs are a type of learn-by-example pattern recognition method, which were used by five studies [60] [27] [62] [38] [61]. In [60], Sheng et al. proposed a parallel decision trees based-system in order to authenticate users based on keystroke patterns, which could be applied for mobile IoT devices. According to the study, a parallel DT alone cannot solve the authentication on keystroke patterns. The training data contains 43 users, each of them typed a given common string of 37 characters. The study achieves 9.62% for FRR and 0.88% for FAR. Therefore, Kumar et al. [62] presented a fuzzy binary decision tree algorithm, named FBDT, for biometric-based personal authentication. The FBDT was able to detect with FAR=0.005% and FRR=3.027% on palmprint, and FAR=0.023% and FRR=8.1081% on iris, and FAR=0% and FRR=2.027% on the bimodal system. To enhance the network authentication in ZigBee devices, Patel et al. [61] presented an authentication system that employs ensemble decision tree classifiers. Specifically, the study applied Multi-Class AdaBoost ensemble classifiers and non-parametric Random Forest on the fingerprinting arena.

Iii-E k-nearest-neighbors (kNN)

The kNN algorithm identifies the training observations to belong to a group among a set of groups based on a distance function in a vector space to the members of the group [29]. In our study, we found that it is always combined with other classifiers in order to provides a fast classification. The study [25] uses the kNN algorithm and a support-vector machine with an rbf-kernel. The study [27] combines three classifiers, namely, the kNN algorithm, support vector machines, and decision trees. The study [28] combines three models, including, 1) a nearest-neighbor based detector model, 2) a neural network detector model, and 3) a support vector machine model. The study by Jagadeesan and Hsiao [29] incorporates statistical analysis, neural networks, and kNN algorithms, which the experimental results show that the identification accuracy is 96.4% and 82.2% in case of the application-based model and the the application-independent model, respectively.

Iii-F Statistical models

In order to perform authentication of the user’s identity on mobile IoT devices, Tasia et al. [40] used a computation efficient statistical classifier, which has low computational complexity compared to fuzzy logic classifiers and do not require comparison with other users’ samples for identification. Therefore, hidden Markov model is a statistical model where Kim and Hong [26] used an embedded hidden Markov model algorithm and the two-dimensional discrete cosine transform for teeth authentication. For the voice authentication on mobile IoT devices, the study use pitch and mel-frequency cepstral coefficients as feature parameters and a Gaussian mixture model algorithm to model the voice signal. In the experiment section, Kim’s study used an Hp iPAQ rw6100 mobile device equipped with a camera and sound-recording device. The study reported an ERR of 6.42% and 6.24% for teeth authentication and voice authentication, respectively.

Iii-G Naive Bayes

To map from the feature space to the decision space, Fridman et al. [39]

used the Naive Bayes classifier, which is based on the so-called Bayesian theorem. In the experiment section, the study reached a false acceptance rate of 0.004 and a false rejection rate of 0.01 after 30 seconds of user interaction with the device. Therefore, Traore et al.

[64] considered two different biometric modalities, namely, keystroke and mouse dynamics. Their study used a Bayesian network to build the user profile, and then use it to classify the monitored samples. The experimental results show that the mouse dynamics model has a reached an equal error rate (EER) of 22.41%, which is slightly lower than the keystroke dynamics that reached an EER of 24.78%. In addition, Bailey et al. [38] used a Bayesian network with two machine learning algorithms, including, LibSVM and J48. The results achieved a full fusion false acceptance rate of 3.76% and a false rejection rate of 2.51%.

To solve the problem of verifying a user, Buriro et al. [30] proposed AnswerAuth, an authentication mechanism, which is based on the extracted features from the data recorded using the built-in smartphone sensors. In effect, the AnswerAuth mechanism is tested using a dataset composing of 10, 200 patterns (120 from each sensor) from 85 users and six classification techniques are used, including, Bayes network, naive Bayes, SVM, kNN, J48, and Random Forest. According to the study, Random Forest classifier performed the best with a true acceptance rate of 99.35%.

Fig. 2: A voice-based authentication scheme
Bio-feature Schemes
Gaze gestures [68] [69] [70]
Electrocardiogram [71] [72]
Voice recognition [26] [35] [73] [45]
Signature recognition [24]
Gait recognition [74]
Behavior profiling [25][31][24][75]
Keystroke dynamics [23] [40] [76] [59] [64] [36] [60]
Touch dynamics [13] [70]
Fingerprint [77] [78] [79] [80] [81] [82] [62]
Smart card [83] [84] [85]
Multi-touch interfaces [86] [87]
Graphical password [88]
Face recognition [89] [32] [33] [90] [34]
Iris recognition [89] [91] [92] [43]
Rhythm [35]
Capacitive touchscreen [93]
Ear Shape [46]
Arm gesture [46]
Plantar biometrics [94]
Mouse dynamics [28] [37] [64] [36] [38]
Slap fingerprints [95]
Palm dorsal vein [95]
Hand geometry [95]
Behavioral biometric [57]
TABLE III: Bio-features used by authentication schemes for IoT devices in edge environments

Iv Bio-features

The Bio-features used by authentication and authorization schemes for mobile IoT devices can be classified in two types, including human physiological (e.g., face, eyes, fingerprints-palm, or electrocardiogram) and behavioral (e.g., signature, voice, gait, or keystroke). Tab. III presents the biometrics-based authentication schemes for mobile IoT devices with Bio-features used as a countermeasure.

  • Gaze gestures: By combining gaze and touch, Khamis et al. [68] introduced multimodal authentication for mobile IoT devices, which is more secure than single-modal authentication against against iterative attacks and side attacks.

  • Electrocardiogram: Electrocardiogram methods can conceal the biometric features during authentication, which are classified as either electrocardiogram with the fiducial features of segmented heartbeats or electrocardiogram with non-fiducial features as discussed in [71] [72]. Both studies proved that the electrical activity of the heart can be a candidate of Bio-features for user authentication on mobile IoT devices.

  • Voice recognition: The voice signal can be used in voice authentication with a characteristic of single-vowel. Kim and Hong [26] used mel-frequency cepstral coefficients and pitch as voice features, and the Gaussian mixture model in the voice authentication process for speaker recognition, as shown in Fig. 2. Note that voice-based authentication and authorization schemes for mobile IoT devices are vulnerable against attacks that use a pre-recorded voice.

  • Signature recognition: According to Shahzad et al. [24], a signature is defined as the conventional handwritten depiction of one’s name performed either using a finger. Therefore, existing signature-based authentication and authorization schemes for mobile IoT devices can be divided into three categories, namely, offline, online, and behavior. With the category of offline, authentication and authorization schemes use the form on an image as input signatures. With the category of online, authentication and authorization schemes use the form of time-stamped data points as input signatures. With the category of behavior, authentication and authorization schemes use the behavior of doing signatures with a finger.

  • Gait recognition: The gait templates can be used for user verification. Based on the biometric cryptosystem (BCS) approach with a fuzzy commitment scheme, Hoang et al. [74] introduced authentication and authorization scheme using gait recognition for mobile IoT devices.

  • Behavior profiling: Behavior profiling aims at building invariant features of the human behavior during different activities. Frank et al. [25] proposed authentication and authorization scheme using a touchscreen input as a behavioral biometric for mobile IoT devices.

    Fig. 3: A keystroke dynamics-based authentication scheme
  • Keystroke dynamics: Existing keystroke-based authentication and authorization schemes for mobile IoT devices can be classified into two types, including, 1) Static, which the keystroke analysis performed only at specific times; and 2) Continuous, which the keystroke analysis performed during a whole session. In order to improve the effectiveness of PIN-based authentication and authorization schemes, Tasia et al. [40] proposed three steps in the keystroke dynamics-based authentication systems, namely, 1) Enrollment step, 2) Classifier building step, and 3) User authentication step, as shown in Fig. 3.

    Fig. 4: An authentication and authorization scheme using touch dynamics for mobile IoT devices
  • Touch dynamics: The process of measuring and assessing human touch rhythm on mobile IoT devices is called touch dynamics. According to Teh et al. [13], the design of a touch dynamics authentication system is performed in three steps, namely, 1) User enrolment step, 2) User authentication step, and 3) Data retraining step, as shown in Fig. 4.

    Fig. 5: Authentication and authorization scheme using fingerprint for mobile IoT devices
  • Fingerprint: The fingerprint is used as a bio-key, dynamically to secure a communication channel between client and server after successful authentication on mobile IoT devices. [77, 78, 79, 80]. Currently, authentication and authorization schemes use public key infrastructure framework, such as elliptic curve cryptography, in order to protect the fingerprint biometric, as shown in Fig. 5.

  • Smart card: According to Li and Hwang [83], the authentication and authorization for mobile IoT devices using smart cards are one of the simplest and the most effective schemes for IoT authentication compared to traditional password-based authentication schemes. Specifically, the user inputs his/her personal bio-features on mobile IoT device during the registration step. Then, the registration center stores the personal bio-features on the user’s smart card.

  • Multi-touch refers to the ability to sense the input simultaneously from more points of contact with a touchscreen [87]. According to Sae-Bae et al. [86], authentication and authorization for mobile IoT devices using multi-touch gesture are based on classifying movement characteristics of the center of the fingertips and the palm.

  • Graphical password: To withstand dictionary attacks, researchers proposed graphical-based password authentication schemes, which can be classified into two types 1) authentication and authorization using recognition and 2) authentication and authorization using recall.

    Fig. 6: A face-based authentication scheme using the Support Vector Machine (SVM)
    Time Scheme Method Goal Mobile device Performance (+) and limitation (-) Complexity
    2007 Clarke and Furnell [96] - Keystroke analysis - Introducing the concept of advanced user authentication - Sony Ericsson T68;
    - HP IPAQ H5550;
    + Keystroke latency
    - Process of continuous and non-intrusive authentication
    2007 Clarke and Furnell [97] - Keystroke analysis - Enable continuous and transparent identity verification - Nokia 5110 + GRNN has the largest spread of performances
    - The threat model is not defined
    2008 Khan et al. [77] - Fingerprint - Introducing the chaotic hash-based fingerprint - N/A + Can prevent from server spoofing attack
    - The proposed scheme is not tested on mobile devices
    2010 Li and Hwang [83] - Smart card - Providing the non-repudiation - N/A + Can prevent from parallel session attacks
    - Storage costs are not considered

    2011 Xi et al. [78] - Fingerprint - Providing the authentication using bio-cryptographic - Mobile device with Java Platform + Secure the genuine biometric feature
    - Server-side attack is not considered
    at FAR=0.1% , GAR=78.69%
    2012 Chen et al. [79] - Fingerprint - Using only hashing functions - N/A + Solve asynchronous problem
    - Privacy-preserving is not considered
    2013 Frank et al. [25] - Touchscreen - Providing a behavioral biometric for continuous authentication - Google Nexus One + Sufficient to authenticate a user
    - Not applicable for long-term authentication
    11 to 12 strokes, EER=2%–3%
    2014 Khan et al. [80] - Fingerprint - Improve the Chen et al.’s scheme - N/A + Quick wrong password detection
    - Location privacy is not considered

    2015 Hoang et al. [74] - Gait recognition - Employing a fuzzy commitment scheme - Google Nexus One + Efficient against brute force attacks
    - Privacy model is not defined
    2016 Arteaga-Falconi et al. [71] - Electrocardiogram - Introducing the concept of electrocardiogram-based authentication - AliveCor + Concealing the biometric features during authentication
    - Privacy model is not considered.
    TAR=81.82% and FAR=1.41%
    2017 Abate et al. [46] - Ear Shape - Implicitly authenticate the person authentication - Samsung Galaxy S4 smartphone + Implicit authentication
    - Process of continuous and non-intrusive authentication
    2017 Khamis et al. [70] - Gaze and Touch - Protect multimodal and authorization on mobile IoT devices - N/A + Secure against the side attack model and the iterative attack model
    - Vulnerable to video attacks
    2017 Feng et al. [85] - Fingerprints or iris scans - Introduced a biometrics-based authentication with key distribution - Google Nexus One + Anonymity and unlinkability
    - Interest privacy in not considered

    2017 Ghosh et al. [81] - Fingerprint - Proposing a near-field communication with biometric authentication - N/A + Authentication and authorization for P2P payment
    - Threat model is not defined
    2017 Mishra et al. [98] - Biometric identifier - Removing the drawback of the Li et al. scheme [99] - N/A + Efficient password change
    + Off-line password guessing
    - Location privacy in not considered
    2018 Li et al. [82] - Fingerprint - Introduced three-factor authentication using fingerprint identification - N/A + Quickly detection for wrong password
    + Traceability of mobile user
    - Backward privacy is not considered
    2018 Yeh et al. [94] - Plantar biometrics - Introduced critical characteristics of new biometrics - Raspberry PI platform + High verification accuracy
    - Threat model is not defined
    2018 Bazrafkan and Corcoran [43] - Iris - Use deep learning for enhancing Iris authentication - N/A + The iris segmentation task on mobile IoT devices
    - Privacy preserving is not considered

    Notations: TAR: True acceptance rate; FAR: False acceptance rate; FPR: False-positive rate; EER: Equal error rate; GAR: Genuine acceptance rate; : Time of executing a one-way hash function : Shoulder surfing attack rate; : Computational cost of client and server (total); : Time of executing an elliptic curve point multiplication ; : Time complexity of symmetric key encryption/decryption; : Time of executing a bilinear pairing operation; : Accuracy ratio of entity verification; : Segmentation accuracy.

    TABLE IV: Biometric-based authentication schemes for Mobile IoT devices
    Scheme Bio-feature Threat model Data attacked Countermeasure
    Khamis et al. [68] Gaze gestures - Iterative attacks
    - Side attacks
    - Observe the user several times from different viewpoints - Multimodal authentication based on combining gaze and touch
    Khamis et al. [69] Gaze gestures - Shoulder surfing
    - Thermal attacks
    - Smudge attacks
    - Uncover a user’s password - Multimodal authentication based on combining gaze and touch
    Arteaga-Falconi et al. [71] Electrocardiogram

    - Adversarial machine learning

    - Attacking ECG data sensors - ECG authentication algorithm
    Kang et al. [72] Electrocardiogram - Adversarial machine learning - Attacking ECG data sensors - Cross-correlation of the templates extracted
    Chen et al. [35] Voice recognition - Random-guessing attack - Malicious bystanders try to observe the password of the legitimate user - Rhythm-based two-factor authentication
    Shahzad et al. [24] Signature recognition - Shoulder surfing attack
    - Smudge attack
    - Malicious bystanders try to observe the password of the legitimate user - behavior-based user authentication using gestures and signatures
    Sitova et al. [31] Behavior profiling - Population attacks - Guess the user’s feature vector - Using the notion of guessing distance
    Shahzad et al. [24] Behavior profiling - Shoulder surfing attack
    - Smudge attack
    - Spying on the owner when he performs an action - Authentication scheme based on the gesture and signature behavior
    Khamis et al. [70] Touch dynamics - Side attack model
    - Iterative attack model
    - Spying on the owner when he performs an action - Multimodal authentication
    Ferdowsi and Saad [41] N/A - Eavesdropping attacks - Extract the watermarked information - Deep learning algorithm with long short-term memory
    Khan et al. [77] Fingerprint - Replay attacks, forgery attack and impersonation attack, server spoofing attack - Replaying of an old login message - Chaotic hash-based authentication
    TABLE V: Threat models and countermeasures
  • Face recognition: Mahbub et al. [33] introduced an authentication and authorization scheme using face recognition, which can be applied for mobile IoT devices. Based on the Support Vector Machine (SVM), the Mahbub et al.’s scheme is based on three steps, namely, 1) Step of segment clustering, 2) Step of learning SVM, and 3) Step of face detection, As shown in Fig. 6.

    Fig. 7: A Iris-based authentication scheme
  • Iris recognition: Iris-based authentication scheme refers to a comparison with the iris template of the person owning the mobile computing device. This process could be used to unlock a mobile computing device or to validate banking transactions. According to De Marsico et al. [89], an Iris-based authentication scheme can be repeated in a cyclic process to ensure continuous reidentification, as shwon in Fig. 7.

  • Rhythmic taps/slides: A rhythm-based authentication scheme refers to user identification by a series of rhythmic taps/slides on a device screen. Chen et al. [35] proposed an authentication and authorization scheme using rhythmic taps/slides, which can be applied for mobile IoT devices. Chen et al.’s scheme is based on two step, namely, 1) Enrollment step and 2) Verification step.

  • Capacitive touchscreen: In order to scan body parts on mobile IoT devices, Holz et al. [93] introduced an authentication and authorization scheme using the capacitive touchscreen. Specifically, the Holz et al.’s scheme appropriates the capacitive touchscreen as an image sensor.

  • Ear Shape: Ear shape-based authentication scheme refers to capturing a sequence of ear images, which are used for extraction of discriminant features, in order to authenticate the users on mobile IoT devices. [46].

  • Arm gesture: The arm gesture is usually combined with a physical biometric to authenticate users for mobile IoT devices, e.g. Ear shape [46].

V Authentication and authorization schemes for mobile IoT devices using bio-features

The surveyed papers of Authentication and authorization schemes for mobile IoT devices using bio-features are shown in Table IV. In addition, threat models and countermeasures are shown in Table V.

The manner and rhythm in which an individual types characters when writing a text message is called keystroke analysis, which can be classified as either static or continuous. For authenticating users based on the keystroke analysis, Clarke and Furnell [96] introduced an authentication and authorization scheme, which is based on three interaction scenarios, namely, 1) Entry of 11-digit telephone numbers, 2) Entry of 4-digit PINs, and 3) Entry of text messages. The Clarke and Furnell’s scheme [96] can provide not only transparent authentication of the user, but it is also efficient in terms of FRR and FAR under three types of mobile IoT devices, namely, Sony Ericsson T68, HP IPAQ H5550, and Sony Clie PEG NZ90. To demonstrate the ability of neural network classifiers, the same authors in [97]

proposed an authentication framework based on mobile handset keypads in order to support keystroke analysis. The three pattern recognition approaches used in this framework are, 1) Feed forward multi-layered perceptron network, 2) Radial basis function network, and 3) Generalised regression neural network. Therefore, Maiorana et al.

[23] proved that it is feasible to employ keystroke dynamics on mobile phones with the statistical classifier for keystroke recognition in order to employ it as a password hardening mechanism. In addition, the combination of pressure and time features is proved by Tasia et al. in [40] that is is among the effective solutions for authentication and authorization.

The passwords have been widely used by the remote authentication schemes, which they can be easily guessed, hacked, and cracked. However, to deal with the drawbacks of only-password-based remote authentication, Khan et al. [77] proposed the concept of chaotic hash-based fingerprint biometrics remote user authentication scheme. Theoretically, the scheme [77] can prevent from fives attacks, namely, parallel session attack, reflection attack, Forgery attack, impersonation attack, DoS attack, and server spoofing attack, but it is not tested on mobile devices and may be vulnerable to biometric template attacks.

In order to avoid the biometric template attack, Xi et al. [78] proposed an idea based on the transformation of the locally matched fuzzy vault index to the central server for biometric authentication using the public key infrastructure. Compared to [100], [77], and [78], Chen et al. [79] proposed an idea that uses only hashing functions on fingerprint biometric remote authentication scheme to solve the asynchronous problem on mobile devices. In 2014, Khan et al. [80] improved the Chen et al.’s scheme and Truong et al.’s scheme with quick wrong password detection, but location privacy is not considered.

Biometric keys have some advantages, namely, 1) cannot be lost, 2) very difficult to copy, 3) hard to distribute, and 4) cannot be easily guessed. In 2010, Li and Hwang [83] proposed a biometric-based remote user authentication scheme using smart cards, in order to provide non-repudiation. Without using identity tables and storing password tables in the authentication system, Li and Hwang’s scheme [83] can resist masquerading attacks, replay attacks, and parallel session attacks. Authors did not specify the application environment of their scheme, but it can be applied to mobile IoT devices as the network model is not too complicated. Note that Li and Hwang’s scheme was cryptanalyzed for several times.

Touch dynamics for user authentication are initialed on desktop machines and finger identification applications. In 2012, Meng et al. [101] focused on authentication and authorization using user behavioral bio-features such as touch duration and touch direction. Specifically, they proposed an authentication scheme that uses touch dynamics on touchscreen mobile IoT devices. To classify users, Meng et al.’s scheme performs an experiment with 20 users using Android touchscreen phones and applies known machine learning algorithms (e.g. Decision Tree, Naive Bayes). Through simulations, the results show that Meng et al.’s scheme succeeds to reduce the average error rate down to 2.92% (FAR of 2.5% and FRR of 3.34%). The question we ask here: is it possible to use the multi-touch as an authentication mechanism? Sae-Bae et al. [86] in 2012, introduced an authentication approach based on multi-touch gestures using an application on the iPad with version 3.2 of iOS. Compared with Meng et al.’s scheme [101], Sae-Bae et al.’s approach is efficient with 10% EER on average for single gestures, and 5% EER on average for double gestures. Similar to Sae-Bae et al.’s approach [86], Feng et al. [102] proposed an authentication and authorization scheme using multi-touch gesture for mobile IoT devices, named FAST, that incurs FAR=4.66% and FRR= 0.13% for the continuous post-login user authentication. In addition, the FAST scheme can provide a good post-login access security, but the threat model is very limited and privacy-preservation is not considered.

Arteaga-Falconi et al. [71] introduced the concept of authentication and authorization using electrocardiogram for mobile IoT devices. Specifically, the authors considered five factors, namely, the number of electrodes, quality of mobile ECG sensors, time required to gain access to the phone, FAR, and TAR. Before applying the ECG authentication algorithm, the preprocessing stages for the ECG signal pass by the fiducial point detection. The ECG authentication algorithms is based on two aspects: 1) employing feature-specific percentage of tolerance and 2) employing of a hierarchical validation framework. The results reveal that the algorithm [71] has 1.41% FAR and 81.82% TAR with 4 of signal acquisition. Note that ECG signals from mobile IoT devices may be affected by noise due to the type of motion and signal acquisition, as discussed by Kang et al. [72]. However, the advantage of using ECG authentication is concealing the biometric features during authentication, but it is a serious problem if privacy preservation is not considered.

Vi Future Directions

Several challenges still remain that opens interesting research opportunities for future work, including, doppler radar, vocal resonance, mobile malware threats, and adversarial machine learning.

Vi-a Doppler radar

A team of researchers at Buffalo University, led by Wenyao Xu, developed a system that exploits a Doppler radar capable of "reading" the human heart! It works roughly like any other radar, emitting microwaves and analyzing the return signal in order to detect changes in motion [103]. As scientists say, the process of identifying a person through the method takes about eight seconds, and radar power is just 5 milliwatts - which means that radiation is not dangerous to the body. This method can be a basis for future biometric systems that can be fast, efficient and recognize unique characteristics of the human body.

Vi-B Vocal Resonance

In [104], the authors proposed using vocal resonance, that is, the sound of the person’s voice as it travels through the person’s body. Vocal resonance can be used as a passive biometric, and it achieves high accuracy in terms of identification and verification problems. It is a method that is suitable for devices worn on the chest, neck, or initially but could also be used in the near future for recognizing any device that a user posses.

Vi-C Mobile malware threats against biometric reference template

In 2016 [105, 106], an Android malware succeeded in bypassing the two-factor authentication scheme of many banking mobile applications that are installed on the user’s mobile device. The malware can intercept two-factor authentication code (i.e., verification code sent through SMS), and forward it the attacker. In case of biometric-based authentication, this threat can be evolved to access the biometric reference template, which are stored at the mobile device, and send it to the attacker. One research direction to prevent this kind of attacks is to employ policy-enforcement access control mechanisms that are appropriate for resource-constrained mobile devices.

Vi-D Adversarial machine learning against biometric-based authentication schemes

Some biometric-based authentication mechanisms, and especially behavioral-based ones, use machine learning techniques for extracting features and building a classifier to verify the user’s identity. Adversarial machine learning aims to manipulate the input data to exploit specific vulnerabilities of the learning algorithms. An adversary using adversarial machine learning methods tries to compromise biometric-based authentication schemes and gain illegal access to the system or the mobile device. The future research efforts should focus on dealing with this kind of threats.

Vi-E Machine learning and blockchain-based authentication

The blockchain technology is being used in different application domains beyond the cryptocurrencies, e.g., SDN, Internet of Things, Fog computing, etc.[107]. To developing a machine learning and blockchain-based solution for authenticating mobile IoT devices, we have to take in mind the specific requirements of the blockchain, e.g., 1) when IoT data needed to be checked by the IoT entities without any central authority, 2) the ledger copies are required to be synchronized across all of the IoT entities etc. In addition, the vulnerabilities of the peer-to-peer blockchain networks during the authentication need to be considered, including, private key leakage, double spending, transaction privacy leakage, 51% vulnerability, and selfish and reputation-based behaviors. Hence, the machine learning-based authentication schemes using the blockchain technology should be investigated in the future.

Vi-F Developing a novel authentication scheme

For developing a novel authentication scheme for mobile IoT devices using bio-features, we propose the following six-step process:

  1. Definition of IoT network components (Cloud computing, Fog computing, IoT devices, …etc),

  2. Choose the threat models (e.g., iterative attacks, shoulder surfing attacks, thermal attacks, smudge attacks, eavesdropping attacks),

  3. Choose the bio-features (e.g., face, eyes, fingerprints-palm, electrocardiogram, signature, voice, gait, keystroke, …etc).

  4. Choose the machine learning and data mining methods (unsupervised, semi-supervised, or supervised),

  5. Proposition of the main steps (e.g., Enrollment steps, Classifier building step, and user authentication step),

  6. Evaluate the scheme’s performance using classification metrics, including, TAR, FAR, FPR, EER,…etc.

Vii Discussion

There is a big discussion regarding the use of biometric characteristics of the users from new systems or technologies. Biometric technology can be used to protect privacy, since only a minimum amount of information is required to determine whether someone is authorized, for example, to enter a specific area. On the other hand, since biometrics can reveal sensitive information about a person, controlling the usafe of information may be tricky, especially now that the technology has reached the stage of being applied in mobile devices which can be easily lost or stolen [108]. Those who are against the use of such features raise concerns about how these data are going to be used. These concerns could be mitigated by making clear to people that their data is only stored for a limited time, and explaining who will process this data and for what purposes [109]. To that sense, the General Data Protection Regulation (GDPR) for European Member States addresses biometric data storage and processes in terms of data protection and privacy. EU countries are affected including the UK and all companies that store or process data of EU citizens. On the other hand, in the United States, there is no single comprehensive federal law regulating the collection and processing of biometric data. Only three states Washington, Texas, and Illinois, which have a biometric privacy law in spite that US regulators are also increasingly focusing on the protection of biometric data. Moreover, In August 2017, India’s supreme court decision about a landmark case that named privacy a "fundamental right"showcased that biometric data protection is top on regulators’ agenda.

Except from data use issues, general terms such as and also provide established accounts of individuals resistance to use new and unfamiliar information technologies, especially for elder people [110]. Moving one step further, companies that produce applications or methods that use biometric characteristics must comply with a code of ethics or a consistent legal framework governing this kind of data collection which is still absent. For that reason IEEE P7000, is the first standard IEEE is ever going to publish on ethical issues in system design in the next couple of years [111].

Viii Conclusion

In this article, we have presented a comprehensive literature review, focusing on authentication and authorization for mobile IoT devices using bio-features, which were published between 2007 and 2018. We presented the machine learning and data mining algorithms used by authentication and authorization schemes for mobile IoT devices, including, unsupervised, semi-supervised, and supervised approaches. We reviewed all the Bio-features used by authentication and authorization schemes for mobile IoT devices. We presented the pitfalls and limitations of the existing authentication and authorization schemes for mobile IoT devices. Several challenging research areas (e.g., doppler radar, vocal resonance, mobile malware threats, adversarial machine learning, machine learning and blockchain-based authentication) will open doors for possible future research directions for mobile IoT devices.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


  • [1] J. S. del Rio, D. Moctezuma, C. Conde, I. M. de Diego, and E. Cabello, “Automated border control e-gates and facial recognition systems,” computers & security, vol. 62, pp. 49–72, 2016.
  • [2] P. Vinkel and R. Krimmer, “The how and why to internet voting an attempt to explain e-stonia,” in International Joint Conference on Electronic Voting.   Springer, 2016, pp. 178–191.
  • [3] D. Springall, T. Finkenauer, Z. Durumeric, J. Kitcat, H. Hursti, M. MacAlpine, and J. A. Halderman, “Security analysis of the estonian internet voting system,” in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security.   ACM, 2014, pp. 703–715.
  • [4] D. Gafurov, “A survey of biometric gait recognition: Approaches, security and challenges,” in Annual Norwegian computer science conference, 2007, pp. 19–21.
  • [5] K. Revett, H. Jahankhani, S. T. de Magalhães, and H. M. Santos, “A survey of user authentication based on mouse dynamics,” in Global E-Security.   Springer, 2008, pp. 210–219.
  • [6] R. V. Yampolskiy and V. Govindaraju, “Behavioural biometrics: a survey and classification,” International Journal of Biometrics, vol. 1, no. 1, pp. 81–113, 2008.
  • [7] D. Shanmugapriya and G. Padmavathi, “A survey of biometric keystroke dynamics: Approaches, security and challenges,” arXiv preprint arXiv:0910.0817, 2009.
  • [8] M. Karnan, M. Akila, and N. Krishnaraj, “Biometric personal authentication using keystroke dynamics: A review,” Applied soft computing, vol. 11, no. 2, pp. 1565–1573, 2011.
  • [9] S. P. Banerjee and D. L. Woodard, “Biometric authentication and identification using keystroke dynamics: A survey,” Journal of Pattern Recognition Research, vol. 7, no. 1, pp. 116–139, 2012.
  • [10] P. S. Teh, A. B. J. Teoh, and S. Yue, “A survey of keystroke dynamics biometrics,” The Scientific World Journal, vol. 2013, 2013.
  • [11] S. Bhatt and T. Santhanam, “Keystroke dynamics for biometric authentication—a survey.”
  • [12] W. Meng, D. S. Wong, S. Furnell, and J. Zhou, “Surveying the Development of Biometric User Authentication on Mobile Phones,” IEEE Commun. Surv. Tutorials, vol. 17, no. 3, pp. 1268–1293, jan 2015.
  • [13] P. S. Teh, N. Zhang, A. B. J. Teoh, and K. Chen, “A survey on touch dynamics authentication in mobile devices,” Comput. Secur., vol. 59, pp. 210–235, jun 2016.
  • [14] A. Mahfouz, T. M. Mahmoud, and A. S. Eldin, “A survey on behavioral biometric authentication on smartphones,” Journal of Information Security and Applications, vol. 37, pp. 28–37, 2017.
  • [15] N. A. Mahadi, M. A. Mohamed, A. I. Mohamad, M. Makhtar, M. F. A. Kadir, and M. Mamat, “A survey of machine learning techniques for behavioral-based biometric user authentication,” in Recent Advances in Cryptography and Network Security.   IntechOpen, 2018.
  • [16] K. Sundararajan and D. L. Woodard, “Deep learning for biometrics: A survey,” ACM Computing Surveys (CSUR), vol. 51, no. 3, p. 65, 2018.
  • [17] A. Rattani and R. Derakhshani, “A survey of mobile face biometrics,” Computers & Electrical Engineering, vol. 72, pp. 39–52, 2018.
  • [18] R. Sen and S. Borle, “Estimating the contextual risk of data breach: An empirical approach,” Journal of Management Information Systems, vol. 32, no. 2, pp. 314–341, 2015.
  • [19] “United biometrics,”, accessed: 2018-30-11.
  • [20] M. Alizadeh, S. Abolfazli, M. Zamani, S. Baharun, and K. Sakurai, “Authentication in mobile cloud computing: A survey,” J. Netw. Comput. Appl., vol. 61, pp. 59–80, feb 2016.
  • [21] M. U. Aslam, A. Derhab, K. Saleem, H. Abbas, M. Orgun, W. Iqbal, and B. Aslam, “A survey of authentication schemes in telecare medicine information systems,” Journal of medical systems, vol. 41, no. 1, p. 14, 2017.
  • [22] D. Kunda and M. Chishimba, “A survey of android mobile phone authentication schemes,” Mobile Networks and Applications, pp. 1–9, 2018.
  • [23] E. Maiorana, P. Campisi, N. González-Carballo, and A. Neri, “Keystroke dynamics authentication for mobile phones,” in Proc. 2011 ACM Symp. Appl. Comput. - SAC ’11.   New York, New York, USA: ACM Press, 2011, p. 21.
  • [24] M. Shahzad, A. X. Liu, and A. Samuel, “Behavior Based Human Authentication on Touch Screen Devices Using Gestures and Signatures,” IEEE Trans. Mob. Comput., vol. 16, no. 10, pp. 2726–2741, oct 2017.
  • [25] M. Frank, R. Biedert, E. Ma, I. Martinovic, and D. Song, “Touchalytics: On the Applicability of Touchscreen Input as a Behavioral Biometric for Continuous Authentication,” IEEE Trans. Inf. Forensics Secur., vol. 8, no. 1, pp. 136–148, jan 2013.
  • [26] D.-S. Kim and K.-S. Hong, “Multimodal biometric authentication using teeth image and voice in mobile environment,” IEEE Trans. Consum. Electron., vol. 54, no. 4, pp. 1790–1797, nov 2008.
  • [27] C.-C. Lin, C.-C. Chang, and D. Liang, “A new non-intrusive authentication approach for data protection based on mouse dynamics,” in Biometrics and Security Technologies (ISBAST), 2012 International Symposium on.   IEEE, 2012, pp. 9–14.
  • [28] C. Shen, Z. Cai, and X. Guan, “Continuous authentication for mouse dynamics: A pattern-growth approach,” in Dependable Systems and Networks (DSN), 2012 42nd Annual IEEE/IFIP International Conference on.   IEEE, 2012, pp. 1–12.
  • [29] H. Jagadeesan and M. S. Hsiao, “A novel approach to design of user re-authentication systems,” in Biometrics: Theory, Applications, and Systems, 2009. BTAS’09. IEEE 3rd International Conference on.   IEEE, 2009, pp. 1–6.
  • [30] A. Buriro, B. Crispo, and M. Conti, “Answerauth: A bimodal behavioral biometric-based user authentication scheme for smartphones,” Journal of Information Security and Applications, vol. 44, pp. 89–103, 2019.
  • [31] Z. Sitova, J. Sedenka, Q. Yang, G. Peng, G. Zhou, P. Gasti, and K. S. Balagani, “HMOG: New Behavioral Biometric Features for Continuous Authentication of Smartphone Users,” IEEE Trans. Inf. Forensics Secur., vol. 11, no. 5, pp. 877–892, may 2016.
  • [32] S. Sarkar, V. M. Patel, and R. Chellappa, “Deep feature-based face detection on mobile devices,” in 2016 IEEE Int. Conf. Identity, Secur. Behav. Anal.   IEEE, feb 2016, pp. 1–8.
  • [33] U. Mahbub, V. M. Patel, D. Chandra, B. Barbello, and R. Chellappa, “Partial face detection for continuous authentication,” in 2016 IEEE Int. Conf. Image Process.   IEEE, sep 2016, pp. 2991–2995.
  • [34] H. Gunasinghe and E. Bertino, “PrivBioMTAuth: Privacy Preserving Biometrics-Based and User Centric Protocol for User Authentication From Mobile Phones,” IEEE Trans. Inf. Forensics Secur., vol. 13, no. 4, pp. 1042–1057, apr 2018.
  • [35] Y. Chen, J. Sun, R. Zhang, and Y. Zhang, “Your song your way: Rhythm-based two-factor authentication for multi-touch mobile devices,” in 2015 IEEE Conf. Comput. Commun.   IEEE, apr 2015, pp. 2686–2694.
  • [36] S. Mondal and P. Bours, “A study on continuous authentication using a combination of keystroke and mouse biometrics,” Neurocomputing, vol. 230, pp. 1–22, 2017.
  • [37] N. Zheng, A. Paloski, and H. Wang, “An efficient user verification system via mouse movements,” in Proceedings of the 18th ACM conference on Computer and communications security.   ACM, 2011, pp. 139–150.
  • [38] K. O. Bailey, J. S. Okolica, and G. L. Peterson, “User identification and authentication using multi-modal behavioral biometrics,” Computers & Security, vol. 43, pp. 77–89, 2014.
  • [39] L. Fridman, A. Stolerman, S. Acharya, P. Brennan, P. Juola, R. Greenstadt, and M. Kam, “Multi-modal decision fusion for continuous authentication,” Computers & Electrical Engineering, vol. 41, pp. 142–156, 2015.
  • [40] C.-J. Tasia, T.-Y. Chang, P.-C. Cheng, and J.-H. Lin, “Two novel biometric features in keystroke dynamics authentication systems for touch screen devices,” Secur. Commun. Networks, vol. 7, no. 4, pp. 750–758, apr 2014.
  • [41] A. Ferdowsi and W. Saad, “Deep learning-based dynamic watermarking for secure signal authentication in the internet of things,” in 2018 IEEE International Conference on Communications (ICC).   IEEE, 2018, pp. 1–6.
  • [42] R. Das, A. Gadre, S. Zhang, S. Kumar, and J. M. Moura, “A deep learning approach to iot authentication,” in 2018 IEEE International Conference on Communications (ICC).   IEEE, 2018, pp. 1–6.
  • [43] S. Bazrafkan and P. Corcoran, “Enhancing iris authentication on handheld devices using deep learning derived segmentation techniques,” in 2018 IEEE Int. Conf. Consum. Electron.   IEEE, jan 2018, pp. 1–2.
  • [44] B. Bayar and M. C. Stamm, “A deep learning approach to universal image manipulation detection using a new convolutional layer,” in Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security.   ACM, 2016, pp. 5–10.
  • [45] M. Alhussein and G. Muhammad, “Voice pathology detection using deep learning on mobile healthcare framework,” IEEE Access, vol. 6, pp. 41 034–41 041, 2018.
  • [46] A. F. Abate, M. Nappi, and S. Ricciardi, “I-Am: Implicitly Authenticate Me Person Authentication on Mobile Devices Through Ear Shape and Arm Gesture,” IEEE Trans. Syst. Man, Cybern. Syst., pp. 1–13, 2017.
  • [47] Z. Yan and S. Zhao, “A usable authentication system based on personal voice challenge,” in Advanced Cloud and Big Data (CBD), 2016 International Conference on.   IEEE, 2016, pp. 194–199.
  • [48] V. Yano, A. Zimmer, and L. L. Ling, “Extraction and application of dynamic pupillometry features for biometric authentication,” Measurement, vol. 63, pp. 41–48, 2015.
  • [49] K. Annapurani, M. Sadiq, and C. Malathy, “Fusion of shape of the ear and tragus–a unique feature extraction method for ear authentication system,” Expert Systems with Applications, vol. 42, no. 1, pp. 649–656, 2015.
  • [50] Y. Liu, J. Ling, Z. Liu, J. Shen, and C. Gao, “Finger vein secure biometric template generation based on deep learning,” Soft Computing, vol. 22, no. 7, pp. 2257–2265, 2018.
  • [51] R. Ranjan, S. Sankaranarayanan, A. Bansal, N. Bodla, J.-C. Chen, V. M. Patel, C. D. Castillo, and R. Chellappa, “Deep learning for understanding faces: Machines may be just as good, or better, than humans,” IEEE Signal Processing Magazine, vol. 35, no. 1, pp. 66–83, 2018.
  • [52] A. Rattani, N. Reddy, and R. Derakhshani, “Multi-biometric convolutional neural networks for mobile user authentication,” in 2018 IEEE International Symposium on Technologies for Homeland Security (HST).   IEEE, 2018, pp. 1–6.
  • [53] A. B. Khalifa, S. Gazzah, and N. E. B. Amara, “Multimodal biometric authentication using choquet integral and genetic algorithm,” arXiv preprint arXiv:1804.00528, 2018.
  • [54] O. Alpar, “Frequency spectrograms for biometric keystroke authentication using neural network based classifier,” Knowledge-Based Systems, vol. 116, pp. 163–171, 2017.
  • [55] C. Ntantogian, S. Malliaros, and C. Xenakis, “Gaithashing: a two-factor authentication scheme based on gait features,” Computers & Security, vol. 52, pp. 17–32, 2015.
  • [56] H. Gamboa, A. Fred, and A. Jain, “Webbiometrics: User verification via web interaction,” in Proceedings of Biometrics Symposium, 2007, pp. 1–6.
  • [57] Y. Cai, H. Jiang, D. Chen, and M.-C. Huang, “Online learning classifier based behavioral biometric authentication,” in 2018 IEEE 15th International Conference on Wearable and Implantable Body Sensor Networks (BSN).   IEEE, March 2018, pp. 62–65.
  • [58] C. Feher, Y. Elovici, R. Moskovitch, L. Rokach, and A. Schclar, “User identity verification via mouse dynamics,” Information Sciences, vol. 201, pp. 19–36, 2012.
  • [59] A. A. Ahmed and I. Traore, “Biometric recognition based on free-text keystroke dynamics,” IEEE transactions on cybernetics, vol. 44, no. 4, pp. 458–472, 2014.
  • [60] Y. Sheng, V. V. Phoha, and S. M. Rovnyak, “A parallel decision tree-based method for user authentication based on keystroke patterns,” IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), vol. 35, no. 4, pp. 826–833, 2005.
  • [61] H. J. Patel, M. A. Temple, and R. O. Baldwin, “Improving zigbee device network authentication using ensemble decision tree classifiers with radio frequency distinct native attribute fingerprinting,” IEEE Transactions on Reliability, vol. 64, no. 1, pp. 221–233, 2015.
  • [62] A. Kumar, M. Hanmandlu, and H. Gupta, “Fuzzy binary decision tree for biometric based personal authentication,” Neurocomputing, vol. 99, pp. 87–97, 2013.
  • [63]

    Y. Nakkabi, I. Traoré, and A. A. E. Ahmed, “Improving mouse dynamics biometric performance using variance reduction via extractors with separate features,”

    IEEE Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans, vol. 40, no. 6, pp. 1345–1353, 2010.
  • [64] I. Traore, I. Woungang, M. S. Obaidat, Y. Nakkabi, and I. Lai, “Combining mouse and keystroke dynamics biometrics for risk-based authentication in web environments,” in Digital Home (ICDH), 2012 Fourth International Conference on.   IEEE, 2012, pp. 138–145.
  • [65] S. H. Khan, M. A. Akbar, F. Shahzad, M. Farooq, and Z. Khan, “Secure biometric template generation for multi-factor authentication,” Pattern Recognition, vol. 48, no. 2, pp. 458–472, 2015.
  • [66] W. Louis, M. Komeili, and D. Hatzinakos, “Continuous authentication using one-dimensional multi-resolution local binary patterns (1dmrlbp) in ecg biometrics,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 12, pp. 2818–2832, 2016.
  • [67] Y.-P. Liao and C.-M. Hsiao, “A novel multi-server remote user authentication scheme using self-certified public keys for mobile clients,” Futur. Gener. Comput. Syst., vol. 29, no. 3, pp. 886–900, mar 2013.
  • [68] M. Khamis, F. Alt, M. Hassib, E. von Zezschwitz, R. Hasholzner, and A. Bulling, “GazeTouchPass,” in Proc. 2016 CHI Conf. Ext. Abstr. Hum. Factors Comput. Syst. - CHI EA ’16.   New York, New York, USA: ACM Press, 2016, pp. 2156–2164.
  • [69] M. Khamis, R. Hasholzner, A. Bulling, and F. Alt, “GTmoPass,” in Proc. 6th ACM Int. Symp. Pervasive Displays - PerDis ’17.   New York, New York, USA: ACM Press, 2017, pp. 1–9.
  • [70] M. Khamis, M. Hassib, E. von Zezschwitz, A. Bulling, and F. Alt, “GazeTouchPIN: protecting sensitive data on mobile devices using secure multimodal authentication,” in Proc. 19th ACM Int. Conf. Multimodal Interact. - ICMI 2017.   New York, New York, USA: ACM Press, 2017, pp. 446–450.
  • [71] J. S. Arteaga-Falconi, H. Al Osman, and A. El Saddik, “ECG Authentication for Mobile Devices,” IEEE Trans. Instrum. Meas., vol. 65, no. 3, pp. 591–600, mar 2016.
  • [72] S. J. Kang, S. Y. Lee, H. I. Cho, and H. Park, “ECG Authentication System Design Based on Signal Analysis in Mobile and Wearable Devices,” IEEE Signal Process. Lett., vol. 23, no. 6, pp. 805–808, jun 2016.
  • [73] Z. Ali, M. S. Hossain, G. Muhammad, I. Ullah, H. Abachi, and A. Alamri, “Edge-centric multimodal authentication system using encrypted biometric templates,” Future Generation Computer Systems, vol. 85, pp. 76–87, 2018.
  • [74] T. Hoang, D. Choi, and T. Nguyen, “Gait authentication on mobile phone using biometric cryptosystem and fuzzy commitment scheme,” Int. J. Inf. Secur., vol. 14, no. 6, pp. 549–560, nov 2015.
  • [75] Y. Yang and J. Sun, “Energy-efficient W-layer for behavior-based implicit authentication on mobile devices,” in IEEE INFOCOM 2017 - IEEE Conf. Comput. Commun.   IEEE, may 2017, pp. 1–9.
  • [76] S.-s. Hwang, S. Cho, and S. Park, “Keystroke dynamics-based authentication for mobile devices,” Comput. Secur., vol. 28, no. 1-2, pp. 85–93, feb 2009.
  • [77] M. K. Khan, J. Zhang, and X. Wang, “Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices,” Chaos, Solitons & Fractals, vol. 35, no. 3, pp. 519–524, feb 2008.
  • [78] K. Xi, T. Ahmad, F. Han, and J. Hu, “A fingerprint based bio-cryptographic security protocol designed for client/server authentication in mobile computing environment,” Secur. Commun. Networks, vol. 4, no. 5, pp. 487–499, may 2011.
  • [79] C.-L. Chen, C.-C. Lee, and C.-Y. Hsu, “Mobile device integration of a fingerprint biometric remote authentication scheme,” Int. J. Commun. Syst., vol. 25, no. 5, pp. 585–597, may 2012.
  • [80] M. K. Khan, S. Kumari, and M. K. Gupta, “More efficient key-hash based fingerprint remote authentication scheme using mobile device,” Computing, vol. 96, no. 9, pp. 793–816, sep 2014.
  • [81] S. Ghosh, A. Majumder, J. Goswami, A. Kumar, S. P. Mohanty, and B. K. Bhattacharyya, “Swing-Pay: One Card Meets All User Payment and Identity Needs: A Digital Card Module using NFC and Biometric Authentication for Peer-to-Peer Payment,” IEEE Consum. Electron. Mag., vol. 6, no. 1, pp. 82–93, jan 2017.
  • [82] X. Li, J. Niu, S. Kumari, F. Wu, and K.-K. R. Choo, “A robust biometrics based three-factor authentication scheme for Global Mobility Networks in smart city,” Futur. Gener. Comput. Syst., vol. 83, pp. 607–618, jun 2018.
  • [83] C.-T. Li and M.-S. Hwang, “An efficient biometrics-based remote user authentication scheme using smart cards,” J. Netw. Comput. Appl., vol. 33, no. 1, pp. 1–5, jan 2010.
  • [84] D. He, M. Ma, Y. Zhang, C. Chen, and J. Bu, “A strong user authentication scheme with smart cards for wireless communications,” Comput. Commun., vol. 34, no. 3, pp. 367–374, mar 2011.
  • [85] Q. Feng, D. He, S. Zeadally, and H. Wang, “Anonymous biometrics-based authentication scheme with key distribution for mobile multi-server environment,” Futur. Gener. Comput. Syst., aug 2017.
  • [86] N. Sae-Bae, K. Ahmed, K. Isbister, and N. Memon, “Biometric-rich gestures,” in Proc. 2012 ACM Annu. Conf. Hum. Factors Comput. Syst. - CHI ’12.   New York, New York, USA: ACM Press, 2012, p. 977.
  • [87] J. Sun, R. Zhang, J. Zhang, and Y. Zhang, “TouchIn: Sightless two-factor authentication on multi-touch mobile devices,” in 2014 IEEE Conf. Commun. Netw. Secur.   IEEE, oct 2014, pp. 436–444.
  • [88] T.-Y. Chang, C.-J. Tsai, and J.-H. Lin, “A graphical-based password keystroke dynamic authentication system for touch screen handheld mobile devices,” J. Syst. Softw., vol. 85, no. 5, pp. 1157–1165, may 2012.
  • [89] M. De Marsico, C. Galdi, M. Nappi, and D. Riccio, “FIRME: Face and Iris Recognition for Mobile Engagement,” Image Vis. Comput., vol. 32, no. 12, pp. 1161–1172, dec 2014.
  • [90] E. Vazquez-Fernandez and D. Gonzalez-Jimenez, “Face recognition for authentication on mobile devices,” Image Vis. Comput., vol. 55, pp. 31–33, nov 2016.
  • [91] D. Gragnaniello, C. Sansone, and L. Verdoliva, “Iris liveness detection for mobile devices based on local descriptors,” Pattern Recognit. Lett., vol. 57, pp. 81–87, may 2015.
  • [92] C. Galdi, M. Nappi, and J.-L. Dugelay, “Multimodal authentication on smartphones: Combining iris and sensor recognition for a double check of user identity,” Pattern Recognit. Lett., vol. 82, pp. 144–153, oct 2016.
  • [93] C. Holz, S. Buthpitiya, and M. Knaust, “Bodyprint: Biometric user identification on mobile devices using the capacitive touchscreen to scan body part,” in Proc. 33rd Annu. ACM Conf. Hum. Factors Comput. Syst. - CHI ’15.   New York, New York, USA: ACM Press, 2015, pp. 3011–3014.
  • [94] K.-H. Yeh, C. Su, W. Chiu, and L. Zhou, “I Walk, Therefore I Am: Continuous User Authentication with Plantar Biometrics,” IEEE Commun. Mag., vol. 56, no. 2, pp. 150–157, feb 2018.
  • [95] P. Gupta and P. Gupta, “Multibiometric authentication system using slap fingerprints, palm dorsal vein, and hand geometry,” IEEE Transactions on Industrial Electronics, vol. 65, no. 12, pp. 9777–9784, 2018.
  • [96] N. Clarke and S. Furnell, “Advanced user authentication for mobile devices,” Comput. Secur., vol. 26, no. 2, pp. 109–119, mar 2007.
  • [97] N. L. Clarke and S. M. Furnell, “Authenticating mobile phone users using keystroke analysis,” Int. J. Inf. Secur., vol. 6, no. 1, pp. 1–14, dec 2006.
  • [98] D. Mishra, S. Kumari, M. K. Khan, and S. Mukhopadhyay, “An anonymous biometric-based remote user-authenticated key agreement scheme for multimedia systems,” Int. J. Commun. Syst., vol. 30, no. 1, p. e2946, jan 2017.
  • [99] X. Li, J. Niu, M. K. Khan, J. Liao, and X. Zhao, “Robust three-factor remote user authentication scheme with key agreement for multimedia systems,” Security and Communication Networks, vol. 9, no. 13, pp. 1916–1927, 2016.
  • [100] Hyun-A Park, Jong Wook Hong, Jae Hyun Park, J. Zhan, and Dong Hoon Lee, “Combined Authentication-Based Multilevel Access Control in Mobile Application for DailyLifeService,” IEEE Trans. Mob. Comput., vol. 9, no. 6, pp. 824–837, jun 2010.
  • [101] Y. Meng, D. S. Wong, R. Schlegel, and L.-f. Kwok, “Touch Gestures Based Biometric Authentication Scheme for Touchscreen Mobile Phones,” in Int. Conf. Inf. Secur. Cryptol.   Springer, Berlin, Heidelberg, 2013, pp. 331–350.
  • [102] T. Feng, Z. Liu, K.-A. Kwon, W. Shi, B. Carbunar, Y. Jiang, and N. Nguyen, “Continuous mobile authentication using touchscreen gestures,” in 2012 IEEE Conf. Technol. Homel. Secur.   IEEE, nov 2012, pp. 451–456.
  • [103] F. Lin, C. Song, Y. Zhuang, W. Xu, C. Li, and K. Ren, “Cardiac scan: A non-contact and continuous heart-based user authentication system,” in Proceedings of the 23rd Annual International Conference on Mobile Computing and Networking.   ACM, 2017, pp. 315–328.
  • [104] R. Liu, C. Cornelius, R. Rawassizadeh, R. Peterson, and D. Kotz, “Vocal resonance: Using internal body voice for wearable authentication,” Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, vol. 2, no. 1, p. 19, 2018.
  • [105] “Android malware defeats two-factor authentication,”, accessed: 2018-03-11.
  • [106] “Android banking trojan masquerades as flash player and bypasses 2fa,”, accessed: 2018-03-11.
  • [107] M. A. Ferrag, M. Derdour, M. Mukherjee, A. Derhab, L. Maglaras, and H. Janicke, “Blockchain technologies for the internet of things: Research issues and challenges,” IEEE Internet of Things Journal, 2018.
  • [108] L. Royakkers, J. Timmer, L. Kool, and R. van Est, “Societal and ethical issues of digitization,” Ethics and Information Technology, vol. 20, no. 2, pp. 127–142, 2018.
  • [109] A.-M. Oostveen, “Non-use of automated border control systems: identifying reasons and solutions,” in Proceedings of the 28th International BCS Human Computer Interaction Conference on HCI 2014-Sand, Sea and Sky-Holiday HCI.   BCS, 2014, pp. 228–233.
  • [110] N. Selwyn, “Apart from technology: understanding people’s non-use of information and communication technologies in everyday life,” Technology in society, vol. 25, no. 1, pp. 99–116, 2003.
  • [111] S. Spiekermann, “Ieee p7000 the first global standard process for addressing ethical concerns in system design,” Multidisciplinary Digital Publishing Institute Proceedings, vol. 1, no. 3, p. 159, 2017.