Smartphones are the most popular and widespread personal devices. Apart from their conventional use, that is, calling and texting, they have also been used to perform multiple security sensitive activities, such as online banking and shopping, social networking, taking pictures, and e-mailing. On a positive side, smartphones have improved the quality of life by providing multiple services that users desire, for example, anytime-anywhere computing. However, on the other side, they also pose security and privacy threats to the users’ stored data. User authentication is the first line of defense to prevent unauthorized access to the smartphone. Several authentication schemes have been proposed over the years; however, their presentation might be perplexing to the new researchers to this domain, under the shade of several buzzwords, for example, active, continuous, implicit, static, and transparent, being introduced in academic papers without comprehensive description. Moreover, most of the reported authentication solutions were evaluated mainly in terms of accuracy, overlooking a very important aspect—the usability. This paper surveys various types and ways of authentication, designed and developed primarily to secure the access to smartphones and attempts to clarify correlated buzzwords, with the motivation to assist new researchers in understanding the gist behind those concepts. We also present the assessment of existing user authentication schemes exhibiting their security and usability issues.

1. Introduction

The birth of smartphones can be traced back to 1973, when Motorola launched their first phone—the Dynatac 8000X [1]. In the last 40 years, mobile device manufacturers have invested heavily in the innovation of mobile phones, transforming a device invented merely for calling and short text messaging into the personal, portable and powerful device of nowadays, equipped with many advanced software and hardware features.

Smartphones, undoubtedly, bring rich digital experiences to the users by offering personalized services, for example, chatting, e-mailing, GPS-navigation, net banking, online shopping, social networking, and video conferencing. Most of these services collect and store a large amount of the user’s personal data on the device; thus, any unauthorized access to the user’s data could have unfavorable consequences. Hence, it becomes extremely important to prevent any unauthorized access to the smartphone. Typically, access to modern smartphones is secured by enabling different authentication solutions, such as PINs/passwords, face recognition, and fingerprint.

By and large multiple terminologies in the field of authentication are being used by researchers not always with clear definitions, which is obviously disconcerting for students and new researchers. Triandopoulos et al. [2] described one-time authentication as “one-time passcodes” or “one-time password” (OTP) as the second authentication factor, although OTP is a more widely accepted term. Crouse et al. [3] described continuous authentication as a periodical composition of one-shot authentication. However, Feng et al. [4] mentioned periodic authentication as equivalent to automatic logouts due to user’s inactivity. Patel et al. [5] considered continuous authentication and active authentication systems as the same. Similarly, Dutt et al. [6] suggested the use of transparent modalities in conjunction with explicit authentication methods, such as passwords, PINs, or secret patterns for authenticating users, whereas the study by De Luca et al. [7] considered the use of a transparent modality with or without other schemes and termed it implicit authentication. That modality could be used as standalone or to complement the explicit authentication schemes to enhance their usability [8, 9]. More specifically the concept of transparent authentication is explained as implicitly fingerprinting the user’s device interaction logs to authenticate the user [10].

Causey [11] considered risk-based authentication similar to an adaptive authentication scheme. Traore et al. [12] described risk-based authentication on the basis of contextual and historical information, extracted from their activities, to build users’ risk profiles, for making later the authentication and authorization decisions. Ayed [13] patented the idea for adaptive authentication in mobile phones by specifying that adaptive authentication uses different authentication methods and different data protection methods depending on the user’s location, availability of the network, and the importance of the data. It is pretty much evident from the above discussion that these definitions are correlated, but there is need to relate them to each other by trying to provide consistent definitions for all these terms.

We start this paper by explaining the prevalent ways to authenticate humans along with different types of authentication mechanisms, in the context of smartphones. Then, we try to homogenize different terminologies used in the context of user authentication with the vision that it will benefit the new researchers in understanding existing approaches. Our contribution can help new researchers to get acquainted with different user authentication concepts along with the assessment of their solutions on the basis of modalities, usability, and security.

The rest of work is organized as follows: Section 2 presents the different ways and types of authentication mechanisms. Ways refer to the common factors used to authenticate humans, while types refer to different authentication mechanisms, for example, one-shot, multifactor, continuous, and multimodal, utilizing these factors. Also, we discuss design goals for usable authentication systems and usability evaluation methods. Section 3 surveys the different state-of-the-art solutions proposed over the years for user authentication on smartphones. The related work on the ways and types of user authentication concepts available for smartphones is evaluated on the basis of their usability and security. Finally, Section 4 concludes the paper.

2. Comprehensive Study

In this section, we explain the ways to authenticate the users and the types of authentication mechanisms developed using them, in the context of smartphones.

2.1. Ways to Authenticate Users

The ways in which humans can be authenticated are broadly categorized in three categories [14], that is, “Something you know,” “Something you have,” and “Something you are,” as depicted in Figure 1.

2.1.1. Something You Know

Knowledge-based authentication (KBA) schemes, that is, PINs (Figure 2(a)), graphical passwords (Figure 2(b)), and password (Figure 2(c)), are the most widely used schemes on the smartphones. KBA is based on some sort of a secret knowledge that user sets up earlier during the enrollment and needs to remember as long as he or she continues using the scheme.

2.1.2. Something You Have

This mechanism is also referred as token-based authentication. Many service providers and financial institutions are offering sensitive services, such as net banking, e-wallet, and e-commerce, adopting 2-factor authentication, that is, one-time passcodes (OTPs) along with usual username/password for authentication purpose. Service providers usually supply a small security device to each of their users for generating the one-time passcodes.

OTP schemes can be easily implemented on smartphones (Figure 3(a)) which could be sent either via SMS on the registered number or user could generate this OTP offline (Figure 3(b)) on the mobile apps provided by service providers. Additionally, wearable devices (Figure 3(c)) could be used for receiving the OTPs via SMS.

2.1.3. Something You Are

This authentication mechanism relies on the measurement of biometric characteristics of users and is further classified as physiological and behavioral biometrics. Figure 4 illustrates the commonly available authentication ways for smartphone users under this category.

On smartphones, physical traits, that is, ear and face, can be collected using the built-in hardware, that is, camera; however, fingerprint and iris recognition require additional dedicated hardware. Similarly, behavioral biometric modalities, such as gait, grip, swipe, pickup, touch, and voice, can be profiled unobtrusively, using various built-in sensors [15], namely, accelerometer, gyroscope, magnetometer, proximity sensor, touch screens, and microphone. Touch-based solutions authenticate users based on their unique interactions with the device, while they perform a specific task. Additionally, behavioral biometric-based authentication is cost-effective; they generally do not require any special hardware and are considered lightweight in implementation [8].

2.2. Types of Authentication Mechanisms

Researchers have been investigating the utilization of different ways, that is, PIN, passwords, OTP, face, touch, and so on, to design and develop the different types of authentication solutions. These types are briefly explained below:

2.2.1. One-Shot Authentication

One-shot authentication is a type of authentication mechanism in which users’ credentials are verified at the beginning of the session [1618]. This is simply a process where a user claims his or her identity by providing the correct credentials or fulfilling the challenges in order to gain the access to a device. For example, PINs, passwords, graphical patterns, fingerprints, face, and iris are some of the commonly used modalities on the smartphones, for authenticating users. If the verification is successful (e.g., right password is entered), the access is granted; otherwise, the access is denied. Session remains valid until the user signs off or closes the session.

2.2.2. Periodic Authentication

Periodic authentication is simply the variant of “one-shot authentication” in which idle timeout duration is set, for closing the session, automatically [4, 19]. If a user remains inactive for more than the idle timeout duration, the device locks itself.

2.2.3. Single Sign-On (SSO) Authentication

Single sign-on (SSO) is a long-term or persistent authentication type in which a user remains signed on till the time he or she revokes or terminates the session. In case, if the system observes any discrepancy with respect to fix set of attributes, for example, change in location, network connection, and anomaly in usage pattern, the session is terminated or the user is asked for reauthentication [2022]. VMware identity manager provides APIs to implement mobile sign-on authentication for airwatch-managed Android devices [23]. Similarly, Google offers G Suite apps for single sign-on for Android devices which can be done by pairing smartphones with smartwatches [24].

2.2.4. Multifactor Authentication

Multifactor authentication utilizes the concept of combining 2 or more authentication ways, that is, e-mail verification, OTP via SMS, phone call to the predefined numbers, push notification to the paired device, smart tokens, and so on, along with the usual method of authentication [2527]. A very common practice is registering ones mobile number with service providers, and whenever the corresponding user accesses that service for sensitive operation, for example, online banking, service provider sends the one-time passcodes (OTPs) via SMS, getting assured that a legitimate user has requested access to that service.

2.2.5. Static and Dynamic Authentication

The static authentication mechanism presents the fixed set of challenges to the users, whereas dynamic authentication mechanism capitalizes the concept in which diverse set of prestored challenges are presented every time users unlock their smartphones [28, 29].

2.2.6. Continuous Authentication

As the name implies, continuous authentication mechanisms are developed to authenticate a legitimate owner throughout their entire session. If any anomaly is detected by the device, the access to the device is stopped, immediately, and the device asks for explicit reauthentication [4, 29, 30]. In other words, the users are passively and periodically monitored throughout their interactive session with any device or system [5]. This concept seems to promise higher security as compared to the other authentication mechanisms, such as one-shot authentication, one-time authentication, and periodic authentication, but at the same time much more complex to implement. Additionally, it is desirable that a continuous authentication system should not interrupt the user’s normal activity and be lightweight, that is, on battery consumption.

2.2.7. Transparent Authentication

This concept stresses more on the procedure of collecting and analyzing user authentication identifiers [4, 10]. More specifically, if the system performs authentication steps in background (without requiring explicitly user cooperation) [10, 31], they are termed as implicit, transparent, or unobtrusive authentication systems. However, various authentication types (one-shot, risk-based, or continuous) could collect input transparently.

2.2.8. Risk-Based Authentication

Risk-based authentication schemes are mostly based on nonstatic authentication decision engine, where the decision to accept or reject authentication is based on a risk score computed in real-time, which is compared with the stored risk profiles of the users, and then the system challenges the users for authentication [32], accordingly. For instance, if a user is checking a bank account balance from a verified secure location (home or workplace), verification of identity should not be required. While in case of nonverified location, for example, the service requires additional evidence about the identity of the user thus asking for the authentication credentials. Nowadays, risk-based authentication schemes tend to offer frictionless authentication providing user experience, that could be tailored as per threats observed by the service providers [11, 12, 33, 34].

2.2.9. Adaptive Authentication

Adaptive user authentication boasts the concept having ability to change and to prepare for different conditions and situations, while securing any unauthorized access [13, 35, 36]. It entails for multifactor user authentication mechanisms which should be readily configurable and deployable.

2.2.10. Unimodal and Multimodal Authentication

This term is typically used for biometric authentication schemes. The literal meaning of modality (https://dictionary.cambridge.org/dictionary/english/modality) is a particular way of doing or experiencing something. This concept is based on the number of modalities or traits being used in the authentication systems [3739]. Unimodal authentication systems leverage only a single biometric modality or trait, whereas multimodal systems are developed by combining two or more modalities. Multimodal authentication systems demonstrate several advantages, such as higher recognition rate, accuracy, and universality [39].

2.3. Usable Authentication System Design Goals

Usability along with security plays a pivotal role in evaluating user authentication schemes. This leads to an important question—how to trade-off between security and usability [40]? We present the guidelines described by Yee for usable security designs [41]. Yee’s work focused on addressing valid and nontrivial concerns specific to usable security. We explain below the design goals from usability perspective as suggested in [41]:(i)Appropriate boundaries: this goal is based on the principle of boundaries [42]. In order to distinguish among objects and actions along the boundaries, which are relevant to users, system should expose the boundaries and must acknowledge the users. For example, in the context of mobile devices, popular Operating Systems (OS), such as Android (Ver. 6 onwards) and iOS, allow users to grant permissions to the applications and services accessing resources while installing them. Here, the object could be assumed as the apps or services for the devices and actions could be defined as the indicators that the apps or services demand from users to serve them and to use the system’s resources. However, boundaries are the thin line that defines the users’ decisions affecting the security of system due to human factors.(ii)Path of least resistance: choosing the most natural method in granting the authority is the most secure way.(iii)Explicit authorization: any authorization to other actors must only be granted in accordance with user actions which should be well understood by a user while acknowledging the consent.(iv)Visibility: a user should be aware of others’ active authority affecting any security-relevant decisions.(v)Revocability: a user should be able to revoke others’ authority to access the system.(vi)Self-awareness: maintain accurate awareness of the user’s own authority to control the system.(vii)Trusted path: protect the user’s channels to any entity that manipulate authority on the user’s behalf.(viii)Identifiability: any specific objects and specific actions must be clearly identifiable and apparent to the user.(ix)Expressiveness: enable the user to express safe security policies in terms that fit the user’s goals.(x)Clarity: notify the consequences of any security-relevant decisions precisely that the user is most likely to perform.

2.4. Usability Evaluation

System usability scale (SUS) questionnaire [43] is utilized to gather subjective assessments about the usability of the proposed systems [8]. The questionnaire consists of 10 questions or statements. The response to each question/statement is measured on a 5-point scale ranging from “strongly disagree” to “strongly agree.” The final SUS score ranges between 0 and 100, where a higher value indicates a more usable system. The system usability scale (SUS) template for questionnaire and scoring is available online [44].

3. Literature Review and Analysis

In this section, we review the recent literature emphasizing on the types of authentication mechanisms and the ways on which they are developed and analyze them from security and usability point of view. More specifically, we present the assessment of commonly used user authentication mechanisms on smartphones, focusing on the security and usability issues.

3.1. Ways of Authentication

The usability of authentication mechanisms is one of the dominant attributes that influence users’ acceptance of a particular authentication scheme [45]. The ISO standard:13407 defines usability as “the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction, in a specified context of use” [46]. Further, the study [47] suggests that the usability can be done on the basis of three criteria: task performance, user satisfaction, and user cost.

Conventional authentication schemes, that is, PIN, passwords, and graphical patterns, are no more considered secure and convenient [48] because they are not able to distinguish between the users, rather they authorize everyone (regardless of whether that person is the legitimate owner of the device or not) who enter the correct credentials. Physiological biometric-based solutions are considered more secure because it is assumed that human body traits cannot be shared, copied, lost or stolen. Moreover, they genuinely authenticate their users by forcing them to present themselves physically to the system. However, they are less preferable on smartphones due to their inherent usability issues [49]. As such, security experts are focusing on developing the usable authentication systems because they believe that behavioral biometrics will restructure the authentication landscape in the next 5–8 years [50].

In each subsections, we have included tables presenting the synopsis of each authentication ways being used as different authentication types along with the references that either indicating usability pros and cons or reporting security solutions and concerns.

3.1.1. Something You Know

As per the web report [51], average smartphone users get themselves engaged in 76 separate phone sessions, while heavy users (the top 10%) peaked to 132 sessions per day. PIN/passwords, and graphical patterns, require users to memorize their text, they had set earlier, to unlock their devices, every time they need to initiate the session (76 times a day). The capacity of the human brain to process the information varies from person to person [52]. Zhang et al. [53] found that users faced problems in remembering their passwords and more especially, to memorize and correctly recall numerous passwords. This encouraged users going for an easy or simple password which is quick to remember [54], but this opens plenty of opportunities for attackers to guess or crack their passwords, easily [55]. When the system enforces stringent password policies, users due to memorability issues [56], allow their browsers or password managers to save their username/password information to make future logins easier. However, users trusting their browsers or password managers are more likely to be a victim of a wide variety of attacks [57, 58]. Overall, 82% of end users are frustrated with managing passwords [59]. Clearly, this indicates the lack of usability, and a result, nearly, 75 million smartphones users in the US do not use any of PIN, pattern, or passwords because they consider them annoying and an obstacle in quick access to their smartphones [60].

From security perspective, PINs and passwords are vulnerable to various attacks, for example, guessing [61], because users choose date of births [57], easier digits (1111, 2222, etc.,) [62] to set up their PIN. Alternatively, Android users (40% of them) prefer graphical patterns for device unlocking. But this approach too requires users to remember them; hence users choose simple and less secure patterns, that is, if a user connects at least four dots without repeating any of them in their patterns, the maximum number of combinations are 389,112 which could be easily cracked by brute force [63]. Ye at al. [64] managed to crack 95% of 120 unique patterns collected from 215 independent users within just five attempts by recording their smartphone screen, remotely, while they were unlocking their devices. In addition, these schemes are more vulnerable to shoulder surfing than textual passwords [65].

Knowledge-based authentication schemes are generally used as one-shot, static, or unimodal authentication types (refer Table 1) due to usability issues they are prone to several attacks, such as smudge attacks [66], shoulder surfing or observation attacks [61, 67], dictionary-based attacks, or rainbow table password attacks [68]. Recently, Mehrnezhad et al. [69] demonstrated the recovery of entered PIN or password from the sensory data collected, while the users were entering their secrets. They installed PINlogger.js—a JavaScript-based side-channel attack, capable of recording motion and orientation sensor streams without requiring any user permission from the user. The attack resulted in 94% accuracy in recovering the correct PIN number in just three rounds of tries. Similarly, Sarkisyan et al. [70] demonstrated an approach to exploit smartwatch motion sensors to recover the entered PINs. They infested smartwatches with malware to get access to the smartwatch motion sensors and inferred user activities and PINs. In a controlled scenario, authors obtained PIN numbers within 5 guesses with an accuracy of at least 41% using random forest classifier over a dataset of 21 users.

3.1.2. Something You Have

As defined in Section 2.1.2, smartphones are being utilized for authentication purposes in several sensitive operations by the means of OTP via SMS, offline OTP using Apps, or pairing the wearable devices, for example, smartwatches, smartglasses, and smartcards. However, this idea of enhancing security with multifactor authentication, that is, topping knowledge-based authentication with token-based authentication (one-time passcode), eventually perishes too due to side-channel attacks, for example, MITM (man-in-the-middle) and MITPC/Phone (man-in-the-PC/phone) [73]. Software-based OTP solutions also do not guarantee the confidentiality of the generated passwords or the seeds as the mobile OS could be compromised, at the same time, could also suffer from denial-of-service attacks on the account of mobile OS crashes [74].

The adversaries by the means of real-time phishing or intercept attacks could reveal the users’ secret information and valid OTP by breaking into their smartphones [75]. As per the Verizon Data Breach Investigations Report [76], NIST stopped recommending the users for two-factor authentication via SMS, as malicious code infesting mobile endpoints could surreptitiously capture second factors delivered by SMS or offline OTP generated using apps. Secure device pairing schemes allow access to the smartphones by pairing it with a trusted Bluetooth device like a smartwatch and use the same to unlock the phone. This concept from the usability point of view is a very elegant solution but not safe from insider attacks or sniffing attacks [77, 78].

Token-based authentication (TBA) schemes are used in multifactor, adaptive, dynamic, and risk-based authentication types (Table 2). Unfortunately, they could not add too much to the usability because the users are required to manage always an additional hardware for the sole purpose of authentication. As a result, Braz and Robert [40] gave usability rating 3 (out of 5) to one-time generator acquisition devices. Additionally, Belk mentioned that token-based authentication mechanism incurred more cost to users and are comparatively slower [79]. According to a study by Zink and Waldvogel [82], 83.3% users considered that SMS-based transaction authentication number is not a usable solution. Another in-depth usability study by Krol et al. [81] evaluated 2-factor authentication on 21 online banking customers (16 among 21 were having multiple accounts with more than one bank). Total 90 separate login sessions of all the participants were collected meticulously, over the period of 11 days. Their analysis showed approximately 13.3% faced problems due to mistyped credentials, misplaced token, forgotten credentials and so on.

3.1.3. Something You Have: Insertable Biometrics

Insertable biometrics [8385] (Table 3) including implantable medical devices (IMDs) [86] and emerging technologies such as Bespoke devices [87, 88], neodymium magnets [89], NFC or RFID chips [90, 91], smart piercings [92, 93], and smart tattoos [93] are the newer addition to biometrics that potentially can be used to provide increased usability over the existing solutions [94]. Researches are exploring the further possibilities of insertable biometrics as go-to solution for improving digital security and usability in smartphones.

3.1.4. Something You Are: Physiological Biometrics

Mobile device manufacturers have started embedding biometric sensors in their flagship smartphones for reliable and convenient user authentication with the intuition that biometric approaches are better than their conventional authentication schemes. For example, Apple, Huawei, Lenovo (Motorola), Microsoft (Nokia), Samsung, and many other leading manufacturers have integrated fingerprint sensors, iris scanners, and face recognition algorithms, in some of their high-end devices. These advancements are akin to replacing a hay castle with a glass house to ward off attacks from sophisticated cyber pirates.

Physiological biometrics, for example, face, fingerprint, iris, and eyes, are commonly used as one-shot or multifactor/multimodel (combining with other modalities) authentication schemes for smartphones (Table 4). Unexpectedly, biometric systems have shown to be exposed to different types of attacks, for example, impersonation, replay, spoofing, and hill climbing [95], exposing their security loopholes. These schemes suffer from their data leakage; that is, a user’s face can be easily found on social media websites, or his or her fingerprints can be extracted from the photos from their gestures, to mount a presentation attack [96] against them. Additionally, these solutions also suffer from lack of secrecy [97] and vulnerability to various spoofing attacks [98].

Recent research has shown that these schemes can be hacked very easily with almost negligible investment and efforts. For example, iPhone X face ID was hacked with 3D-printed mask costing just $150 approximately [100], while Samsung S8 facial recognition technology [99] was simply fooled with a photo of the owner. Similarly, German Chaos Computer Club cracked the Samsung Galaxy S8 iris scanner [102] with a dummy eye made from pictures of the iris, taken by a digital camera in a night mode, and covered it with a contact lens to match the curvature of the eye, within a month of S8 launch. The same club earlier cracked the iPhone 5S fingerprint sensor protection within two days after the device went on sale worldwide [103]. Their hacking team photographed the glass surface containing the fingerprint of a user and created a “fake fingerprint” using a thin film to unlock the phone. Japan’s National Institute of Informatics (NII) researcher Isao Echizen [104] demonstrated that fingerprints can easily be recreated from photos, taken just from three meters distance, without the use of any sophisticated process and warned casually making a peace sign in front of a camera, which could lead to fingerprint theft.

From the usability perspective, smartphone users have not shown optimistic inclination to physiological biometric-based authentication schemes. For example, De Luca et al. [49] determined smartphone users felt like as if they are taking selfies all day to authenticate themselves. Additionally, the performance of these schemes is affected by several exogenous factors, such as accessories, camera movement, capturing distance, clothing, illumination, interoperability of the sensors, noise, occlusion, operators, postures, and training, which makes the authentication process more challenging and less usable to the user [106109].

3.1.5. Something You Are: Behavioral Biometrics

Behavioral biometrics [111] is described as the future of user authentication. Thus, the focus of the research has been shifted to develop newer behavioral biometric-based solutions. For example, applications like e-wallet, m-commerce, and mobile banking are some of the sensitive domains, where behavioral biometric-based solutions have shown to be handy in authenticating the customers on their smartphones.

Although the behavioral modalities are not considered to be unique enough for identification purposes, they have proved to be sufficiently unique for user authentication [112, 113]. One or more modalities can be combined to increase their accuracy and enhance their usability. These schemes could be stitched to the existing user authentication mechanisms as an additional transparent authentication layer [8, 9, 114] enhancing the reliability of whole authentication process without affecting the usability. Behavioral biometric techniques could be deployed as adaptive, continuous, multimodal, risk-based, transparent authentication (Table 5).

Gait recognition is a process of identifying or verifying individuals on the basis of their walking style. In clinical applications, human gait was already getting utilized for the studies related to the health of a person, and nearly 25 key patterns from gait were detected using different techniques like image processing, floor sensors, and sensors placed on the body [118]. Recently, smartphones and wearable devices have also started utilizing it for authentication purposes [128]. As users are not required to perform any explicit interaction with their devices, gait modality can be collected unobtrusively, and this leads to making it convenient for a user-friendly access system [116]. Muaaz and Mayrhofer [116] evaluated the security strength of a smartphone-based gait recognition system against zero-effort and live-minimal-effort impersonation attacks under realistic scenarios and achieved an equal error rate (EER) of 13% on a dataset of 35 participants. However, more testing is required to check the robustness against impersonation attacks. Hestbek et al. [117] introduced a method using wearable sensors and noncyclic feature extraction and achieved 18.92% half total error rate (HTER) on a dataset of 36 users. Similarly, the grip is another natural way to authenticate users. It is robust too as the finger movements and pressure applied while gripping the mobile device are visibly unseen and difficult to be replicated or imitated by the impostor. Murao et al. [124] proposed a grip-based authentication solution, which profiles grip gestures using pressure sensors mounted on the lateral and back sides of a smartphone and achieved a 2% ERR, which is equivalent to face recognition-based authentication.

Keystroke or touch dynamics refers to the typing characteristics (due to the timing differences) of individuals to fingerprint their identity. Researchers have proved its effectiveness in both fixed text and text independent scenarios. Since designing such systems does not require any additional dedicated hardware and data can be collected, unobtrusively, they have been widely tested and evaluated [9, 114]. Zheng et al. [115] proposed authentication mechanism based on tapping; they collected tapping data from over 80 users; and their system achieved high accuracy with averaged 3.65% EER. Another bimodal authentication scheme developed using client-server architecture for online financial environments achieved 96% true acceptance rate (TAR) and 0.01% false acceptance rate (FAR) using 15 training samples on a dataset of 95 users [9]. This scheme used motion-based touch-types biometrics, that is, touch typing and phone movements by users and collected data, transparently, while users entering their credentials to sign in to their banking apps using 8-digit PIN/password [9], while the “touchstroke” scheme used 4-digit PIN/password [114]. Buriro et al. [8], proposed, implemented, and evaluated the “Hold and Sign” scheme on commercially available smartphones and achieved 95% TAR on a dataset of 30 volunteers. This was a bimodal behavioral biometric based on user’s smartphone holding style, by examining the hand and finger micromovements of users, while the users were signing on device’s touchscreen. In an another approach, Buriro et al. [113] proposed multimodal behavioral biometrics (swipe, pickup movement, and voice) for user authentication on smartphones and reported 7.57% HTER in an experiment involving 26 participants.

Brunet et al. [123] experimented on voice modality for user authentication on a public database (Sphinx Database of the Carnegie Mellon University [129]). They digitized the user’s voice and extracted Mel Frequency Cepstral Coefficients (MFCCs) features and computed the Euclidean distance to authenticate the user and reported an EER of 4.52%. Behavior profiling techniques were based on the applications, and the services utilized in past for generating a user profile and compared it against the current activity of a user in real-time [5]. If any significant variation is observed, the system could take action for a possible intrusion. Sultana et al. [119] combined social behavioral information of individuals that was extracted from the online social networks to fuse with traditional face and ear biometrics, to enhance the performance of the traditional biometric systems.

Studies suggest that no single biometric trait can ideally fit all the scenarios; however, by trying multimodal biometric approaches, most of the limitation of unimodal systems can be addressed [121, 122, 125]. The selection of proper modalities and combining them, systematically, most of the times increase the accuracy, usability, and security. In a study conducted by Saevanee et al. [126], the unimodal systems, namely, behavior profiling, keystroke dynamics, and linguistic profiling, were proved less accurate; they yielded an EER of 20%, 20%, and 22%, respectively. However, by applying matching-level fusion, the error rate was decreased, significantly (EER 8%). Additionally, the use of users’ transparent characteristics for data collection and classification also increases the usability of the system. Thus, in order to furnish users with an adequate security, a better usability is also required to design the authentication solutions for smartphones.

3.2. Authentication Types
3.2.1. One-Shot Authentication

One-shot authentication schemes are designed to authenticate a user at the initiation of a session (subject’s identity is verified only once, just before allowing access to the resources) [16, 18]. Roth et al. [18] also discussed the limitations of one-shot authentication, such as short sensing time, inability to rectify decisions, and enabling the access for potentially unlimited periods of time. Meng et al. [17] introduced the term one-off authentication for one-shot authentication. They also concluded that authenticating just once leaves the possibilities for impostors to gain the access to the current session and retrieve sensitive information from mobile phones.

3.2.2. Periodic Authentication

Bertino et al. [19] defined periodic authorization with a mathematical expression “{[begin, end], P, auth}” holding of 3 prime attributes, where “begin” is authorization start date, “end” is either the constant , or a deauthorization date after the start date, “P” is the duration of a session, and “auth” is an authorization function. Feng et al. [4] determined that periodic authentication or automatic logouts are more detrimental while one-shot authentication solutions are prone to a wide variety of attacks. Typing an error-free username and/or password on smartphone’s keyboard is really a tedious task, especially when an average user initiates 76 phone sessions a day [51]. Single sign-on (SSO) has been seen as the solution to the problem.

3.2.3. Single Sign-On

Single sign-on (SSO) enables users to sign in to an app using a single or federated identity, for example, Facebook, Twitter, and Google+. But this concept is severely risky for mobile devices as they are more likely to be misplaced or could be inadvertently shared with someone. In an SSO system, the user is authenticated to a single identity provider (IDP) which acts as a trusted party between the user and multiple service providers (SPs), and on the demand of the user, IDP generates an authentication token for a specific SP asserting the users’ identity; in turn, SP allows the user to access the services [20]. Users can access different applications using SSO, once they are authenticated to the system. SSO is further divided into two categories, that is, Enterprise Single Sign-ON (ESSO) and Reduced Sign-ON (RSSO) [21]. ESSO enables a user to enter the same id and password to sign into multiple applications within an enterprise domain. The system is considered the least secure because there could be potential curious adversary which can try to spoof and consequently resulting in an identity theft. Therefore, it is also known as RSSO.

3.2.4. Multifactor Authentication

Security experts also suggest the use of multifactor authentication by processing multiple factors, simultaneously, for the verification purposes [27]. In multifactor authentication, generally, a PIN or password is the baseline authentication standard, while more factors can be augmented from a wide variety of available sources to verify users (Figure 5). It could be observed in Figure 5 that as the number of factors increases, the level of authentication also increases. For an instance, if only PIN is used, the authentication level is minimum, but when other factors like tokens and fingerprints are added, the authentication level tends to increase proportionally.

The most common authentication mechanism is the secondary code that can be delivered either via SMS to the registered mobile number or can be obtained directly from a secure authenticator mobile app. Other forms of multifactor authentication involve the use of a smart card or smart token entitled to the user, biometrics like the face or fingerprint scans, or a dedicated code generator linked to user’s account [25]. This concept is mainly influenced by the notions that not all the authentication factors could be hacked at the same time. Stanislav [26] in his paper explained various technical methods by which two-factor authentication can be implemented.

3.2.5. Static versus Dynamic Authentication

Static authentication process, like other authentication types, mainly consists of three steps: enrollment, presentation, and evaluation as illustrated in Figure 6, and the outcome of the evaluation is a binary decision [29]. In the enrollment step, system generates a feature template by processing the information gathered from the user, profiles the feature vectors with the label of the user, and saves it for the evaluation or matching. During the presentation step, system asks the user to confirm his or her credentials. In the final step, that is, evaluation, information given by the user is compared with the stored templates of the claimed identity. Conclusively, the access is granted or denied as per the match result.

Static authentication verifies the individual’s identity only at the start of a session like one-shot authentication does, whereas in dynamic authentication the user is presented with a varying set of challenges to enable the dynamic scaling of access controls. Ren and Wu [28] explained dynamic authentication as a scheme that utilizes one-time password derived from the user’s password, the authenticating time, and a unique attribute only known to the user.

3.2.6. Continuous Authentication

Continuous authentication is a mechanism to repeatedly verify the identity of a user for the entire duration of an authorized session as illustrated in Figure 7 [29]. More specifically a continuous authentication is an approach that constantly verifies a user’s identity and locks the system once the change in users’ identity is observed [29]. Continuous authentication process dynamically iterates in between the three steps involved (Figure 6) throughout the session. However, these iterations can be event-based or can be adjusted at fix intervals (periodically) or randomly [29]. A continuous authentication is an approach that constantly verifies a user’s identity and locks the system once the change in user identity is observed. Thus, overcoming the limitations of one-shot authentication, where authentication happens only at the time of login, and any future changes in user identity go undetected [130]. Behavioral biometric-based continuous authentication solutions have shown to be more attractive to the researchers of the domain because these behavioral modalities can be collected and utilized, unobtrusively, for authentication purposes [30].

However, continuous authentication, active authentication, implicit authentication, and transparent authentication have been interchangeably used in many papers [10, 120, 131, 132]. Patel et al. [5] considered continuous authentication and active authentication systems as similar and explained it as continuous monitoring of the user activities after the initial access to the mobile device. Active authentication, as defined by Stolerman et al. [132], is the process of continuously verifying users based on their on-going interaction with the device. The Defense Advanced Research Projects Agency (DARPA) started Active Authentication program [133] in order to seek solutions by shifting the focus during authentication from the password to people themselves. The first phase of their Active Authentication program focused on the behavioral traits, that is, cognitive fingerprint, which could be processed without the need for additional sensors.

According to Fridman et al. [134], active authentication is the problem of continuously verifying the identity of an individual. They conducted an experiment using Android mobile devices and collected several biometric modalities, namely, text entered via soft keyboard, applications used, websites visited, physical location of the device as determined from GPS (when outdoors) or WiFi (when indoors), and stylometry, of 200 volunteers approximately for a period of at least 30 days. Their authentication system achieved an ERR of 0.05 (5%) after 1 minute of user interaction with the device, and an EER of 0.01 (1%) after 30 minutes in identifying a legitimate user. In another stylometric-based continuous authentication, an EER of 12.42% for message blocks of 500 characters is achieved using support vector machine (SVM) for classification [135]. However, stylometry-based authentication schemes must improve the accuracy, delays, and forgery.

Khan et al. [120] mentioned that implicit authentication employs behavioral biometrics in a continuous and transparent manner to recognize and validate smartphone users’ identity and conducted a field study on implicit authentication usability and security perceptions with 37 participants. Their experiment indicated that 91% of participants found implicit authentication to be convenient and 81% perceived defined the protection level to be satisfactory.

3.2.7. Transparent Authentication

Transparent authentication [10] was suggested as an alternative authentication mechanism with minimal or no noticeable involvement of users. Transparent authentication implicitly authenticates the users on the basis of their unique interactions with the device and creates a logic for authentication decisions. Feng et al. [4] utilized the term transparent and continuous for their Finger-gestures Authentication System using Touchscreen (FAST) to protect the mobile system. The approach transparently captures the touch data without intervening to user’s normal user-device interactions. After the user’s login, FAST continues to authenticate the mobile user in the background using intercepted touch data from their normal user-smartphone interactions.

3.2.8. Risk-Based Authentication

ClearLogin [136] defines risk-based user authentication as a method which adapts authentication levels based on the apparent risks, to mitigate the potential intrusion, before they happen. Existing risk-based user authentication schemes generate a risk profile to determine the complexity of challenge to authenticate a user during a session, that is, higher-risk profiles lead to stronger authentication, whereas usual authentication scheme should be sufficient in normal scenarios [137]. Identity Automation [138] considers risk-based user authentication similar to adaptive authentication because they adapt to the stringency of authentication processes based on the likelihood that access to a given system could result in its compromise.

Earlier risk-based user authentication mechanisms were mainly based on contextual or historical user information or both [139]. Furthermore, these systems use ad hoc or simplistic risk management models based on some rule-based techniques, which are proved to be ineffective due to human factors [140]. However, nowadays as NuData Security [34] mentioned risk-based authentication schemes are getting fueled by behavior piercing technology that gives maximum security with minimal interruption to the user experience. Risk-based user authentication can be applied from two different perspectives: proactive or re-active [12]. When applied proactively, risk-based authentication actively anticipates the genesis of potential attacks, failures, or any kind of security issues and takes prompt action. In contrast, re-active risk-based authentication accepts some of the risks until the risk score goes beyond the permissible threshold level, and consequently, reauthentication is required.

3.2.9. Adaptive Authentication

Adaptive authentication [141] is a way by which two- or multifactor authentication can be configured and deployed by doing risk assessment. Thus, it is a method for selecting the appropriate authentication factors accustomed to the situation accordingly to the user risk profile and tendencies. It can be deployed as follows:(i)By setting static policies based on risk levels for different factors, such as user role, resource importance, location, time of day, or day of the week(ii)By learning day-to-day activities of users based on their habits to generate dynamic policies(iii)Lastly, by combing of both static and dynamic policies

Hulsebosch et al. [35] exploited the ability to sense and use context information to augment or replace the traditional static security measures by making them more adaptable to a given context and thereby less intrusive to derive context sensitive adaptive authentication. RSA Risk Engine [36] used self-learning risk model and adapts itself on the basis of received feedback. The feedback loop includes case resolution and genuine or failed authentication results as well as chargeback files for adaptive authentication for e-commerce (Figure 8).

3.2.10. Unimodal and Multimodal Authentication Systems

Unimodal authentication systems use single modality for establishing user identity, whereas multimodal authentication systems include multiple modalities (sources of information) [39]. Unimodal and multimodal terms are more associated with biometric systems where person recognition is based on distinctive personal traits or characteristics [37]. Unimodal physiological biometric based on face, fingerprint, and iris are already deployed on the smartphones; however, multimodal systems are yet to be deployed. Behavioral biometric-based solutions based on touch-stroke dynamics, voice, gait, and so on have been widely tested and evaluated by researchers; however, their deployment to the smartphones is still awaited.

Jain et al. [38] showed that multimodal biometric systems driven by multiple biometric sources perform, generally, better recognition performance as compared to unimodal systems. As per the type of multiple modalities being used, multimodal biometric systems can be further divided into three categories: (1) multiphysiological, (2) multibehavioral, and (3) hybrid multimodal systems [142]. The multiphysiological category includes multimodal biometric systems, where only physiological traits, such as face, fingerprint, and iris, are fused at different levels, whereas the multibehavioral system combines data from keyboard, mouse, and graphical user interface interactions. Hybrid multimodal system [143] fused face, ear, and signature with social network analysis at the decision level to enhance the biometric recognition performance.

Researchers have been actively working on combining different modalities to develop multimodal solutions; however, these systems have yet to appear on the real products.

4. Conclusion

In this paper, we presented the gist of ways and types of user authentication concepts in the context of smartphones. We surveyed the different state-of-the-art solutions proposed over the years and attempted to homogenize correlated buzzwords used in this field, with the motivation to assist new researchers in understanding these concepts. Then, we evaluated the related work on the ways and types of user authentication mechanisms available for smartphones, on the basis of their usability and security. Also, we discussed design goals for usable authentication systems and usability evaluation methods.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie grant agreement no. 675320.