SpringerBriefs in Computer Science

Max Smith-Creasey

Continuous Biometric Authentication Systems: An Overview
SpringerBriefs in Computer Science
SpringerBriefs present concise summaries of cutting-edge research and practical
applications across a wide spectrum of fields. Featuring compact volumes of 50 to
125 pages, the series covers a range of content from professional to academic.

Typical topics might include:

• A timely report of state-of-the-art analytical techniques
• A bridge between new research results, as published in journal articles, and a
contextual literature review
• A snapshot of a hot or emerging topic
• An in-depth case study or clinical example
• A presentation of core concepts that students must understand in order to make
independent contributions
Briefs allow authors to present their ideas and readers to absorb them with
minimal time investment. Briefs will be published as part of Springer’s eBook
collection, with millions of users worldwide. In addition, Briefs will be available
for individual print and electronic purchase. Briefs are characterized by fast, global
electronic dissemination, standard publishing contracts, easy-to-use manuscript
preparation and formatting guidelines, and expedited production schedules. We
aim for publication 8–12 weeks after acceptance. Both solicited and unsolicited
manuscripts are considered for publication in this series.

Indexing: This series is indexed in Scopus, Ei-Compendex, and zbMATH


Max Smith-Creasey
England, United Kingdom

ISSN 2191-5768 ISSN 2191-5776 (electronic)
SpringerBriefs in Computer Science
ISBN 978-3-031-49070-5 ISBN 978-3-031-49071-2 (eBook)
https://doi.org/10.1007/978-3-031-49071-2

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2024


This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether
the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse
of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and
transmission or information storage and retrieval, electronic adaptation, computer software, or by similar
or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Paper in this product is recyclable.


About the Author

Max Smith-Creasey is a multidisciplinary data scientist and award-winning
researcher. He has worked to produce technological solutions in a variety of
domains, from computer security to insurance pricing. He has also conducted
research in both academia and industry, with a focus on authentication solutions.
Research he has conducted has resulted in publications in international conferences,
articles in leading journals, and patent applications. He has spoken at a variety
of technology events as a speaker and a panellist. He lives in the UK and enjoys
reading and travelling. His website is www.maxsmithcreasey.com.

Acknowledgements

This book would not have been possible without the support of many friends,
colleagues, and family. Thanks to Prof. M. Rajarajan for his mentorship into this
topic. Many thanks to my editor for her flexibility, and everyone else at Springer
that made this book possible. Thanks to the many colleagues and friends, of which
there are too many to name, for the stimulating discussions on this field. Thank
you to my family for providing the support, confidence, and proof-reading I have
needed to complete this project. Mostly, thank you to my wife for being so selflessly
supportive and effortlessly understanding during the completion of this book, and
for making copious amounts of tea. This book is dedicated to you and our son.

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Traditional Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 User Authentication Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Current Mechanisms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3.1 Knowledge-Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.3.2 Possession-Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.3.3 Biometric-Based . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.3.4 Multi-factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.3.5 Other . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4 User Perceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3 Continuous Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.2 Concept. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2.1 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.2.2 Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.3 User Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.3.1 Device Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3.2 Sensing Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.4 Datasets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.4.1 Data Acquisition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.4.2 Datasets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.5 User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.5.1 Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.5.2 Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49


3.5.3 Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.5.4 Biometric Fusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.6 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.6.1 Threshold Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.6.2 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
3.6.3 Decision. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.6.4 Assessment Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.7 User Perceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.8 Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.9 Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
4 Biometrics for Continuous Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.2 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
4.3 Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.4 Modalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
4.4.1 Physiological . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.4.2 Behavioural . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.5 Multibiometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5 Considerations and Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.2 Contextual Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.3 Bias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.4 Power Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.5 Attack Mitigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.6 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.7 Regulatory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.8 Drift . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
5.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.2 Further Reading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.3 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Chapter 1
Introduction

1.1 Introduction

User computing devices are more ubiquitous than ever, engulfing our lives in the
twenty-first century. Laptops allow us to access secure business networks, where
we can work with sensitive files and documents. Tablet devices can be used to pay
the bills, watch movies, read the news, and store many types of personal media.
Smartwatches give users the capability of storing health data and receiving calls,
messages, and potentially private notifications. Smartphones are usually carried with
us to allow quick access to a variety of applications such as messages, banking,
maps, web browsing, social media, and more. Every day we carry these (and other)
devices around with us, many of which hold many times the amount of processing
power that was available on 16 July 1969 to take mankind to the Moon [6].
These kinds of user devices have significant market penetration. The smartphone
is a prime example: it is considered the most important device for Internet
access by a majority of UK users, with users numbering an estimated 53.58
million in 2021 (and 99% adoption in the 16–34 year-old demographic) [4]. This
is likely due to the increasing capabilities accessible via such user devices. This
increase in device use corresponds to the increase in average time spent online,
which was recorded in the years 2017, 2018, 2019, and 2020 as 2 hours 57 minutes,
3 hours 10 minutes, 3 hours 28 minutes, and 3 hours 37 minutes, respectively [5]. One
possible explanation for our obsession with some of these devices is that they offer
short-timescale reward cycles, which learning and behaviour research shows motivates
engagement [3]. In fact, a study in the UK found that 52% of users would rather use
their device than simply sit and think [2].
The increase in user device adoption and use has led to these devices becoming
an almost indispensable part of all aspects of our lives. Even when not around these
devices, some users experience phantom vibrations in their pocket as if their phone
had vibrated [1]. However, to fulfil the potential that a user device may offer, it
is usually necessary to store personal and private information on, or accessible via,
the device. This information might include messages, photos, social media accounts,
purchases, and financial data. If obtained by imposters this type of information
might be used for malicious purposes, such as blackmail or identity fraud. The
risk goes beyond the individual if the device also stores information private to an
organisation, business, or government entity (such as intellectual property or state
secrets).
These risks require that users of devices that might store personal or private data
and functionalities are authenticated. This enables the device to verify if the user
is who they claim. Traditionally, these mechanisms have been implemented (and
largely still are) as knowledge-based authentication techniques (such as passwords).
Such mechanisms have some well-known flaws, not least the way users often
select simple passwords that they reuse on multiple systems. Recently, however,
sensors on some modern devices have allowed authentication via biometrics (such
as fingerprints). Though this does address some issues with knowledge-based
authentication, biometric systems have also seen emerging threats such as spoof
attacks.
Furthermore, the mechanisms used to authenticate devices today are often
only implemented at the point-of-entry and are, therefore, known as one-shot
authentication techniques. This means that there are no additional attempts to
authenticate after the initial authentication so long as the device remains in use
(otherwise it may auto lock after a time period). The consequence of this is that an
attacker with access to an unlocked device can begin using it and have access to files
and functionalities of the genuine user. Most traditional authentication mechanisms
are also limited in that they only use one form of authentication (e.g., a single
biometric). Using only one form of authentication weakens the security of the
device as attackers need to only bypass one mechanism. Using only one form of
authentication also comes with usability limitations such as optimum environmental
conditions for facial recognition.
The traditional forms of authentication might also be seen as inconvenient. The
requirement by some systems to input a form of knowledge takes time, effort,
and memorisation (although minimal) from the user. Similarly, systems employing
biometric authentication might require a user to place a biometric onto a sensor (e.g.,
a fingerprint scanner). When one considers the plethora of devices and services
a user might have to use daily, it is clear that authentication can become an
inconvenience (which can result in users disabling authentication altogether).
The concept of continuous biometric authentication systems1 has seen considerable
research interest in the last decade. These systems collect and authenticate
user biometrics during normal device usage, offering security beyond the point-of-
entry. This increases security in that impostors can be identified in near real-time.
The ability some of these systems have shown to utilise multiple biometric traits also
heightens security (as attackers would have to spoof multiple traits). The usability is
also increased through these systems because biometrics are collected transparently,
requiring no explicit user authentication. This usability is reflected in studies
in which users claimed they would use such systems. Research into continuous
biometric authentication systems has been driven by recent advancements in device
sensors, machine learning, and computational power. However we authenticate in
the future, it is likely that these systems will play an important role.

1 Commonly referred to simply as continuous authentication, as is done in this book, but not to be
confused with systems performing non-biometric machine-to-machine continuous authentication.
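The one-shot versus continuous behaviour described in the two passages above (an unlocked device staying open to whoever holds it until an idle timeout, versus transparent re-verification that flags an impostor in near real-time) as an added simulation; this is not code from the book, and the session trace, match scores, idle timeout, exponential-moving-average trust model and thresholds are all constructed assumptions for illustration.

```python
"""Added illustration: one-shot (point-of-entry) authentication versus continuous
biometric authentication over a single device session.

Everything here is constructed for the example: the interaction trace, the
match scores, the idle timeout, the trust model and the thresholds."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interaction:
    t: float      # seconds since the point-of-entry login
    actor: str    # ground truth for the simulation only; the device never sees it
    score: float  # match score of the transparently captured biometric sample, 0..1


# Constructed session trace: the genuine user works for about a minute, walks
# away, and an impostor picks up the still-unlocked device 20 s later.
SESSION: List[Interaction] = [
    Interaction(0.0, "genuine", 0.91),
    Interaction(12.0, "genuine", 0.87),
    Interaction(25.0, "genuine", 0.94),
    Interaction(41.0, "genuine", 0.72),   # a noisy but genuine sample
    Interaction(58.0, "genuine", 0.89),
    Interaction(78.0, "impostor", 0.44),
    Interaction(83.0, "impostor", 0.38),
    Interaction(90.0, "impostor", 0.52),
    Interaction(97.0, "impostor", 0.35),
    Interaction(110.0, "impostor", 0.41),
]


def one_shot_lock_time(session: List[Interaction], idle_timeout: float) -> Optional[float]:
    """Point-of-entry model: the user authenticated once at t=0, after which the
    device only locks when nobody has touched it for `idle_timeout` seconds.
    Returns the lock time, or None if the device stays unlocked for the whole trace."""
    last_touch = 0.0
    for ev in session:
        if ev.t - last_touch > idle_timeout:
            return last_touch + idle_timeout  # locked before this interaction happened
        last_touch = ev.t  # activity from *anyone* keeps the session alive
    return None


def trust_trace(session: List[Interaction], alpha: float = 0.5) -> List[float]:
    """Continuous model: fold each interaction's biometric score into a running
    trust level with an exponential moving average. This is an assumed, simple
    scheme; the book's later chapters cover fusion, threshold selection and decision."""
    trust, out = 1.0, []
    for ev in session:
        trust = alpha * ev.score + (1.0 - alpha) * trust
        out.append(trust)
    return out


def continuous_lock_time(session: List[Interaction], threshold: float,
                         alpha: float = 0.5) -> Optional[float]:
    """Lock as soon as running trust drops below `threshold`; None if it never does."""
    for ev, trust in zip(session, trust_trace(session, alpha)):
        if trust < threshold:
            return ev.t
    return None


def detection_latency(session: List[Interaction], lock_time: Optional[float]) -> Optional[float]:
    """Seconds from the impostor's first interaction to the lock. None means the
    impostor was never locked out (either no lock at all, or a lock that happened
    before the impostor arrived, i.e. a false rejection of the genuine user)."""
    first_impostor = next((ev.t for ev in session if ev.actor == "impostor"), None)
    if first_impostor is None or lock_time is None or lock_time < first_impostor:
        return None
    return lock_time - first_impostor


def genuine_lockouts(session: List[Interaction], threshold: float, alpha: float = 0.5) -> int:
    """Number of genuine interactions at which the continuous model would have
    locked the device: the usability cost of a stricter threshold."""
    return sum(1 for ev, trust in zip(session, trust_trace(session, alpha))
               if ev.actor == "genuine" and trust < threshold)


if __name__ == "__main__":
    for timeout in (15.0, 120.0):
        lock = one_shot_lock_time(SESSION, timeout)
        print(f"one-shot, idle timeout {timeout:>5.0f}s: lock at {lock}, "
              f"impostor detected after {detection_latency(SESSION, lock)}s")
    for thr in (0.6, 0.7, 0.85):
        lock = continuous_lock_time(SESSION, thr)
        print(f"continuous, threshold {thr}: lock at {lock}, "
              f"impostor detected after {detection_latency(SESSION, lock)}s, "
              f"genuine lockouts {genuine_lockouts(SESSION, thr)}")
```

With a long idle timeout the one-shot device never locks on the impostor, while a short timeout locks the genuine user out at 40 s before the impostor even arrives; the continuous model catches the impostor within one or two interactions at a threshold of 0.6 or 0.7, and raising it to 0.85 starts rejecting the genuine user's own noisy sample.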
This book aims to bring together a wide variety of related literature to provide an
overview of these continuous biometric authentication systems. The reader should
come away with an understanding of the weaknesses of traditional authentication
techniques and the benefits continuous authentication may provide. The reader
will learn how these systems are designed, constructed, and evaluated. This book
is suitable for researchers that wish to obtain an overview of the field, lecturers
teaching any of the concepts covered, students that are studying the topics presented,
software developers that are looking at implementing a continuous authentication
system, security experts that require a knowledge of current trends, and, finally, the
general reader that has an interest in cyber security.

1.2 Outline

This book begins with an insight into traditional authentication mechanisms. Then
the concept, architecture, and evaluation paradigms for continuous authentication
systems are discussed. Next, a summary of biometrics utilised within such systems
is provided. The considerations one must keep in mind when constructing this type
of system are then discussed. The book then concludes with a summary of the
contents. The outline of the remainder of this book is, therefore, as follows:
Chapter 2 This chapter explores traditional user authentication. First, the three
main ways to authenticate a user (namely something-you-know, something-you-
have, and something-you-are) are introduced. These areas are then explored in detail
with examples of the authentication mechanisms within each as well as a critical
exploration of the limitations of each. The user perceptions of these authentication
techniques are also discussed. Lastly, a summary and key takeaways are provided.
Chapter 3 This chapter introduces and describes continuous biometric authenti-
cation systems. The chapter first gives an insight into the motivations behind such
systems. The concept is then defined and the key system components are described.
The devices and the sensors that facilitate such systems are discussed. The datasets,
user profile creation, and evaluation methodologies are then presented. The threats
to such systems and the perceptions users have about them are then described.
Finally, the chapter concludes by presenting a summary of the findings.
Chapter 4 In this chapter the biometrics that have been used to perform continuous
authentication are detailed. First, the requirements for the selection of optimal
biometrics are described. The different functionalities biometrics may be used for
are then compared. The different physiological and behavioural biometrics are then
described with reference to state-of-the-art systems employing them. Then systems
employing multibiometric techniques and the benefits of such systems are evaluated.
The key points of the chapter are then summarised to conclude the chapter.
Chapter 5 This chapter describes some practical considerations that one must
consider when designing a continuous authentication system. One consideration
discussed is the benefit of contextually aware systems. Next, power usage consid-
erations are described. Then, attack mitigation considerations and techniques are
described. Some relevant privacy considerations and methods are then presented.
The regulatory considerations (such as some legal requirements) are also discussed.
The chapter concludes by summarising the discussed considerations.
Chapter 6 This is the final chapter and concludes the book. First, the motivations
for continuous authentication techniques are summarised. The main insights from
the previous chapters and the relevance they have to continuous authentication going
forward are discussed. Lastly, some final thoughts on continuous authentication as
a future authentication technology are provided.

References

1. Deb, A.: Phantom vibration and phantom ringing among mobile phone users: a systematic
review of literature. Asia-Pacif. Psychiat. 7(3), 231–239 (2015)
2. Downtime? Half of UK smartphone owners prefer to check their devices.
https://www.marketingcharts.com/digital-37529. Accessed 09 Jan 2023
3. Gazzaley, A., Rosen, L.: The Distracted Mind: Ancient Brains in a High-Tech World. MIT
Press, Cambridge (2016)
4. O’Dea, S.: Smartphones in the United Kingdom: statistics & facts. Statista.
https://www.statista.com/topics/4606/uk-smartphone-market/#topicHeader__wrapper
5. Ofcom: Online nation.
https://www.ofcom.org.uk/__data/assets/pdf_file/0013/220414/online-nation-2021-report.pdf
6. Wen, C.: Chapter 8: Telemedicine, eHealth and remote care systems. In: de Fátima Marin, H.,
Massad, E., Gutierrez, M.A., Rodrigues, R.J., Sigulem, D. (eds.) Global Health Informatics, pp.
168–194. Academic, Cambridge (2017)
Chapter 2
Traditional Authentication

2.1 Introduction

Many users do not select optimally secure authentication options. There are
many cases of reused passwords (or some variation of the password), prioritising
convenience over security. Other users may select a PIN based on a date that an
attacker could easily find out (such as a date of birth). However, this may be
because some of the current authentication mechanisms are too cumbersome and
inconvenient for many users and it leaves them selecting weaker authentication
solutions. Partially, this is due to the shift in how we use technology. Before the
days of smartphones, a session with a computing device may last well over an hour.
Now, sessions can last seconds and are also more frequent. Some of the methods
traditionally used to authenticate users lack user convenience for this new way that
we use technology.
The way we authenticate ourselves on our devices has followed a similar
paradigm for decades; a genuine user presents a piece of information to a computer
system (some knowledge, a possession, or a biometric) that only they should be able
to provide. In traditional and current computer systems, the authentication process
is then complete and no subsequent authentication procedure takes place during
the session. If a genuine user logs into their laptop and leaves it, an attacker could
(before the system locks due to a timeout) interact with the system. Even the recent
authentication technologies (such as biometric solutions) follow this traditional
approach.
Whilst continuous biometric authentication schemes offer a plethora of benefits
they are not yet mainstream authentication solutions. Currently, many devices (such
as smartphones and laptops) still rely on more traditional authentication techniques
such as passwords and one-shot biometrics to provide access. The aim of this
chapter is to explore the primary authentication solutions that are currently used
to authenticate users and identify the limitations of these solutions.


2.2 User Authentication Systems

Throughout history humans have found ingenious methods of authenticating each
other. Some of these methods include a shared secret (such as a spoken password),
observable traits of an individual (such as their face or voice), or an object indicative
of identity. Many of these historical methods of human-to-human authentication
now form the basis of computer authentication techniques today (e.g., the computer
password). In computing, authentication is commonly defined as the process that is
performed to verify the identity of a user, device, or other entity in a system [65].
It should be noted that this is different to authorisation, which is the process of
verifying if an authenticated entity is authorised to access data or functionalities.
The authentication process is traditionally carried out at the point-of-entry (PoE) to a
system as a prerequisite to accessing resources or functionality of (or via) that system.
Authentication can occur between two computer systems (known as machine-to-
machine authentication) or between a human and a system (known as human-by-
machine authentication) [65]. Of course, the focus of this work is on the latter type
of authentication which is known better as user authentication. User authentication
is concerned with obtaining and verifying evidence that the identity of the human
accessing a computer system is permitted to do so. The evidence provided for user
authentication (such as a password or fingerprint) is known as an authenticator.

2.3 Current Mechanisms

Authentication is commonplace today. Whether a user is accessing a work laptop
or their smartphone, there will often be an authentication mechanism to which they
must provide evidence of their claimed identity. These mechanisms are implemented
in a variety of ways. These are commonly defined as belonging to one of three
different categories (sometimes called authentication factors [45]):
• Something you have: This is also known as token- or possession-based
authentication. This type of authentication relies on some physical object that is in the
possession of the user, such as a smartcard.
• Something you know: This is also known as knowledge-based authentication.
This relies on some secret knowledge that the genuine user has and can present
to a system to prove their claimed identity, such as a password.
• Something you are: This is also known as biometric authentication. This relies
on the physiological (e.g., their face) or behavioural (e.g., their gait) traits
of a user. Today most systems utilise physiological traits such as faces and
fingerprints.
These authentication factors can be used in conjunction to form two- or three-
factor authentication mechanisms (e.g., requiring a smartcard (a token) and a PIN
(some secret knowledge)) [45]. Each authentication factor (and the mechanisms
within it) has advantages and disadvantages. The American computer scientist
Simson Garfinkel alluded to the disadvantages with each of these categories when he
referred to them as ‘something you had once, something you’ve forgotten, or some-
thing you once were’ [4]. The following sections will describe the authentication
factors, the mechanisms currently used within them, and some limitations.

2.3.1 Knowledge-Based

In the tale Ali Baba and the Forty Thieves, Ali Baba overhears a group of thieves
saying the magic words ‘open sesame’ to gain access to a cave filled with stolen
treasure. Cassim, Ali Baba’s brother, later uses the same words to access the cave
himself, intending to take as much treasure as he can, but ends up trapped when he
cannot remember the words to get out. This use of secret knowledge to authenticate
individuals and the risk that the knowledge is found by impostors or forgotten by
users mirrors the way in which knowledge-based authentication is used today.
Knowledge-based authentication has been prominent in computing since the
1960s when the Compatible Time Sharing System (CTSS) at MIT authenticated
users via passwords [101]. These techniques rely on secret knowledge that is known
by the user and also known by (or can be derived by) a computer system. During
the authentication process the user must provide evidence that they know this piece
of knowledge. This process is often initiated at the point-of-entry to a system or
resource where users will be required to manually input evidence that they know the
secret knowledge. In recent years the form of this secret knowledge has primarily
been a password, personal identification number (PIN), or graphical pattern.
Despite the age of knowledge-based authentication, the mechanisms remain one
of the most prevalent methods of user authentication today. This is likely due to the
ease of implementation; these mechanisms usually require no customised sensors or
hardware [22] (as is often required for biometrics and tokens). This also means these
mechanisms can often be implemented cross-device because they share common
input hardware (e.g., a keyboard). Processing is often minimal because only a 1:1
comparison of the knowledge provided and the knowledge stored is required.
The strength of knowledge-based authentication systems is derived from the
difficulty of an attacker to obtain, guess, or compute a user’s secret knowledge. The
theoretical strength of a knowledge-based authentication solution can be measured
via the entropy (a measure of uncertainty in bits) of the knowledge space. The entropy
is computed for secret knowledge as $H = \log_2(K)$, where $K$ is the number of all
permutations of secret knowledge in the system [18]. As an example, 4- and 6-
digit PINs will have entropies of $\log_2(10^4) \approx 13.3$ bits and $\log_2(10^6) \approx 19.9$ bits,
respectively. As entropy increases the knowledge space approaches the ‘exponential
wall’, a point at which the exponential increase of the attempts required to crack the
secret knowledge by brute force becomes infeasible for modern computing [37].
Modern systems implementing knowledge-based authentication solutions commonly
enforce rules on the secret knowledge to prevent weak and guessable choices.
These rules may prohibit known words in passwords, a minimum number of steps
in a graphical pattern, or common numbers such as dates in PINs. Users are also
discouraged from using the same or similar secret knowledge in different systems
in case of one being compromised. Other systems may require that the secret
knowledge is changed periodically such that any compromised password quickly
becomes obsolete before an attacker has a chance to crack or use it (though there is
evidence that this might in fact lead to less secure passwords being used).
However, whilst the aforementioned methods are designed to maintain strong
secret knowledge, they often have deleterious effects on usability. This is because
the requirements of security and usability are often in conflict in knowledge-based
authentication schemes [53]. The most secure forms of secret knowledge are long,
random and make use of the maximum entropy, but this type of information without
meaning is difficult for users to memorise. Such stringent requirements can leave
users compromising security for convenience. It is common for users to base their
chosen knowledge on notoriously weak but memorable traits (often relating to their
personal lives) and reuse that knowledge for a variety of systems. This can lead
to a non-uniform knowledge selection, resulting in a smaller distribution of secret
knowledge and a smaller practical entropy than the maximum entropy [51].
Two other common attacks against knowledge-based authentication systems are
capture attacks (in which an attacker attempts to capture the secret knowledge) and
guessing attacks (in which an attacker attempts to guess the secret knowledge, e.g.,
via brute force) [51]. Capture attacks may rely on keyloggers, shoulder surfing, or
social engineering. Social engineering relies on manipulating users into helping the
attacker (as American technologist Bruce Schneier has noted, ‘only amateurs attack
machines; professionals target people’ [77]). Conversely, guessing attacks involve
an attacker guessing the password using techniques such as brute force or dictionary
attacks. These attacks may be considered online at the point-of-entry or offline with
a cryptographic hash database of the secret knowledge [51].
Knowledge-based authentication systems are not weak by nature of them using
secret knowledge (e.g., the basis of encryption relies on secret knowledge in the
form of cryptographic keys). Instead, the primary weakness comes from the way
that secret knowledge is chosen, input, and managed by users. For such reasons it
has been said that the human is the weakest link in the security chain [76]. The
following sections will discuss and explore the limitations of some of the most
prevalent knowledge-based authentication mechanisms, namely PINs, passwords,
and patterns.

2.3.1.1 PINs

The PIN (Personal Identification Number), also known as a numeric password [53]
or passcode, is a string of numeric digits, such as ‘1234’, that is a piece of secret
knowledge known by the genuine user to verify their identity. One of the earliest
uses of PINs was in 1967, where they were deployed in British cash machines
(originally requiring a 6-digit PIN and only changing to a 4-digit PIN when a lead
engineer’s wife forgot her 6-digit PIN) [13]. Since then, PINs have been used to
authenticate users on a wide variety of user devices for access to many different
services. This is most likely due to their simplicity to implement; requiring no
specialist sensing technologies or algorithms (unlike, for example, biometrics) [53].
PINs are also quicker than some other knowledge-based authentication techniques,
such as passwords, to input [58].
In 2011, Daniel Amitay, a software engineer based in the USA, released a dataset
comprising a total of 204,508 user PINs that were used in an application he created
for Apple iPhone devices.1 This dataset has been analysed by security researchers
to give insights into how users select PINs. The most used PIN was ‘1234’ and it
accounted for 4.3% of all PINs [53], meaning that there is approximately a 1 in 23
chance that guessing this PIN would provide an attacker access. In total the ten most
commonly used PINs made up 15% of all PINs used. The frequency of numbers
used within PINs also lacks uniformity; the top three numbers used in a PIN were
‘1’, ‘2’, and ‘0’ and the three least used were ‘8’, ‘6’, and ‘7’ [53]. Such information
can be beneficial to attackers seeking to guess PINs.
When selecting a PIN it is important to the user that it is memorable [53].
However, the less random the PIN, the greater the potential for an attacker to guess
it. In [13] it was shown that (in banking) of the 23% of users that based their PIN on a
date, 29% used their birth date (risky when 99% of the users carried documents with
their birth date), 26% the birth date of a partner or family, and 25% an important
event date. Similarly, in a survey carried out on PIN selection behaviour in [48]
it was found that 26% of users selected a birth date or some other important date
and 22% used a year of birth or memorable event, whereas only 11% used a random
number as their PIN. The trend of users selecting dates was also found in [53], where
the 50 PINs that represent the years from 1951 to 2000 made up about 5.5% of
the total PINs and those likely to have been derived from a date were over 10.0%.
One of the problems with using a PIN chosen by the user for authentication is that
it has been shown that users regularly choose PINs that are weak. One of the ways
systems attempt to stop users selecting guessable PINs is by utilising blacklists.
Blacklists are a database of PINs that are commonly used or often guessed and, as
such, not allowed for use as they are deemed as weak by the system. Interestingly,
an increase in PIN security was even found when a placebo blacklist was used
which automatically denied the PIN first chosen, forcing users to rethink their initial
PIN and use a PIN they believed was of greater strength [62]. However, when it
was shown in [53] that 39.5% of the participants had to change their 4-digit PINs,
because they were on a blacklist of the 200 most popular PINs, about 26% of users
felt the new PIN was more difficult to remember. Many modern systems implement
blacklists, including Apple iOS devices. Some blacklists for iOS devices that have
been examined in a recent study [62] have been published online.2

1 http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes.
2 https://this-pin-can-be-easily-guessed.github.io.
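The entropy measure from Sect. 2.3.1 and the PIN blacklist and date rules discussed above, worked through as an added example (not code from the book): it contrasts the maximum entropy $\log_2(K)$ with the practical (Shannon) entropy and the min-entropy of a skewed PIN distribution, and applies a simple defender-side policy check. The PIN counts, the blacklist and the policy function are constructed for illustration and are not the Amitay dataset or any real blacklist.

```python
"""Maximum versus practical entropy of a PIN space, plus a policy check.
All PIN counts below are constructed for illustration (not the Amitay dataset)."""
import math
from collections import Counter
from typing import Dict, List, Set


def max_entropy_bits(alphabet_size: int, length: int) -> float:
    """Theoretical entropy H = log2(K) with K = alphabet_size ** length choices."""
    return math.log2(alphabet_size ** length)


def shannon_entropy_bits(counts: Dict[str, int]) -> float:
    """Practical entropy of how users actually chose PINs: -sum(p * log2 p)."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def min_entropy_bits(counts: Dict[str, int]) -> float:
    """Worst case for a one-guess attacker: -log2 of the most popular PIN's share."""
    total = sum(counts.values())
    return -math.log2(max(counts.values()) / total)


def top_k_coverage(counts: Dict[str, int], k: int) -> float:
    """Fraction of accounts opened by trying only the k most popular PINs."""
    total = sum(counts.values())
    return sum(c for _, c in Counter(counts).most_common(k)) / total


def pin_policy_violations(pin: str, blacklist: Set[str]) -> List[str]:
    """Hypothetical enrolment-time checks: blacklist, year-like and date-like PINs."""
    reasons: List[str] = []
    if not (pin.isdigit() and len(pin) >= 4):
        return ["must be at least 4 digits"]
    if pin in blacklist:
        reasons.append("on blacklist of popular PINs")
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        reasons.append("looks like a year")
    a, b = int(pin[:2]), int(pin[2:4])  # first four digits read as MMDD or DDMM
    if (1 <= a <= 12 and 1 <= b <= 31) or (1 <= b <= 12 and 1 <= a <= 31):
        reasons.append("looks like a date (MMDD or DDMM)")
    return reasons


# Constructed sample of 1,000 PIN choices: a skewed head of ten popular PINs
# (92 choices in total) plus 908 distinct tail PINs chosen once each.
SAMPLE_PIN_COUNTS: Dict[str, int] = {
    "1234": 43, "1111": 12, "0000": 9, "1212": 6, "7777": 5,
    "1004": 4, "2000": 4, "4444": 3, "2222": 3, "6969": 3,
}
SAMPLE_PIN_COUNTS.update({f"{i:04d}": 1 for i in range(3000, 3908)})
# Constructed blacklist: the ten most popular PINs of the sample.
BLACKLIST: Set[str] = {p for p, _ in Counter(SAMPLE_PIN_COUNTS).most_common(10)}

if __name__ == "__main__":
    print(f"4-digit max entropy: {max_entropy_bits(10, 4):.1f} bits")
    print(f"6-digit max entropy: {max_entropy_bits(10, 6):.1f} bits")
    print(f"practical entropy of sample: {shannon_entropy_bits(SAMPLE_PIN_COUNTS):.2f} bits")
    print(f"min-entropy of sample: {min_entropy_bits(SAMPLE_PIN_COUNTS):.2f} bits")
    print(f"top-10 PINs cover {top_k_coverage(SAMPLE_PIN_COUNTS, 10):.1%} of accounts")
    for pin in ("1234", "1951", "0704", "8361"):
        print(pin, pin_policy_violations(pin, BLACKLIST) or "accepted")
```

The gap between the 13.3-bit maximum and the sample's practical entropy is exactly the "smaller practical entropy" the chapter describes; min-entropy is the figure to quote when the threat is an attacker with a handful of online guesses.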