Authentication and Authorization for Mobile IoT Devices using Bio-features: Recent Advances and Future Trends

Bio-features are fast becoming a key tool to authenticate IoT devices. In this sense, the purpose of this investigation is to summarize the factors that hinder the development and large-scale deployment of biometric models, covering human physiological features (e.g., face, eyes, fingerprints-palm, or electrocardiogram) and behavioral features (e.g., signature, voice, gait, or keystroke). The different machine learning and data mining methods used by authentication and authorization schemes for mobile IoT devices are presented. Threat models and countermeasures used by biometrics-based authentication schemes for mobile IoT devices are also presented. More specifically, we analyze the state of the art of the existing biometric-based authentication schemes for IoT devices. Based on the current taxonomy, we conclude our paper with different types of challenges for future research efforts in biometrics-based authentication schemes for IoT devices.


I. INTRODUCTION
Biometric identification enables end-users to use physical attributes instead of passwords or PINs as a secure method of accessing a system or a database. Biometric technology is based on the concept of replacing 'one thing you have with you' with 'who you are', which has been seen as a safer technology to preserve personal information. The possibilities of applying biometric identification are really enormous.
Biometric identification is applied nowadays in sectors where security is a top priority, like airports, and could be used as a means to control border crossing at sea, land and air frontiers [1]. Especially for the air traffic area, where the number of flights will increase by 40 % before 2013, the authentication of mobile IoT devices will be achieved when the bio-feature models become sufficiently mature, efficient and resistant to IoT attacks.
Another area where biometric identification methods are starting to be adopted is electronic IDs. Biometric identification cards such as the Estonian and Belgian national ID
• We classify the related surveys according to several criteria, including deployment scope, focus biometric area, threat models, countermeasures, and ML/DM algorithms.
• We present the machine learning and data mining methods used by authentication and authorization schemes for mobile IoT devices, including unsupervised, semi-supervised, and supervised approaches.
• We present all the bio-features used by authentication and authorization schemes for mobile IoT devices.
• We provide a comprehensive analysis and qualitative comparison of the existing authentication and authorization schemes for mobile IoT devices.
• We emphasize the challenges and open issues of authentication and authorization schemes for mobile IoT devices.
The rest of this paper is organized as follows. Section II gives the related surveys on biometric authentication. In Section III, we present the different machine learning and data mining algorithms used by authentication and authorization schemes for mobile IoT devices. In Section IV, we provide the new trends of biometric technologies, including human physiological features (e.g., face, eyes, fingerprints-palm, and electrocardiogram) and behavioral features (e.g., signature, voice, gait, or keystroke). In Section V, we clearly highlight the pros and cons of the existing authentication and authorization schemes for mobile IoT devices. Then, we discuss the challenges and suggest future research directions in Sections VI and VII. Lastly, Section VIII presents conclusions.

II. RELATED SURVEYS ON BIOMETRIC AUTHENTICATION
In the literature, there are different related surveys that deal with user authentication. Although some of them covered different authentication methods [20], [21], [22], we only consider those that were fully dedicated to biometric authentication. We classify the surveys according to the following criteria:
• Deployment scope: It indicates whether the authentication scheme is deployed on mobile devices or not.
• Focus biometric area: It indicates whether the survey focused on all or specific biometric features.
• Threat models: It indicates whether the survey considered the threats against the authentication schemes.
• Countermeasures: It indicates whether the survey considered the countermeasures to defend the authentication schemes.
• Machine learning (ML) and data mining (DM) algorithms: It indicates whether the survey mentions, for each solution, the machine learning or data mining method used.
Some surveys described authentication schemes that only consider specific bio-features. For instance, the surveys [7], [8], [9], [11], [10] only focused on keystroke dynamics. On the other hand, Gafurov [4] presented biometric gait recognition systems. Revett et al. [5] surveyed biometric authentication systems that rely on mouse movements. Yampolskiy and Govindaraju [6] presented a comprehensive study on behavioral biometrics. Mahadi et al. [15] surveyed behavioral-based biometric user authentication, and determined the set of best classifiers for behavioral-based biometric authentication. Sundararajan and Woodard [16] surveyed different approaches that leveraged deep learning and various biometric modalities to identify users. Teh et al. [13] presented different authentication solutions that rely on touch dynamics in mobile devices. Rattani and Derakhshani [17] provided the state of the art related to face biometric authentication schemes that are designed for mobile devices.
They also discussed the spoof attacks that target mobile face biometrics as well as the anti-spoofing methods. Mahfouz et al. [14] surveyed the behavioral biometric authentication schemes that are applied on smartphones. Meng et al. [12] surveyed the biometric user authentication frameworks on mobile phones. They identified eight potential attacks against these authentication systems along with promising countermeasures. Our survey and [12] both focus on authentication schemes that are designed for mobile devices, consider all the biometric features, and deal with threat models and countermeasures. However, [12] does not give information related to the machine learning or data mining method used by all the surveyed solutions. In addition, [12] only covers papers up to 2014, whereas the coverage of our survey is up to 2018. To the best of our knowledge, this work is the first that thoroughly covers threats, models, countermeasures, and the machine learning algorithms of the biometric authentication schemes.

III. MACHINE LEARNING AND DATA MINING ALGORITHMS
In this section, we list the different machine learning and data mining algorithms used by biometric-based authentication schemes for IoT devices, as summarized in Table II.

A. Support-vector machine (SVM)
The SVM is a popular and powerful binary classifier, which aims to find a hyperplane within the feature space that separates between two classes. SVM is used by seven authentication schemes for IoT devices in edge environments using bio-features [25], [31], [32], [33], [34], [35], [36].
In [25], Frank et al. used two classifiers: k-Nearest-Neighbors (kNN), and SVM with an RBF kernel. In this study, two classes are chosen, namely, i) the user of interest and ii) the rest of the users. In the training phase, the two relevant parameters of the RBF-SVM, i.e., γ and C, are tuned under five-fold cross-validation. The first parameter, γ, controls the Gaussian radial basis function. The second parameter, C, controls the trade-off between maximizing the margin and minimizing the number of exceptions.
In Sitova et al. [31], an SVM classifier together with scaled Manhattan (SM) and scaled Euclidean (SE) distance verifiers are used to perform verification experiments. For parameter tuning, the RBF kernel was selected and a grid search was performed to find its parameters.
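As an added example (not code from Sitova et al. [31] or from any scheme in this survey), the script below implements the scaled Manhattan and scaled Euclidean verifiers as a single-user template matcher, walks the enrollment, classifier building and authentication steps, and shows how the FAR, FRR and EER figures quoted throughout the survey are computed from genuine and impostor scores. The function names, the constructed 4-digit PIN hold-time samples and the mean-absolute-deviation scaling are assumptions of this example.

```python
"""Scaled Manhattan (SM) / scaled Euclidean (SE) verification for keystroke
timing features, with FAR, FRR and EER evaluation.

Added example; not code from Sitova et al. [31] or any scheme in the survey.
Every timing sample below is constructed for illustration.
"""
from math import sqrt
from statistics import mean
from typing import Callable, Dict, List, Sequence, Tuple

Vector = Sequence[float]
Template = Tuple[List[float], List[float]]  # per-feature (mean, mean absolute deviation)
Distance = Callable[[Template, Vector], float]


# 1) Enrollment: build the claimed user's template from enrollment samples.
def build_template(samples: Sequence[Vector]) -> Template:
    """Per-feature mean and mean absolute deviation (MAD). The MAD scales each
    feature so that a naturally noisy timing does not dominate the distance;
    a zero MAD is floored so the feature stays usable."""
    n_feat = len(samples[0])
    means = [mean(s[j] for s in samples) for j in range(n_feat)]
    mads = [mean(abs(s[j] - means[j]) for s in samples) for j in range(n_feat)]
    return means, [d if d > 0 else 1e-6 for d in mads]


def scaled_manhattan(template: Template, probe: Vector) -> float:
    means, mads = template
    return sum(abs(p - m) / d for p, m, d in zip(probe, means, mads))


def scaled_euclidean(template: Template, probe: Vector) -> float:
    means, mads = template
    return sqrt(sum(((p - m) / d) ** 2 for p, m, d in zip(probe, means, mads)))


# 2) Classifier building: choose the decision threshold from labelled scores.
def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> Tuple[float, float]:
    """FAR: fraction of impostor probes accepted (score <= threshold).
    FRR: fraction of genuine probes rejected (score > threshold)."""
    far = sum(1 for s in impostor if s <= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s > threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine: Sequence[float],
                     impostor: Sequence[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return the one
    where FAR and FRR are closest, plus the EER (their mean at that point)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


# 3) Authentication: accept the probe if it is close enough to the template.
def verify(template: Template, probe: Vector, threshold: float,
           distance: Distance = scaled_manhattan) -> bool:
    return distance(template, probe) <= threshold


# Constructed data: key hold times (ms) for the four digits of a PIN entry.
ENROLLMENT = [[100, 120, 110, 130], [104, 116, 114, 126], [96, 124, 106, 134]]
GENUINE_PROBES = [[102, 118, 112, 128], [100, 120, 110, 130], [110, 120, 110, 130]]
IMPOSTOR_PROBES = [[140, 90, 150, 100], [105, 125, 115, 135], [100, 120, 112, 130]]


def demo(distance: Distance = scaled_manhattan) -> Dict[str, object]:
    """Run the three steps on the constructed data and return every result."""
    template = build_template(ENROLLMENT)
    genuine = [distance(template, p) for p in GENUINE_PROBES]
    impostor = [distance(template, p) for p in IMPOSTOR_PROBES]
    threshold, eer = equal_error_rate(genuine, impostor)
    decisions = [verify(template, p, threshold, distance)
                 for p in GENUINE_PROBES + IMPOSTOR_PROBES]
    return {"template": template, "genuine": genuine, "impostor": impostor,
            "threshold": threshold, "eer": eer, "decisions": decisions}


if __name__ == "__main__":
    for name, dist in (("scaled Manhattan", scaled_manhattan),
                       ("scaled Euclidean", scaled_euclidean)):
        r = demo(dist)
        print(f"{name}: threshold={r['threshold']:.3f} EER={r['eer']:.3f} "
              f"decisions={r['decisions']}")
```

The third impostor probe deliberately sits within the genuine spread, which is why the EER on this toy data is 1/3 rather than zero: a threshold chosen at the EER trades one false acceptance for one false rejection.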
In order to detect faces of a particular size, Sarkar et al. [32] introduced a face detection algorithm, which is based on deep features combined with an SVM classifier. Specifically, the study passes the image through a deep convolutional neural network, then trains SVMs of different sizes in order to achieve scale invariance. During the training step, Sarkar et al.'s scheme uses 5202 images from the UMD-AA database, which is a database of 720p videos and touch gestures of users on a mobile device (iPhone). The experimental results showed that the proposed idea can detect partial or extremely posed faces in an IoT environment. The approach described by Mahbub et al. [33] is a framework for authentication and authorization of users' faces on mobile IoT devices. Their approach trains a linear SVM with statistical features. The study used the Active Authentication Dataset, which contains front-facing camera face video for 50 iPhone users (43 male, 7 female) under three different ambient lighting conditions: well-lit, dimly-lit, and natural daylight. Compared to the Viola-Jones face detector, Mahbub et al.'s framework achieves superior performance.

Table II. Machine learning and data mining methods and the schemes that use them (method: schemes):
Agglomerative complete link clustering approach: [23]
Support vector distribution estimation: [24] [25]
Gaussian mixture model: [26]
Embedded hidden Markov model: [26]
k-nearest-neighbors (kNN): [
Local binary patterns algorithm: [46]
Mel frequency cepstral coefficients: [47]
Pupillary light reflex: [48]
Euclidean distance, Hamming distance: [49]
Deep convolutional neural network: [32] [50] [51] [52]
Genetic algorithm: [53]
Artificial neural network (ANN): [36]
Gauss-Newton based neural network: [54]
Radial integration transform: [55]
Weibull distribution: [56]
Online learning algorithms: [57]
Counter-Propagation Artificial Neural Network (CPANN): [36]
Random Forest (RF): [58]
Neural Network (NN): [59] [28] [29]
Circular integration transform: [55]
Decision Tree (DT): [
Pearson product-moment correlation coefficient (PPMCC): [29]
Keyed random projections and arithmetic hashing: [65]
One-dimensional multi-resolution local binary patterns: [66]
In another study, Gunasinghe and Bertino [34] used the SVM classifier as the learning algorithm, the face as the bio-feature, and eigenfaces as the feature extraction algorithm. The trained SVM classifier is used together with the artifacts stored on the mobile IoT device. Compared to Mahbub et al.'s [33] approach, the protocol in [34] considers privacy preservation of the training data, and uses three secrets (S_i, i ∈ {1, 2, 3}) in different phases of the scheme: S_1 of size 128 bits, S_2 of size 160 bits, and S_3 of size 256 bits.
Chen et al. [35] introduced a two-factor authentication protocol using rhythm, which can be applied to mobile IoT devices. Specifically, Chen et al.'s protocol employs SVM as the machine learning classifier, and LibSVM in the implementation phase. The experimental results on Google Nexus 7 tablets, involving 22 legitimate users and 10 attackers, show outstanding results: the false-positive and false-negative rates are 0.7% and 4.2%, respectively. In general, there are two ways of constructing a bio-feature-based authentication scheme from behavioral biometric modalities: 1) using one behavioral biometric model, which does not need any additional hardware to capture data, and 2) using a combination of behavioral biometric models.

B. Deep learning approach
Deep learning has been used to authenticate low-power devices in IoT networks. The deep learning approach is based on an artificial neural network (ANN) consisting of many layers of neurons, referred to as hidden layers, between two other layers: input and output. Each layer receives and interprets information from the previous layer. Unlike SVM, the learning runtime increases when the number of features in an ANN increases. Ferdowsi and Saad [41] proposed a deep learning method based on the long short-term memory (LSTM), which uses the fingerprints of the signal y generated by an IoT mobile device. In addition, the LSTM algorithm allows an IoT mobile device to update the bit stream by considering the sequence of generated data. The paper reports that dynamic LSTM watermarking is able to detect some attacks such as eavesdropping.
Das et al. [42] used a deep-learning based classifier to obtain a faster system against high-power adversaries. Similarly to the work [41], this study uses the long short-term memory (LSTM). The experiments used a LoRa low-power wireless testbed, which consists of 29 Semtech SX1276 chips as LoRa transmitters and a Semtech SX1257 chip as the receiver. The experimental results showed that the classification performance is more promising with respect to state-of-the-art LoRa transmitters.
The work by Bazrafkan and Corcoran [67] used a deep U-shaped network with 13 layers for the segmentation task. The study used a 3x3 kernel that maps the input to the first convolutional hidden layer in order to enhance iris authentication for mobile IoT devices. They used two databases, including 1) CASIA Thousand, which contains 20k images, and 2) Bath 800, which contains 24156 images. The segmentation results are reported as 98.55% for Bath 800 and 99.71% for CASIA Thousand. The paper also states the benefits of the deep learning technique, such as efficient segmentation on large data sets.
In their study, Bayar and Stamm [44] use a universal forensic approach based on deep learning in order to detect multiple types of image forgery. For image recognition, a convolutional neural network (CNN) is used as the deep learning tool. Specifically, the proposed CNN contains eight layers, including the proposed new convolutional layer, two convolutional layers, two max-pooling layers, and three fully-connected layers. The input of the network is a 227 × 227 grayscale image. The proposed CNN is evaluated both as a binary and as a multi-class classifier. The false positive rate is not reported; using the Caffe deep learning framework, the proposed CNN model distinguishes between unaltered and manipulated images with at least 99.31% and 99.10% accuracy for the binary and multi-class classifier, respectively.

C. Deep convolutional neural network
Deep convolutional neural networks (DCNNs) for face detection were investigated by Ranjan et al. [51]; such approaches can be classified into two categories, the region-based approach and the sliding-window approach. The DCNN can identify whether a given proposal contains a face or not.
Based on deep learning and random projections, Liu et al. [50] proposed a novel finger vein recognition algorithm, named FVR-DLRP, which could be used for mobile IoT devices. The FVR-DLRP algorithm has four main phases, namely, 1) feature extraction, 2) random projection, 3) training, and 4) matching. The finger vein feature extraction is based on 3 × 3 regions. The Johnson-Lindenstrauss theorem is used for the random projections. In the training phase, a deep belief network is applied to generate the biometric template. The experimental results on a finger vein laboratory database, named FV_NET64, involving the finger vein images of 64 people, each of whom contributes 15 acquisitions, show that the FVR-DLRP algorithm achieves a 91.2% recognition rate (GAR) and a 0.3% false acceptance rate (FAR). In the study by Sarkar et al. [32], a deep convolutional neural network is proposed for mobile IoT devices. According to the study, the OpenCL and RenderScript based libraries for implementing deep convolutional neural networks are more suitable for mobile IoT devices than the CUDA based schemes.

D. Decision Tree (DT)
DTs are a type of learn-by-example pattern recognition method, and were used by five studies [60], [27], [62], [38], [61]. In [60], Sheng et al. proposed a parallel decision tree based system in order to authenticate users based on keystroke patterns, which could be applied to mobile IoT devices. According to the study, a parallel DT alone cannot solve the authentication on keystroke patterns. The training data contains 43 users, each of whom typed a given common string of 37 characters. The study achieves 9.62% FRR and 0.88% FAR. In addition, Kumar et al. [62] presented a fuzzy binary decision tree algorithm, named FBDT, for biometric-based personal authentication. The FBDT was able to detect with FAR=0.005% and FRR=3.027% on palmprint, FAR=0.023% and FRR=8.1081% on iris, and FAR=0% and FRR=2.027% on the bimodal system. To enhance network authentication in ZigBee devices, Patel et al. [61] presented an authentication system that employs ensemble decision tree classifiers. Specifically, the study applied Multi-Class AdaBoost ensemble classifiers and non-parametric Random Forest in the device fingerprinting setting.

E. k-nearest-neighbors (kNN)
The kNN algorithm assigns an observation to one of a set of groups by applying a distance function in the vector space to the k nearest training observations of each group [29]. In our study, we found that it is always combined with other classifiers in order to provide a fast classification. The study [25] uses the kNN algorithm and a support-vector machine with an RBF kernel. The study [27] combines three classifiers, namely, the kNN algorithm, support vector machines, and decision trees. The study [28] combines three models, including 1) a nearest-neighbor based detector model, 2) a neural network detector model, and 3) a support vector machine model. The study by Jagadeesan and Hsiao [29] incorporates statistical analysis, neural networks, and kNN algorithms; the experimental results show that the identification accuracy is 96.4% and 82.2% for the application-based model and the application-independent model, respectively.

F. Statistical models
In order to perform authentication of the user's identity on mobile IoT devices, Tasia et al. [40] used a computationally efficient statistical classifier, which has low computational complexity compared to fuzzy logic classifiers and does not require comparison with other users' samples for identification. The hidden Markov model is another statistical model; Kim and Hong [26] used an embedded hidden Markov model algorithm and the two-dimensional discrete cosine transform for teeth authentication. For voice authentication on mobile IoT devices, the study uses pitch and mel-frequency cepstral coefficients as feature parameters and a Gaussian mixture model algorithm to model the voice signal. In the experiment section, Kim's study used an HP iPAQ rw6100 mobile device equipped with a camera and a sound-recording device. The study reported an EER of 6.42% and 6.24% for teeth authentication and voice authentication, respectively.

G. Naive Bayes
To map from the feature space to the decision space, Fridman et al. [39] used the Naive Bayes classifier, which is based on Bayes' theorem. In the experiment section, the study reached a false acceptance rate of 0.004 and a false rejection rate of 0.01 after 30 seconds of user interaction with the device. In addition, Traore et al. [64] considered two different biometric modalities, namely, keystroke and mouse dynamics. Their study used a Bayesian network to build the user profile, and then used it to classify the monitored samples. The experimental results show that the mouse dynamics model reached an equal error rate (EER) of 22.41%, which is slightly lower than the keystroke dynamics model, which reached an EER of 24.78%. In addition, Bailey et al. [38] used a Bayesian network with two machine learning algorithms, LibSVM and J48. The results achieved a full fusion false acceptance rate of 3.76% and a false rejection rate of 2.51%.

Table III (partial). Bio-features and the schemes that use them (bio-feature: schemes):
Signature recognition: [24]
Gait recognition: [74]
Behavior profiling: [
Rhythm: [35]
Capacitive touchscreen: [93]
Ear shape: [46]
Arm gesture: [46]
Plantar biometrics: [94]
Mouse dynamics: [
Slap fingerprints: [95]
Palm dorsal vein: [95]
Hand geometry: [95]
Behavioral biometric: [57]
To solve the problem of verifying a user, Buriro et al. [30] proposed AnswerAuth, an authentication mechanism based on features extracted from the data recorded using the built-in smartphone sensors. The AnswerAuth mechanism is tested using a dataset comprising 10,200 patterns (120 from each sensor) from 85 users, and six classification techniques are used, including Bayes network, naive Bayes, SVM, kNN, J48, and Random Forest. According to the study, the Random Forest classifier performed the best, with a true acceptance rate of 99.35%.

IV. BIO-FEATURES
The bio-features used by authentication and authorization schemes for mobile IoT devices can be classified into two types, human physiological (e.g., face, eyes, fingerprints-palm, or electrocardiogram) and behavioral (e.g., signature, voice, gait, or keystroke). Tab. III presents the biometrics-based authentication schemes for mobile IoT devices with the bio-features used as a countermeasure.
• Gaze gestures: By combining gaze and touch, Khamis et al. [68] introduced multimodal authentication for mobile IoT devices, which is more secure than single-modal authentication against iterative attacks and side attacks.
• Electrocardiogram: Electrocardiogram methods can conceal the biometric features during authentication; they are classified as either electrocardiogram with the fiducial features of segmented heartbeats or electrocardiogram with non-fiducial features, as discussed in [71], [72]. Both studies proved that the electrical activity of the heart can be a candidate bio-feature for user authentication on mobile IoT devices.
• Voice recognition: The voice signal can be used in voice authentication with a characteristic of single-vowel. Kim and Hong [26] used mel-frequency cepstral coefficients and pitch as voice features, and the Gaussian mixture model in the voice authentication process for speaker recognition, as shown in Fig. 2. Note that voice-based authentication and authorization schemes for mobile IoT devices are vulnerable to attacks that use a prerecorded voice.
• Signature recognition: According to Shahzad et al. [24], a signature is defined as the conventional handwritten depiction of one's name performed either using a finger. Existing signature-based authentication and authorization schemes for mobile IoT devices can be divided into three categories, namely, offline, online, and behavior. In the offline category, authentication and authorization schemes use an image as the input signature. In the online category, they use time-stamped data points as the input signature. In the behavior category, they use the behavior of performing the signature with a finger.
• Gait recognition: Gait templates can be used for user verification. Based on the biometric cryptosystem (BCS) approach with a fuzzy commitment scheme, Hoang et al. [74] introduced an authentication and authorization scheme using gait recognition for mobile IoT devices.
• Behavior profiling: Behavior profiling aims at building invariant features of human behavior during different activities. Frank et al. [25] proposed an authentication and authorization scheme using touchscreen input as a behavioral biometric for mobile IoT devices.
• Keystroke dynamics: Existing keystroke-based authentication and authorization schemes for mobile IoT devices can be classified into two types: 1) static, in which the keystroke analysis is performed only at specific times; and 2) continuous, in which the keystroke analysis is performed during a whole session. In order to improve the effectiveness of PIN-based authentication and authorization, the study [40] proposed three steps in keystroke dynamics-based authentication systems, namely, 1) enrollment step, 2) classifier building step, and 3) user authentication step, as shown in Fig. 3.
• Touch dynamics: The process of measuring and assessing human touch rhythm on mobile IoT devices is called touch dynamics. According to Teh et al. [13], the design of a touch dynamics authentication system is performed in three steps, namely, 1) user enrolment step, 2) user authentication step, and 3) data retraining step, as shown in Fig. 4.
• Fingerprint: The fingerprint is used as a bio-key to dynamically secure a communication channel between client and server after successful authentication on mobile IoT devices [77], [78], [79], [80]. Currently, authentication and authorization schemes use a public key infrastructure framework, such as elliptic curve cryptography, in order to protect the fingerprint biometric, as shown in Fig. 5.
• Smart card: According to Li and Hwang [83], authentication and authorization for mobile IoT devices using smart cards is one of the simplest and most effective schemes for IoT authentication compared to traditional password-based authentication schemes. Specifically, the user inputs his/her personal bio-features on the mobile IoT device during the registration step. Then, the registration center stores the personal bio-features on the user's smart card.
• Multi-touch: Multi-touch refers to the ability to sense input simultaneously from several points of contact with a touchscreen [87]. According to Sae-Bae et al. [86], authentication and authorization for mobile IoT devices using multi-touch gestures are based on classifying movement characteristics of the center of the fingertips and the palm.
• Graphical password: To withstand dictionary attacks, researchers proposed graphical password authentication schemes, which can be classified into two types: 1) authentication and authorization using recognition and 2) authentication and authorization using recall.
• Face recognition: Mahbub et al. [33] introduced an authentication and authorization scheme using face recognition, which can be applied to mobile IoT devices. Based on the Support Vector Machine (SVM), Mahbub et al.'s scheme consists of three steps, namely, 1) segment clustering, 2) SVM learning, and 3) face detection, as shown in Fig. 6.
• Iris recognition: An iris-based authentication scheme refers to a comparison with the iris template of the person owning the mobile computing device. This process could be used to unlock a mobile computing device or to validate banking transactions. According to De Marsico et al. [89], an iris-based authentication scheme can be repeated in a cyclic process to ensure continuous re-identification, as shown in Fig. 7.
• Rhythmic taps/slides: A rhythm-based authentication scheme refers to user identification by a series of rhythmic taps/slides on a device screen. Chen et al. [35] proposed an authentication and authorization scheme using rhythmic taps/slides, which can be applied to mobile IoT devices. Chen et al.'s scheme is based on two steps, namely, 1) enrollment step and 2) verification step.
• Capacitive touchscreen: In order to scan body parts on mobile IoT devices, Holz et al. [93] introduced an au-
• Ear shape: ... to capturing a sequence of ear images, which are used for extraction of discriminant features, in order to authenticate the users on mobile IoT devices [46].
• Arm gesture: The arm gesture is usually combined with a physical biometric to authenticate users for mobile IoT devices, e.g. ear shape [46].

V. AUTHENTICATION AND AUTHORIZATION SCHEMES FOR MOBILE IOT DEVICES USING BIO-FEATURES
The surveyed papers on authentication and authorization schemes for mobile IoT devices using bio-features are shown in Table IV. In addition, threat models and countermeasures are shown in Table V.
The manner and rhythm in which an individual types characters when writing a text message is called keystroke analysis, which can be classified as either static or continuous. For authenticating users based on keystroke analysis, Clarke and Furnell [96] introduced an authentication and authorization scheme, which is based on three interaction scenarios, namely, 1) entry of 11-digit telephone numbers, 2) entry of 4-digit PINs, and 3) entry of text messages. Clarke and Furnell's scheme [96] provides not only transparent authentication of the user, but is also efficient in terms of FRR and FAR on three types of mobile IoT devices, namely, Sony Ericsson T68, HP IPAQ H5550, and Sony Clie PEG NZ90. To demonstrate the ability of neural network classifiers, the same authors in [97] proposed an authentication framework based on mobile handset keypads in order to support keystroke analysis. The three pattern recognition approaches used in this framework are 1) feed-forward multi-layered perceptron network, 2) radial basis function network, and 3) generalised regression neural network. Moreover, Maiorana et al. [23] proved that it is feasible to employ keystroke dynamics on mobile phones with a statistical classifier for keystroke recognition, in order to use it as a password hardening mechanism. In addition, Tasia et al. [40] showed that the combination of pressure and time features is among the effective solutions for authentication and authorization.
Passwords have been widely used by remote authentication schemes, but they can be easily guessed, hacked, and cracked. To deal with the drawbacks of only-password-based remote authentication, Khan et al. [77] proposed the concept of a chaotic hash-based fingerprint biometric remote user authentication scheme. Theoretically, the scheme [77] can prevent five attacks, namely, parallel session attack, reflection attack, forgery attack, impersonation attack, DoS attack, and server spoofing attack, but it is not tested on mobile devices and may be vulnerable to biometric template attacks.
In order to avoid the biometric template attack, Xi et al. [78] proposed an idea based on the transformation of the locally matched fuzzy vault index to the central server for biometric authentication using the public key infrastructure. Compared to [100], [77], and [78], Chen et al. [79] proposed a fingerprint biometric remote authentication scheme that uses only hash functions, in order to solve the asynchronous problem on mobile devices. In 2014, Khan et al. [80] improved Chen et al.'s scheme and Truong et al.'s scheme with quick wrong password detection, but location privacy is not considered.
Biometric keys have some advantages, namely, 1) they cannot be lost, 2) they are very difficult to copy, 3) they are hard to distribute, and 4) they cannot be easily guessed. In 2010, Li and Hwang [83] proposed a biometric-based remote user authentication scheme using smart cards, in order to provide non-repudiation. Without using identity tables or storing password tables in the authentication system, Li and Hwang's scheme [83] can resist masquerading attacks, replay attacks, and parallel session attacks. The authors did not specify the application environment of their scheme, but it can be applied to mobile IoT devices as the network model is not too complicated. Note that Li and Hwang's scheme was cryptanalyzed several times.
Touch dynamics for user authentication were initially used on desktop machines and in finger identification applications. In 2012, Meng et al. [101] focused on authentication and authorization using user behavioral bio-features such as touch duration and touch direction. Specifically, they proposed an authentication scheme that uses touch dynamics on touchscreen mobile IoT devices. To classify users, Meng et al.'s scheme performs an experiment with 20 users using Android touchscreen phones and applies known machine learning algorithms (e.g., Decision Tree, Naive Bayes). Through simulations, the results show that Meng et al.'s scheme succeeds in reducing the average error rate down to 2.92% (FAR of 2.5% and FRR of 3.34%). The question we ask here is: is it possible to use multi-touch as an authentication mechanism? In 2012, Sae-Bae et al. [86] introduced an authentication approach based on multi-touch gestures using an application on the iPad with version 3.2 of iOS. Compared with Meng et al.'s scheme [101], Sae-Bae et al.'s approach is efficient, with 10% EER on average for single gestures and 5% EER on average for double gestures. Similar to Sae-Bae et al.'s approach [86], Feng et al. [102] proposed an authentication and authorization scheme using multi-touch gestures for mobile IoT devices, named FAST, that incurs FAR=4.66% and FRR=0.13% for continuous post-login user authentication. In addition, the FAST scheme can provide good post-login access security, but the threat model is very limited and privacy preservation is not considered.
Arteaga-Falconi et al. [71] introduced the concept of authentication and authorization using the electrocardiogram (ECG) for mobile IoT devices. Specifically, the authors considered five factors, namely, the number of electrodes, the quality of mobile ECG sensors, the time required to gain access to the phone, FAR, and TAR. Before the ECG authentication algorithm is applied, the preprocessing stage for the ECG signal performs fiducial point detection. The ECG authentication algorithm is based on two aspects: 1) employing a feature-specific percentage of tolerance and 2) employing a hierarchical validation framework. The results reveal that the algorithm [71] achieves 1.41% FAR and 81.82% TAR with 4 s of signal acquisition. Note that ECG signals from mobile IoT devices may be affected by noise due to the type of motion and signal acquisition, as discussed by Kang et al. [72]. An advantage of ECG authentication is that the biometric features remain concealed during authentication; however, this becomes a serious problem if privacy preservation is not considered.
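The FAR, FRR, EER, average error rate and TAR figures quoted for the touch-dynamics and ECG schemes above are all threshold-dependent trade-offs on the same score distribution. The following Python is an added example, not code from any of the surveyed papers; it computes those metrics from a constructed set of genuine and impostor similarity scores and picks the operating threshold for a target FAR.

```python
from typing import Dict, List, Tuple

# Constructed similarity scores (not measurements from any surveyed paper):
# a higher score means the sample looks more like the enrolled user.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.80, 0.78, 0.75, 0.72, 0.70, 0.65, 0.60]
IMPOSTOR_SCORES = [0.62, 0.55, 0.50, 0.48, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20]


def far_frr_at(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """A sample is accepted when its score >= threshold.
    FAR: fraction of impostor attempts accepted; FRR: fraction of genuine attempts rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def average_error_rate(far: float, frr: float) -> float:
    """The 'average error rate' quoted for Meng et al.: the mean of FAR and FRR."""
    return (far + frr) / 2


def true_accept_rate(frr: float) -> float:
    """TAR, the figure used for the ECG scheme, is the complement of FRR."""
    return 1.0 - frr


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold; return (EER, threshold)
    at the point where FAR and FRR are closest, EER being their mean there."""
    best_gap, best = None, (1.0, 0.0)
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr_at(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_gap, best = gap, (average_error_rate(far, frr), t)
    return best


def threshold_for_target_far(target_far: float, genuine: List[float], impostor: List[float]) -> Dict[str, float]:
    """Operating point a deployment would choose: the most permissive threshold whose
    FAR does not exceed target_far, together with the FRR/TAR that choice costs."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr_at(t, genuine, impostor)
        if far <= target_far:
            return {"threshold": t, "far": far, "frr": frr, "tar": true_accept_rate(frr)}
    return {"threshold": float("inf"), "far": 0.0, "frr": 1.0, "tar": 0.0}


if __name__ == "__main__":
    print(equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print(threshold_for_target_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES))
```

On the constructed scores the EER is 10% at threshold 0.62, while demanding zero FAR forces the threshold up to 0.65 and costs a 10% FRR (90% TAR), which is the kind of trade-off behind the FAR/TAR pair reported for the ECG scheme.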

VI. FUTURE DIRECTIONS
Several challenges still remain that open interesting research opportunities for future work, including Doppler radar, vocal resonance, mobile malware threats, adversarial machine learning, and machine learning and blockchain-based authentication.

A. Doppler radar
A team of researchers at Buffalo University, led by Wenyao Xu, developed a system that exploits a Doppler radar capable of "reading" the human heart! It works roughly like any other radar, emitting microwaves and analyzing the return signal in order to detect changes in motion [103]. According to the researchers, identifying a person through this method takes about eight seconds, and the radar power is just 5 milliwatts, which means that the radiation is not dangerous to the body. This method can be a basis for future biometric systems that are fast and efficient and recognize unique characteristics of the human body.

B. Vocal Resonance
In [104], the authors proposed using vocal resonance, that is, the sound of a person's voice as it travels through the person's body. Vocal resonance can be used as a passive biometric, and it achieves high accuracy for both identification and verification. It is a method that is suitable for devices worn on the chest, neck, or initially but could also be used in the near future for recognizing any device that a user possesses.

C. Mobile malware threats against biometric reference template
In 2016 [105], [106], an Android malware succeeded in bypassing the two-factor authentication scheme of many mobile banking applications installed on the user's mobile device. The malware can intercept the two-factor authentication code (i.e., the verification code sent through SMS) and forward it to the attacker. In the case of biometric-based authentication, this threat could evolve to access the biometric reference template, which is stored on the mobile device, and send it to the attacker. One research direction to prevent this kind of attack is to employ policy-enforcement access control mechanisms that are appropriate for resource-constrained mobile devices.

D. Adversarial machine learning against biometric-based authentication schemes
Some biometric-based authentication mechanisms, and especially behavioral-based ones, use machine learning techniques for extracting features and building a classifier to verify the user's identity. Adversarial machine learning aims to manipulate the input data to exploit specific vulnerabilities of the learning algorithms. An adversary using adversarial machine learning methods tries to compromise biometric-based authentication schemes and gain illegal access to the system or the mobile device. Future research efforts should focus on dealing with this kind of threat.

E. Machine learning and blockchain-based authentication
Blockchain technology is being used in different application domains beyond cryptocurrencies, e.g., SDN, Internet of Things, Fog computing, etc. [107]. To develop a machine learning and blockchain-based solution for authenticating mobile IoT devices, we have to keep in mind the specific requirements of the blockchain, e.g., 1) IoT data need to be checked by the IoT entities without any central authority, 2) the ledger copies are required to be synchronized across all of the IoT entities, etc. In addition, the vulnerabilities of peer-to-peer blockchain networks during authentication need to be considered, including private key leakage, double spending, transaction privacy leakage, the 51% vulnerability, and selfish and reputation-based behaviors. Hence, machine learning-based authentication schemes using blockchain technology should be investigated in the future.

VII. DISCUSSION
There is a big discussion regarding the use of the biometric characteristics of users by new systems or technologies. Biometric technology can be used to protect privacy, since only a minimum amount of information is required to determine whether someone is authorized, for example, to enter a specific area. On the other hand, since biometrics can reveal sensitive information about a person, controlling the usage of this information may be tricky, especially now that the technology has reached the stage of being applied in mobile devices, which can be easily lost or stolen [108]. Those who are against the use of such features raise concerns about how these data are going to be used. These concerns could be mitigated by making clear to people that their data is only stored for a limited time, and by explaining who will process this data and for what purposes [109]. In that sense, the General Data Protection Regulation (GDPR) for European Member States addresses biometric data storage and processing in terms of data protection and privacy. EU countries are affected, including the UK, as are all companies that store or process data of EU citizens. On the other hand, in the United States there is no single comprehensive federal law regulating the collection and processing of biometric data. Only three states, Washington, Texas, and Illinois, have a biometric privacy law, although US regulators are also increasingly focusing on the protection of biometric data. Moreover, in August 2017, India's supreme court decision in a landmark case that named privacy a "fundamental right" showcased that biometric data protection is at the top of regulators' agenda.
Apart from data use issues, general terms such as computer fear and technophobia also provide established accounts of individuals' resistance to using new and unfamiliar information technologies, especially for elderly people [110]. Moving one step further, companies that produce applications or methods that use biometric characteristics must comply with a code of ethics or a consistent legal framework governing this kind of data collection, which is still absent. For that reason, IEEE P7000 is the first standard IEEE is ever going to publish on ethical issues in system design, expected in the next couple of years [111].

VIII. CONCLUSION
In this article, we have presented a comprehensive literature review, focusing on authentication and authorization for mobile IoT devices using bio-features, covering works published between 2007 and 2018. We presented the machine learning and data mining algorithms used by authentication and authorization schemes for mobile IoT devices, including unsupervised, semi-supervised, and supervised approaches. We reviewed all the bio-features used by authentication and authorization schemes for mobile IoT devices. We presented the pitfalls and limitations of the existing authentication and authorization schemes for mobile IoT devices. Several challenging research areas (e.g., Doppler radar, vocal resonance, mobile malware threats, adversarial machine learning, machine learning and blockchain-based authentication) will open doors for possible future research directions for mobile IoT devices.

CONFLICTS OF INTEREST
The authors declare that they have no conflicts of interest.