Demystifying Authentication Concepts in Smartphones: Ways and Types to Secure Access

Smartphones are the most popular and widespread personal devices. Apart from their conventional use, that is, calling and texting, they are also used to perform multiple security-sensitive activities, such as online banking and shopping, social networking, taking pictures, and e-mailing. On the positive side, smartphones have improved the quality of life by providing multiple services that users desire, for example, anytime-anywhere computing. On the other side, they also pose security and privacy threats to the users' stored data. User authentication is the first line of defense against unauthorized access to the smartphone. Several authentication schemes have been proposed over the years; however, their presentation can be perplexing to researchers new to this domain, because buzzwords such as active, continuous, implicit, static, and transparent are introduced in academic papers without a comprehensive description. Moreover, most of the reported authentication solutions were evaluated mainly in terms of accuracy, overlooking a very important aspect: usability. This paper surveys the various types and ways of authentication designed and developed primarily to secure access to smartphones and attempts to clarify the correlated buzzwords, with the motivation of assisting new researchers in understanding the gist behind those concepts. We also present an assessment of existing user authentication schemes, exhibiting their security and usability issues.


Introduction
The birth of smartphones can be traced back to 1973, when Motorola demonstrated their first handheld phone, the DynaTAC 8000X [1]. In the last 40 years, mobile device manufacturers have invested heavily in the innovation of mobile phones, transforming a device invented merely for calling and short text messaging into the personal, portable, and powerful device of today, equipped with many advanced software and hardware features.
Smartphones undoubtedly bring rich digital experiences to users by offering personalized services, for example, chatting, e-mailing, GPS navigation, net banking, online shopping, social networking, and video conferencing. Most of these services collect and store a large amount of the user's personal data on the device; thus, any unauthorized access to the user's data could have unfavorable consequences. Hence, it becomes extremely important to prevent unauthorized access to the smartphone. Typically, access to modern smartphones is secured by enabling different authentication solutions, such as PINs/passwords, face recognition, and fingerprint recognition.
By and large, multiple terminologies in the field of authentication are used by researchers, not always with clear definitions, which is disconcerting for students and new researchers. Triandopoulos et al. [2] described one-time authentication in terms of "one-time passcodes" or "one-time passwords" (OTPs) used as the second authentication factor, although OTP is the more widely accepted term. Crouse et al. [3] described continuous authentication as a periodic composition of one-shot authentication; however, Feng et al. [4] treated periodic authentication as equivalent to automatic logout due to user inactivity. Patel et al. [5] considered continuous authentication and active authentication systems to be the same. Similarly, Dutt et al. [6] suggested the use of transparent modalities in conjunction with explicit authentication methods, such as passwords, PINs, or secret patterns, for authenticating users, whereas the study by De Luca et al. [7] considered the use of a transparent modality with or without other schemes and termed it implicit authentication. That modality could be used standalone or to complement the explicit authentication schemes to enhance their usability [8, 9]. More specifically, the concept of transparent authentication is explained as implicitly fingerprinting the user's device interaction logs to authenticate the user [10].
Causey [11] considered risk-based authentication similar to an adaptive authentication scheme. Traore et al. [12] described risk-based authentication on the basis of contextual and historical information, extracted from users' activities, to build users' risk profiles that later drive the authentication and authorization decisions. Ayed [13] patented the idea of adaptive authentication in mobile phones, specifying that adaptive authentication uses different authentication methods and different data protection methods depending on the user's location, the availability of the network, and the importance of the data. It is evident from the above discussion that these definitions are correlated, but there is a need to relate them to each other by providing consistent definitions for all these terms.
We start this paper by explaining the prevalent ways to authenticate humans along with the different types of authentication mechanisms, in the context of smartphones. Then, we try to homogenize the different terminologies used in the context of user authentication, with the vision that it will benefit new researchers in understanding existing approaches. Our contribution can help new researchers get acquainted with different user authentication concepts, along with an assessment of their solutions on the basis of modalities, usability, and security.
The rest of the work is organized as follows: Section 2 presents the different ways and types of authentication mechanisms. Ways refer to the common factors used to authenticate humans, while types refer to the different authentication mechanisms, for example, one-shot, multifactor, continuous, and multimodal, that utilize these factors. We also discuss design goals for usable authentication systems and usability evaluation methods. Section 3 surveys the different state-of-the-art solutions proposed over the years for user authentication on smartphones. The related work on the ways and types of user authentication concepts available for smartphones is evaluated on the basis of usability and security. Finally, Section 4 concludes the paper.

Comprehensive Study
In this section, we explain the ways to authenticate users and the types of authentication mechanisms developed using them, in the context of smartphones.

Ways to Authenticate Users.
The ways in which humans can be authenticated are broadly divided into three categories [14], that is, "Something you know," "Something you have," and "Something you are," as depicted in Figure 1.

Something You Know.
Knowledge-based authentication (KBA) schemes, that is, PINs (Figure 2(a)), graphical passwords (Figure 2(b)), and passwords (Figure 2(c)), are the most widely used schemes on smartphones. KBA is based on a secret that the user sets up during enrollment and needs to remember for as long as he or she continues using the scheme.

Something You Have.
This mechanism is also referred to as token-based authentication. Many service providers and financial institutions offering sensitive services, such as net banking, e-wallets, and e-commerce, have adopted 2-factor authentication, that is, one-time passcodes (OTPs) along with the usual username/password. Service providers usually supply a small security device to each of their users for generating the one-time passcodes.
OTP schemes can be easily implemented on smartphones (Figure 3

Something You Are.
This authentication mechanism relies on the measurement of biometric characteristics of users and is further classified into physiological and behavioral biometrics. Figure 4 illustrates the commonly available authentication ways for smartphone users under this category.
On smartphones, physical traits such as the ear and face can be collected using built-in hardware, that is, the camera, whereas fingerprint and iris recognition require additional dedicated hardware. Similarly, behavioral biometric modalities, such as gait, grip, swipe, pickup, touch, and voice, can be profiled unobtrusively using various built-in sensors [15], namely, the accelerometer, gyroscope, magnetometer, proximity sensor, touch screen, and microphone. Touch-based solutions authenticate users based on their unique interactions with the device while they perform a specific task. Additionally, behavioral biometric-based authentication is cost-effective; such schemes generally do not require any special hardware and are considered lightweight in implementation [8].

Types of Authentication Mechanisms.
Researchers have been investigating the utilization of the different ways, that is, PINs, passwords, OTPs, face, touch, and so on, to design and develop different types of authentication solutions. These types are briefly explained below.

One-Shot Authentication.
One-shot authentication is a type of authentication mechanism in which the user's credentials are verified at the beginning of the session [16-18]. It is simply a process in which a user claims his or her identity by providing the correct credentials or fulfilling the challenges in order to gain access to a device. For example, PINs, passwords, graphical patterns, fingerprints, face, and iris are some of the commonly used modalities on smartphones for authenticating users. If the verification is successful (e.g., the right password is entered), access is granted; otherwise, access is denied. The session remains valid until the user signs off or closes the session.

Periodic Authentication.
Periodic authentication is simply a variant of one-shot authentication in which an idle timeout duration is set for closing the session automatically [4, 19]. If a user remains inactive for longer than the idle timeout duration, the device locks itself.

Single Sign-On (SSO) Authentication.
Single sign-on (SSO) is a long-term or persistent authentication type in which a user remains signed on until he or she revokes or terminates the session. If the system observes a discrepancy with respect to a fixed set of attributes, for example, a change in location or network connection, or an anomaly in the usage pattern, the session is terminated or the user is asked to reauthenticate [20-22]. VMware Identity Manager provides APIs to implement mobile single sign-on for AirWatch-managed Android devices [23]. Similarly, Google offers single sign-on to G Suite apps on Android devices, which can be achieved by pairing the smartphone with a smartwatch [24].

Multifactor Authentication.
Multifactor authentication combines two or more authentication ways, that is, e-mail verification, OTP via SMS, a phone call to a predefined number, a push notification to a paired device, a smart token, and so on, with the usual method of authentication [25-27]. Strictly, the combined methods should come from different categories (for example, knowledge plus possession); two secrets from the same category do not add a second factor. A very common practice is registering one's mobile number with a service provider; whenever the corresponding user accesses that service for a sensitive operation, for example, online banking, the service provider sends a one-time passcode (OTP) via SMS to gain assurance that the legitimate user has requested access to that service.

Static and Dynamic Authentication.
The static authentication mechanism presents a fixed set of challenges to the users, whereas a dynamic authentication mechanism presents a different challenge, drawn from a diverse set of prestored challenges, every time users unlock their smartphones [28, 29].

Continuous Authentication.
As the name implies, continuous authentication mechanisms are developed to authenticate the legitimate owner throughout the entire session. If any anomaly is detected by the device, access to the device is stopped immediately and the device asks for explicit reauthentication [4, 29, 30]. In other words, users are passively and periodically monitored throughout their interactive session with a device or system [5]. This concept promises higher security compared with the other authentication mechanisms, such as one-shot, one-time, and periodic authentication, but it is at the same time much more complex to implement. Additionally, it is desirable that a continuous authentication system does not interrupt the user's normal activity and is lightweight, that is, in battery consumption.

Transparent Authentication.
This concept stresses the procedure of collecting and analyzing user authentication identifiers [4, 10]. More specifically, if the system performs the authentication steps in the background (without requiring explicit user cooperation) [10, 31], it is termed an implicit, transparent, or unobtrusive authentication system. Note that various authentication types (one-shot, risk-based, or continuous) could collect their input transparently.

Risk-Based Authentication.
Risk-based authentication schemes are mostly based on a nonstatic authentication decision engine, in which the decision to accept or reject an authentication attempt is based on a risk score computed in real time. The score is compared with the stored risk profile of the user, and the system then challenges the user for authentication accordingly [32]. For instance, if a user is checking a bank account balance from a verified secure location (home or workplace), additional verification of identity may not be required, whereas from a nonverified location the service requires additional evidence about the identity of the user and therefore asks for authentication credentials. Nowadays, risk-based authentication schemes tend to offer frictionless authentication, providing a user experience that can be tailored according to the threats observed by the service providers [11, 12, 33, 34].

Adaptive Authentication.
Adaptive user authentication refers to the ability to change and prepare for different conditions and situations while preventing unauthorized access [13, 35, 36]. It calls for multifactor user authentication mechanisms that are readily configurable and deployable.
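To make the risk-based and adaptive decision flow described above concrete, here is an added example (our illustration, not an implementation from [11-13] or [32-36]) of a small decision engine. It scores the current attempt against a stored profile using the contextual signals named in the text (location, device, network, time of day, recent failures), adds the sensitivity of the requested operation, and maps the result to allow, step-up, or deny; after a successful step-up it folds the new context into the profile, which is the adaptive part. The weights, thresholds, profile fields, and operation sensitivities are assumptions chosen for illustration; a production engine would derive them from the provider's own threat data.

```python
from dataclasses import dataclass, field


@dataclass
class RiskProfile:
    """Historical context learned for one user (illustrative fields)."""
    known_locations: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    known_networks: set = field(default_factory=set)
    active_hours: range = range(6, 24)           # hours of the day at which the user is usually active


@dataclass
class LoginContext:
    """Signals observed for the current attempt."""
    location: str
    device_id: str
    network: str
    hour: int
    failed_attempts: int = 0                     # recent consecutive failures on this account


# Contribution of each anomalous signal to the risk score (assumed weights; they sum to 1.0).
WEIGHTS = {"location": 0.35, "device": 0.35, "network": 0.15, "hour": 0.05, "failures": 0.10}

# Extra risk added per operation, reflecting the "importance of the data" (assumed values).
OPERATION_SENSITIVITY = {"view_balance": 0.0, "transfer": 0.2}


def risk_score(profile: RiskProfile, ctx: LoginContext) -> float:
    """Real-time risk score in [0, 1]; 0 means every signal matches the stored profile."""
    score = 0.0
    if ctx.location not in profile.known_locations:
        score += WEIGHTS["location"]
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["device"]
    if ctx.network not in profile.known_networks:
        score += WEIGHTS["network"]
    if ctx.hour not in profile.active_hours:
        score += WEIGHTS["hour"]
    score += WEIGHTS["failures"] * min(ctx.failed_attempts, 3) / 3   # saturates after 3 failures
    return round(min(score, 1.0), 3)


def decide(score: float, operation: str) -> str:
    """Adaptive policy: the riskier the context and the operation, the stronger the challenge."""
    effective = score + OPERATION_SENSITIVITY[operation]
    if effective < 0.2:
        return "allow"                           # frictionless: no explicit authentication
    if effective < 0.6:
        return "step-up: otp"                    # one extra factor
    if effective < 0.85:
        return "step-up: otp+biometric"          # two extra factors
    return "deny"                                # too risky to let any challenge through


def record_success(profile: RiskProfile, ctx: LoginContext) -> None:
    """After a successful step-up, learn the context so the next attempt from the
    same place, device and network scores lower (the adaptive part)."""
    profile.known_locations.add(ctx.location)
    profile.known_devices.add(ctx.device_id)
    profile.known_networks.add(ctx.network)


def evaluate(profile: RiskProfile, ctx: LoginContext, operation: str) -> tuple:
    """Return (score, decision) for one attempt."""
    score = risk_score(profile, ctx)
    return score, decide(score, operation)


if __name__ == "__main__":
    # Constructed sample profile and attempts.
    alice = RiskProfile({"home", "office"}, {"pixel-7a"}, {"home-wifi", "office-wifi"})
    trusted = LoginContext("home", "pixel-7a", "home-wifi", hour=20)
    travelling = LoginContext("airport", "pixel-7a", "airport-wifi", hour=20)
    hostile = LoginContext("unknown", "new-device", "tor-exit", hour=3, failed_attempts=3)
    for name, ctx in [("trusted", trusted), ("travelling", travelling), ("hostile", hostile)]:
        for op in OPERATION_SENSITIVITY:
            print(f"{name:10} {op:13} -> {evaluate(alice, ctx, op)}")
```

Note that record_success is only called after the step-up challenge has actually been passed; learning from an attempt that was merely allowed would let an attacker who slips in at low risk quietly whitelist a new device.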

Unimodal and Multimodal Authentication.
This term is typically used for biometric authentication schemes. The literal meaning of modality (https://dictionary.cambridge.org/dictionary/english/modality) is a particular way of doing or experiencing something.
This concept is based on the number of modalities or traits used in the authentication system [37-39]. Unimodal authentication systems leverage only a single biometric modality or trait, whereas multimodal systems combine two or more modalities. Multimodal authentication systems demonstrate several advantages, such as higher recognition rate, accuracy, and universality [39].

Usable Authentication System Design Goals.
Usability along with security plays a pivotal role in evaluating user authentication schemes. This leads to an important question: how to trade off security against usability [40]? We present the guidelines described by Yee for usable security design [41]. Yee's work focused on addressing valid and nontrivial concerns specific to usable security. We explain below the design goals from the usability perspective as suggested in [41]:
(i) Appropriate boundaries: this goal is based on the principle of boundaries [42]. The interface should expose, and the system should enforce, distinctions between objects and between actions along boundaries that matter to the user. For example, in the context of mobile devices, popular operating systems (OS), such as Android (version 6 onwards) and iOS, allow users to grant or deny individual permissions to applications and services at run time, when a protected resource is first requested. Here, the objects are the apps or services, and the actions are the requests those apps or services make to use the system's resources. The boundaries are the thin line along which the users' decisions, shaped by human factors, affect the security of the system.
(ii) Path of least resistance: the most natural way to perform a task should also be the most secure way.
(iii) Explicit authorization: authority must only be granted to other actors in accordance with user actions that the user understands to imply consent.
(iv) Visibility: the user should be able to see the active authority of others that affects security-relevant decisions.
(v) Revocability: the user should be able to revoke others' authority to access the system.
(vi) Self-awareness: the user should maintain accurate awareness of his or her own authority to control the system.
(vii) Trusted path: the user's channels to any entity that manipulates authority on the user's behalf must be protected.
(viii) Identifiability: specific objects and specific actions must be clearly identifiable and apparent to the user.
(ix) Expressiveness: the user should be able to express safe security policies in terms that fit the user's goals.
(x) Clarity: the consequences of any security-relevant action must be clearly apparent to the user before the action is taken.

Usability Evaluation.
The System Usability Scale (SUS) questionnaire [43] is utilized to gather subjective assessments about the usability of proposed systems [8]. The questionnaire consists of 10 statements. The response to each statement is measured on a 5-point scale ranging from "strongly disagree" to "strongly agree." The final SUS score ranges between 0 and 100, where a higher value indicates a more usable system. The SUS questionnaire template and scoring instructions are available online [44].
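As an added example of the scoring step (our code, not the template in [44]), the functions below convert a respondent's ten answers into the 0-100 SUS score and aggregate a study. The detail the summary above does not spell out is that the odd-numbered statements are worded positively and the even-numbered ones negatively, so their contributions are reversed before the sum is scaled by 2.5; the sample answers are constructed, and the 68 benchmark is the commonly cited SUS average.

```python
def sus_score(responses) -> float:
    """SUS score for one respondent from ten answers on the 1-5 Likert scale.
    Odd items (positive statements) contribute (answer - 1); even items
    (negative statements) contribute (5 - answer); the sum is scaled by 2.5."""
    if len(responses) != 10:
        raise ValueError("SUS has exactly 10 statements")
    total = 0
    for item, answer in enumerate(responses, start=1):
        if not 1 <= answer <= 5:
            raise ValueError(f"answer to item {item} must be between 1 and 5")
        total += (answer - 1) if item % 2 else (5 - answer)
    return total * 2.5


def sus_summary(all_responses) -> dict:
    """Aggregate over a study: mean, minimum and maximum score, and the share of
    respondents scoring at least 68, the usual SUS 'average' benchmark."""
    scores = [sus_score(r) for r in all_responses]
    return {
        "n": len(scores),
        "mean": sum(scores) / len(scores),
        "min": min(scores),
        "max": max(scores),
        "share_at_or_above_68": sum(s >= 68 for s in scores) / len(scores),
    }


if __name__ == "__main__":
    # Constructed sample answers, one row per respondent.
    sample = [
        [5, 1, 5, 1, 4, 2, 5, 1, 4, 2],   # very satisfied -> 90
        [3, 3, 3, 3, 3, 3, 3, 3, 3, 3],   # neutral on everything -> 50
        [2, 4, 2, 5, 1, 4, 2, 4, 1, 5],   # frustrated -> 15
    ]
    print(sus_summary(sample))
```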

Literature Review and Analysis
In this section, we review the recent literature, emphasizing the types of authentication mechanisms and the ways on which they are built, and analyze them from the security and usability points of view. More specifically, we present an assessment of commonly used user authentication mechanisms on smartphones, focusing on their security and usability issues.

Ways of Authentication.
The usability of an authentication mechanism is one of the dominant attributes that influence users' acceptance of a particular authentication scheme [45].
The ISO 13407 standard, following ISO 9241-11, defines usability as "the extent to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction, in a specified context of use" [46]. Further, the study [47] suggests that usability can be evaluated on the basis of three criteria: task performance, user satisfaction, and user cost.
Conventional authentication schemes, that is, PINs, passwords, and graphical patterns, are no longer considered secure and convenient [48] because they cannot distinguish between users; rather, they authorize anyone who enters the correct credentials, regardless of whether that person is the legitimate owner of the device. Physiological biometric-based solutions are considered more secure because it is assumed that human body traits cannot be shared, copied, lost, or stolen. Moreover, they genuinely authenticate their users by requiring them to present themselves physically to the system. However, they are less preferable on smartphones due to their inherent usability issues [49]. As such, security experts are focusing on developing usable authentication systems, because they believe that behavioral biometrics will restructure the authentication landscape in the next 5-8 years [50].
In each of the following subsections, we include a table presenting a synopsis of each authentication way and the authentication types in which it is used, along with references that either indicate usability pros and cons or report security solutions and concerns.

Something You Know.
As per the web report [51], average smartphone users engage in 76 separate phone sessions per day, while heavy users (the top 10%) peak at 132 sessions per day. PINs, passwords, and graphical patterns require users to recall the secret they set earlier to unlock their devices every time they initiate a session (76 times a day). The capacity of the human brain to process information varies from person to person [52]. Zhang et al. [53] found that users faced problems in remembering their passwords and, more especially, in memorizing and correctly recalling numerous passwords. This encourages users to choose an easy or simple password that is quick to remember [54], but this opens plenty of opportunities for attackers to guess or crack their passwords easily [55]. When the system enforces stringent password policies, users, owing to memorability issues [56], allow their browsers or password managers to save their username/password information to make future logins easier. However, users trusting their browsers or password managers are more likely to be victims of a wide variety of attacks [57, 58]. Overall, 82% of end users are frustrated with managing passwords [59]. Clearly, this indicates a lack of usability, and as a result, nearly 75 million smartphone users in the US do not use any PIN, pattern, or password because they consider them annoying and an obstacle to quick access to their smartphones [60].
From the security perspective, PINs and passwords are vulnerable to various attacks, for example, guessing [61], because users choose dates of birth [57] or easy digit sequences (1111, 2222, etc.) [62] to set up their PINs. Alternatively, Android users (40% of them) prefer graphical patterns for device unlocking. But this approach too requires users to remember their secret; hence users choose simple and less secure patterns. Even when every valid pattern is counted (at least four dots connected without repeating any of them), there are only 389,112 possible patterns, a search space small enough to be exhausted by brute force [63]. Ye et al. [64] managed to crack 95% of 120 unique patterns collected from 215 independent users within just five attempts by filming the users' fingertip movements from a distance while they unlocked their devices. In addition, these schemes are more vulnerable to shoulder surfing than textual passwords [65].
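The 389,112 figure can be checked directly. The following added example (ours, not code from [63]) enumerates every valid Android unlock pattern of 4 to 9 dots under the drawing rule the lock screen enforces: a dot may be visited only once, and a stroke that passes straight over an unvisited dot is not allowed (it may pass over a dot that was already visited, which is why a knight-shaped move or a stroke across the centre after visiting it is legal). Dots are numbered 0-8 row by row. The per-length counts it returns show how small the space is for an attacker who can try guesses without a lockout.

```python
def midpoint(a: int, b: int):
    """Index of the dot lying exactly between dots a and b on the 3x3 grid,
    or None when the straight line between them crosses no dot centre."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:           # midpoint is not on the grid
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def count_patterns(min_len: int = 4, max_len: int = 9) -> dict:
    """Number of valid unlock patterns for each length between min_len and max_len."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(path: list, visited: int) -> None:
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in range(9):
            if visited & (1 << nxt):             # each dot at most once
                continue
            mid = midpoint(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue                         # would jump over an unvisited dot
            path.append(nxt)
            extend(path, visited | (1 << nxt))
            path.pop()

    for start in range(9):
        extend([start], 1 << start)
    return counts


def total_patterns(min_len: int = 4, max_len: int = 9) -> int:
    """Size of the whole pattern space for the given length range."""
    return sum(count_patterns(min_len, max_len).values())


if __name__ == "__main__":
    for length, n in count_patterns().items():
        print(f"{length} dots: {n:>7}")
    print("total 4-9 dots:", total_patterns())   # 389112
```

Compare this with a 6-digit PIN (one million combinations): the entire pattern space is smaller, and real users draw from a far smaller subset of it, which is why the lockout and rate limiting on the lock screen, not the pattern itself, carry most of the security.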
Knowledge-based authentication schemes are generally used as one-shot, static, or unimodal authentication types (refer to Table 1). Owing to their usability issues, they are prone to several attacks, such as smudge attacks [66], shoulder surfing or observation attacks [61, 67], dictionary-based attacks, and rainbow table password attacks [68]. Recently, Mehrnezhad et al. [69] demonstrated the recovery of an entered PIN or password from sensor data collected while users were entering their secrets. They implemented PINlogger.js, a JavaScript-based side-channel attack capable of recording motion and orientation sensor streams without requiring any permission from the user. The attack resulted in 94% accuracy in recovering the correct PIN within just three attempts. Similarly, Sarkisyan et al. [70] demonstrated an approach that exploits smartwatch motion sensors to recover entered PINs. They infected smartwatches with malware to gain access to the motion sensors and inferred user activities and PINs. In a controlled scenario, the authors obtained PINs within 5 guesses with an accuracy of at least 41% using a random forest classifier over a dataset of 21 users.

Something You Have.
As described in Section 2.1.2, smartphones are utilized for authentication purposes in several sensitive operations by means of OTP via SMS, offline OTP generated by apps, or pairing with wearable devices, for example, smartwatches, smartglasses, and smartcards. However, this approach to enhancing security with multifactor authentication, that is, topping knowledge-based authentication with token-based authentication (one-time passcodes), is undermined by interception attacks, for example, MITM (man-in-the-middle) and MITPC/Phone (man-in-the-PC/phone) [73]. Software-based OTP solutions also do not guarantee the confidentiality of the generated passwords or the seeds, as the mobile OS could be compromised; at the same time, they could also suffer from denial-of-service conditions on account of mobile OS crashes [74].
Adversaries using real-time phishing or interception attacks could obtain users' secret information and valid OTPs by breaking into their smartphones [75]. As reported in the Verizon Data Breach Investigations Report [76], NIST stopped recommending two-factor authentication via SMS, as malicious code infesting mobile endpoints can surreptitiously capture second factors delivered by SMS or offline OTPs generated by apps. Secure device pairing schemes allow access to the smartphone by pairing it with a trusted Bluetooth device, such as a smartwatch, and using that device to unlock the phone. From the usability point of view this concept is a very elegant solution, but it is not safe from insider attacks or sniffing attacks [77, 78].
Token-based authentication (TBA) schemes are used in multifactor, adaptive, dynamic, and risk-based authentication types (Table 2). Unfortunately, they do not add much to usability because users are required to always carry and manage an additional piece of hardware for the sole purpose of authentication. As a result, Braz and Robert [40] gave a usability rating of 3 (out of 5) to one-time code generator devices. Additionally, Belk [79] mentioned that token-based authentication mechanisms incur more cost to users and are comparatively slower. According to a study by Zink and Waldvogel [82], 83.3% of users considered that the SMS-based transaction authentication number is not a usable solution. Another in-depth usability study by Krol et al. [81] evaluated 2-factor authentication with 21 online banking customers (16 of the 21 had multiple accounts with more than one bank). In total, 90 separate login sessions of all the participants were collected meticulously over a period of 11 days. Their analysis showed that approximately 13.3% of sessions faced problems due to mistyped credentials, misplaced tokens, forgotten credentials, and so on.

Something You Are: Physiological Biometrics.
Mobile device manufacturers have started embedding biometric sensors in their flagship smartphones for reliable and convenient user authentication, with the intuition that biometric approaches are better than conventional authentication schemes. For example, Apple, Huawei, Lenovo (Motorola), Microsoft (Nokia), Samsung, and many other leading manufacturers have integrated fingerprint sensors, iris scanners, and face recognition algorithms in some of their high-end devices. These advancements are akin to replacing a hay castle with a glass house to ward off attacks from sophisticated cyber pirates. Physiological biometrics, for example, face, fingerprint, iris, and eyes, are commonly used as one-shot or multifactor/multimodal (combined with other modalities) authentication schemes for smartphones (Table 4). However, biometric systems have been shown to be exposed to different types of attacks, for example, impersonation, replay, spoofing, and hill climbing [95], exposing their security loopholes. These schemes suffer from data leakage; that is, a user's face can easily be found on social media websites, or his or her fingerprints can be extracted from photos of hand gestures, to mount a presentation attack [96] against them. Additionally, these solutions also suffer from a lack of secrecy [97] and vulnerability to various spoofing attacks [98].
Recent research has shown that these schemes can be defeated with almost negligible investment and effort. For example, the iPhone X Face ID was fooled with a 3D-printed mask costing approximately $150 [100], while the Samsung S8 facial recognition technology [99] was fooled simply with a photo of the owner. Similarly, the German Chaos Computer Club defeated the Samsung Galaxy S8 iris scanner [102], within a month of the S8 launch, with a dummy eye made from a picture of the iris taken by a digital camera in night mode and covered with a contact lens to match the curvature of the eye. The same club had earlier defeated the iPhone 5S fingerprint sensor within two days of the device going on sale worldwide [103]. Their team photographed a glass surface bearing a user's fingerprint and created a "fake fingerprint" on a thin film to unlock the phone. Isao Echizen [104], a researcher at Japan's National Institute of Informatics (NII), demonstrated that fingerprints can be recreated from photos taken from as far as three meters away, without any sophisticated process, and warned that casually making a peace sign in front of a camera could lead to fingerprint theft.
From the usability perspective, smartphone users have not shown an optimistic inclination toward physiological biometric-based authentication schemes. For example, De Luca et al. [49] found that smartphone users felt as if they were taking selfies all day to authenticate themselves. Additionally, the performance of these schemes is affected by several exogenous factors, such as accessories, camera movement, capturing distance, clothing, illumination, interoperability of the sensors, noise, occlusion, operators, postures, and training, which make the authentication process more challenging and less usable [106-109].

Something You Are: Behavioral Biometrics.
Behavioral biometrics [111] have been described as the future of user authentication. Thus, the focus of research has shifted to developing newer behavioral biometric-based solutions. For example, e-wallet, m-commerce, and mobile banking applications are some of the sensitive domains where behavioral biometric-based solutions have proved handy in authenticating customers on their smartphones.
Although behavioral modalities are not considered unique enough for identification purposes, they have proved sufficiently distinctive for user authentication [112, 113]. One or more modalities can be combined to increase accuracy and enhance usability. These schemes could be stitched onto existing user authentication mechanisms as an additional transparent authentication layer [8, 9, 114], enhancing the reliability of the whole authentication process without affecting usability. Behavioral biometric techniques can be deployed as adaptive, continuous, multimodal, risk-based, or transparent authentication (Table 5).
Table 4: Synopsis of physiological biometric modalities on smartphones.
Modalities: face [99, 100]; eyes [10, 101]; iris [102]; fingerprint [103, 104]
Authentication types: one-shot; multifactor; multimodal
Usability pros and cons indicated: [49, 105-109]
Security solutions or concerns reported: [17, 95-97, 99, 100, 102-104, 110]

Gait recognition is the process of identifying or verifying individuals on the basis of their walking style. In clinical applications, human gait was already being utilized for studies related to a person's health, and nearly 25 key gait patterns were detected using different techniques, such as image processing, floor sensors, and sensors placed on the body [118]. Recently, smartphones and wearable devices have also started utilizing gait for authentication purposes [128]. As users are not required to perform any explicit interaction with their devices, the gait modality can be collected unobtrusively, which makes it convenient for a user-friendly access system [116]. Muaaz and Mayrhofer [116] evaluated the security strength of a smartphone-based gait recognition system against zero-effort and live minimal-effort impersonation attacks under realistic scenarios and achieved an equal error rate (EER) of 13% on a dataset of 35 participants. However, more testing is required to check the robustness against impersonation attacks. Hestbek et al. [117] introduced a method using wearable sensors and noncyclic feature extraction and achieved an 18.92% half total error rate (HTER) on a dataset of 36 users. Similarly, grip is another natural way to authenticate users. It is robust too, as the finger movements and pressure applied while gripping the mobile device are not visible and are difficult for an impostor to replicate or imitate. Murao et al. [124] proposed a grip-based authentication solution, which profiles grip gestures using pressure sensors mounted on the lateral and back sides of a smartphone, and achieved a 2% EER, which is comparable to face recognition-based authentication. Keystroke or touch dynamics refers to the typing characteristics (arising from timing differences) of individuals, used to fingerprint their identity. Researchers have proved its effectiveness in both fixed-text and text-independent scenarios. Since designing such systems does not require any additional dedicated hardware and data can be collected unobtrusively, they have been widely tested and evaluated [9, 114]. Zheng et al. [115] proposed an authentication mechanism based on tapping; they collected tapping data from over 80 users, and their system achieved high accuracy with an average 3.65% EER. Another bimodal authentication scheme, developed using a client-server architecture for online financial environments, achieved a 96% true acceptance rate (TAR) and 0.01% false acceptance rate (FAR) using 15 training samples on a dataset of 95 users [9]. This scheme used motion-based touch-typing biometrics, that is, touch typing and phone movements, and collected data transparently while users entered their credentials to sign in to their banking apps using an 8-digit PIN/password [9], while the "touchstroke" scheme used a 4-digit PIN/password [114]. Buriro et al. [8] proposed, implemented, and evaluated the "Hold and Sign" scheme on commercially available smartphones and achieved 95% TAR on a dataset of 30 volunteers. This was a bimodal behavioral biometric based on the user's smartphone holding style, examining the hand and finger micromovements of users while they signed on the device's touchscreen. In another approach, Buriro et al. [113] proposed multimodal behavioral biometrics (swipe, pickup movement, and voice) for user authentication on smartphones and reported a 7.57% HTER in an experiment involving 26 participants.
Brunet et al. [123] experimented with the voice modality for user authentication on a public database (the Sphinx Database of Carnegie Mellon University [129]). They digitized the user's voice, extracted Mel Frequency Cepstral Coefficient (MFCC) features, computed the Euclidean distance to authenticate the user, and reported an EER of 4.52%. Behavior profiling techniques build a user profile from the applications and services used in the past and compare it against the user's current activity in real time [5]. If any significant variation is observed, the system can take action against a possible intrusion. Sultana et al. [119] combined social behavioral information about individuals, extracted from online social networks, with traditional face and ear biometrics to enhance the performance of traditional biometric systems.
Studies suggest that no single biometric trait fits all scenarios; however, multimodal biometric approaches can address most of the limitations of unimodal systems [121,122,125]. Selecting suitable modalities and combining them systematically most often increases accuracy, usability, and security. In a study by Saevanee et al. [126], the unimodal systems, namely behavior profiling, keystroke dynamics, and linguistic profiling, proved less accurate, yielding EERs of 20%, 20%, and 22%, respectively; applying matching-level fusion decreased the error rate significantly (EER 8%). Additionally, using users' transparent characteristics for data collection and classification also increases the usability of the system. Thus, in order to furnish users with adequate security, better usability is also required when designing authentication solutions for smartphones.

One-Shot Authentication.
One-shot authentication schemes are designed to authenticate a user at the initiation of a session (the subject's identity is verified only once, just before allowing access to the resources) [16,18]. Roth et al. [18] also discussed the limitations of one-shot authentication, such as short sensing time, inability to rectify decisions, and enabling access for potentially unlimited periods of time. Meng et al. [17] introduced the term one-off authentication for one-shot authentication. They also concluded that authenticating just once leaves impostors the possibility of gaining access to the current session and retrieving sensitive information from the mobile phone.

Table 5 (row): Synopsis of behavioral biometrics.
Modalities | Authentication types | Usability pros and cons indicated | Security solutions or concerns reported
Touch [9,113]; keystroke [115]; hold [8]; gait [116-118]; behavior profiling [119] | Adaptive; continuous; multimodal; risk-based; transparent | [3, 5, 10, 113, 119-121] | [8, 12, 29, 112, 113, 115-117, 122-127]

end], P, auth}" holding of three prime attributes, where "begin" is the authorization start date, "end" is either the constant ∞ or a deauthorization date after the start date, "P" is the duration of a session, and "auth" is an authorization function. Feng et al. [4] determined that periodic authentication or automatic logouts are more detrimental, while one-shot authentication solutions are prone to a wide variety of attacks. Typing an error-free username and/or password on a smartphone keyboard is a tedious task, especially when an average user initiates 76 phone sessions a day [51]. Single sign-on (SSO) has been seen as the solution to this problem.

Single Sign-On.
Single sign-on (SSO) enables users to sign in to an app using a single or federated identity, for example, Facebook, Twitter, and Google+. This concept is, however, severely risky for mobile devices, as they are more likely to be misplaced or inadvertently shared with someone. In an SSO system, the user is authenticated to a single identity provider (IDP), which acts as a trusted party between the user and multiple service providers (SPs); on the user's request, the IDP generates an authentication token for a specific SP asserting the user's identity, and in turn the SP allows the user to access its services [20]. Once authenticated to the system, users can access different applications through SSO. SSO is further divided into two categories, Enterprise Single Sign-On (ESSO) and Reduced Sign-On (RSSO) [21]. ESSO enables a user to enter the same ID and password to sign in to multiple applications within an enterprise domain. The system is considered the least secure, because a curious adversary could attempt to spoof it, resulting in identity theft; therefore, it is also known as RSSO.
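The IDP-to-SP token exchange described above, reduced to its security checks, as an added example that is not code from the paper or from any cited SSO product. The IDP authenticates the user once and mints a short-lived token bound to one specific SP (the "aud" field); each SP verifies the HMAC signature, the audience and the expiry before granting access, so a token issued for one SP cannot be replayed at another, which is the check that matters most once a device holding many SSO tokens is lost or shared. The shared key, token layout, field names and TTL are assumptions of this example; real deployments use OpenID Connect or SAML, which encode the same checks.

```python
import base64
import hashlib
import hmac
import json

# Constructed key shared by the IDP and its SPs (assumption for the example).
IDP_KEY = b"idp-signing-key-for-demo-only"
TOKEN_TTL_SECONDS = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def idp_issue_token(user: str, audience: str, now: float, key: bytes = IDP_KEY) -> str:
    """IDP side: after the user has authenticated, assert `user` to exactly one SP."""
    payload = {
        "sub": user,
        "aud": audience,                      # the SP this token is meant for
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,  # short lifetime limits replay
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body, key)}"


def sp_verify_token(token: str, expected_audience: str, now: float, key: bytes = IDP_KEY):
    """SP side: return the asserted user, or None if any check fails.

    The signature is checked before the payload is parsed, so unsigned or
    tampered input never influences the decision."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    # Constant-time comparison: signature checking must not leak timing.
    if not hmac.compare_digest(sig, _sign(body, key)):
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("aud") != expected_audience:
        return None                           # minted for a different SP
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None                           # expired (or malformed expiry)
    return payload.get("sub")


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    token = idp_issue_token("alice", "bank-app", t0)
    print(sp_verify_token(token, "bank-app", t0 + 10))    # alice
    print(sp_verify_token(token, "shop-app", t0 + 10))    # None: wrong audience
    print(sp_verify_token(token, "bank-app", t0 + 600))   # None: expired
```

The audience check is the part most often omitted in home-grown SSO: without it, any SP that receives a token can present it to every other SP the same IDP serves.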

Multifactor Authentication.
Security experts also suggest the use of multifactor authentication, which processes multiple factors simultaneously for verification [27].
In multifactor authentication, a PIN or password is generally the baseline, while further factors can be added from a wide variety of available sources to verify users (Figure 5). As Figure 5 shows, the level of authentication increases with the number of factors: with only a PIN the level is minimal, but when factors such as tokens and fingerprints are added, the level of authentication tends to increase proportionally.
The most common mechanism is a secondary code that is either delivered via SMS to the registered mobile number or obtained directly from a secure authenticator mobile app. Other forms of multifactor authentication involve a smart card or smart token issued to the user, biometrics such as face or fingerprint scans, or a dedicated code generator linked to the user's account [25]. The concept rests on the notion that not all authentication factors can be compromised at the same time. Stanislav [26] explained various technical methods by which two-factor authentication can be implemented.

Static versus Dynamic Authentication.
A static authentication process, like other authentication types, consists mainly of three steps: enrollment, presentation, and evaluation, as illustrated in Figure 6, and the outcome of the evaluation is a binary decision [29]. In the enrollment step, the system generates a feature template by processing the information gathered from the user, profiles the feature vectors under the user's label, and stores them for later evaluation or matching. During the presentation step, the system asks the user to present his or her credentials. In the final step, evaluation, the information given by the user is compared with the stored template of the claimed identity, and access is granted or denied according to the match result.
Static authentication verifies the individual's identity only at the start of a session, as one-shot authentication does, whereas in dynamic authentication the user is presented with a varying set of challenges to enable dynamic scaling of access controls. Ren and Wu [28] described dynamic authentication as a scheme that uses a one-time password derived from the user's password, the authentication time, and a unique attribute known only to the user.
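The enrollment, presentation and evaluation steps just described, applied to a static behavioral verifier over keystroke timing, together with the FAR, FRR and EER figures used throughout the behavioral-biometrics section and the matching-level score fusion that Saevanee et al. apply across modalities. This is an added example, not code from the paper or from any surveyed study. The feature choice (key hold times and inter-key latencies in milliseconds), the z-score distance, the thresholds and every sample value are constructed for illustration; none of the numbers come from the cited papers.

```python
from statistics import mean, pstdev
from typing import Dict, List, Sequence

Template = Dict[str, List[float]]


def enroll(samples: Sequence[Sequence[float]]) -> Template:
    """Enrollment: profile the user's feature vectors as per-feature mean and std."""
    per_feature = list(zip(*samples))
    return {
        "mean": [mean(f) for f in per_feature],
        "std": [max(pstdev(f), 1e-3) for f in per_feature],  # guard against zero spread
    }


def match_score(template: Template, sample: Sequence[float]) -> float:
    """Evaluation: mean absolute z-score of the presented sample; lower is closer."""
    return mean(abs(x - m) / s for x, m, s in zip(sample, template["mean"], template["std"]))


def decide(template: Template, sample: Sequence[float], threshold: float) -> bool:
    """Presentation followed by evaluation: a single accept/reject decision."""
    return match_score(template, sample) <= threshold


def far_frr(genuine: Sequence[float], impostor: Sequence[float], threshold: float):
    """FAR: impostor presentations accepted; FRR: genuine presentations rejected."""
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> float:
    """EER: sweep the threshold over the observed scores, take the point where
    FAR and FRR are closest, and report their mean there."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[0] - best[1]):
            best = (far, frr)
    return (best[0] + best[1]) / 2


def fuse_scores(*per_modality: Sequence[float]) -> List[float]:
    """Matching-level fusion: one fused score per presentation, averaged across modalities."""
    return [mean(scores) for scores in zip(*per_modality)]


if __name__ == "__main__":
    # Constructed enrollment data: [hold(k1), hold(k2), latency(k1->k2)] in ms.
    owner_samples = [[98, 104, 151], [102, 99, 147], [95, 107, 155], [105, 101, 149]]
    tpl = enroll(owner_samples)
    print(decide(tpl, [100, 103, 150], threshold=2.0))   # owner-like: True
    print(decide(tpl, [140, 160, 230], threshold=2.0))   # impostor-like: False
    # Constructed per-presentation scores for two modalities (touch, hold).
    genuine_touch, genuine_hold = [0.5, 0.8, 1.0, 1.2, 2.5], [0.7, 2.4, 0.9, 1.1, 0.6]
    impostor_touch, impostor_hold = [0.9, 1.8, 2.2, 2.9, 3.5], [2.7, 2.9, 3.0, 1.0, 3.3]
    print(equal_error_rate(genuine_touch, impostor_touch))   # 0.2
    print(equal_error_rate(genuine_hold, impostor_hold))     # 0.2
    print(equal_error_rate(fuse_scores(genuine_touch, genuine_hold),
                           fuse_scores(impostor_touch, impostor_hold)))   # 0.0
```

The constructed scores are chosen so that each modality misjudges a different presentation; averaging them separates the two populations completely, which is the effect the fusion results above report, while a single threshold on either modality alone cannot.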

Continuous Authentication.
Continuous authentication is a mechanism that repeatedly verifies the identity of a user for the entire duration of an authorized session, as illustrated in Figure 7 [29]. More specifically, it constantly verifies a user's identity and locks the system once a change in the user's identity is observed [29]. The continuous authentication process iterates dynamically through the three steps (Figure 6) throughout the session; the iterations can be event-based, scheduled at fixed intervals (periodically), or randomly timed [29]. This overcomes the limitation of one-shot authentication, where authentication happens only at login and any later change of user goes undetected [130]. Behavioral biometric-based continuous authentication solutions have proved attractive to researchers in this domain because behavioral modalities can be collected and used unobtrusively for authentication purposes [30]. However, continuous authentication, active authentication, implicit authentication, and transparent authentication have been used interchangeably in many papers [10,120,131,132]. Patel et al. [5] considered continuous authentication and active authentication systems as similar and explained them as continuous monitoring of user activities after the initial access to the mobile device. Active authentication, as defined by Stolerman et al. [132], is the process of continuously verifying users based on their ongoing interaction with the device. The Defense Advanced Research Projects Agency (DARPA) started the Active Authentication program [133] to seek solutions that shift the focus of authentication from the password to the person.
The first phase of the Active Authentication program focused on behavioral traits, that is, the cognitive fingerprint, which can be processed without additional sensors.
According to Fridman et al. [134], active authentication is the problem of continuously verifying the identity of an individual. They conducted an experiment using Android mobile devices and collected several biometric modalities, namely text entered via the soft keyboard, applications used, websites visited, the physical location of the device as determined from GPS (when outdoors) or WiFi (when indoors), and stylometry, from approximately 200 volunteers over a period of at least 30 days. Their authentication system achieved an EER of 0.05 (5%) after 1 minute of user interaction with the device and an EER of 0.01 (1%) after 30 minutes in identifying a legitimate user. Another stylometry-based continuous authentication scheme achieved an EER of 12.42% for message blocks of 500 characters using a support vector machine (SVM) for classification [135]. However, stylometry-based authentication schemes must still improve on accuracy, delay, and resistance to forgery.
Khan et al. [120] noted that implicit authentication employs behavioral biometrics in a continuous and transparent manner to recognize and validate smartphone users' identity, and conducted a field study of the usability and security perceptions of implicit authentication with 37 participants. Their experiment indicated that 91% of participants found implicit authentication convenient and 81% perceived the protection level to be satisfactory. Transparent authentication [10] was suggested as an alternative authentication mechanism with minimal or no noticeable involvement of users. It implicitly authenticates users on the basis of their unique interactions with the device and derives authentication decisions from them. Feng et al. [4] used the terms transparent and continuous for their Finger-gestures Authentication System using Touchscreen (FAST), which protects the mobile system. The approach captures touch data transparently without interfering with the user's normal interaction with the device. After the user's login, FAST continues to authenticate the mobile user in the background using touch data intercepted from normal user-smartphone interactions.
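A session monitor of the kind the continuous and active authentication schemes above rely on, as an added example that is not code from the paper or from any cited system. Each user interaction is scored by a behavioral verifier (lower score means more like the enrolled owner); the monitor keeps a trust level that genuine-looking events raise and impostor-looking events lower, decays trust while the device sits idle, and locks the session once trust falls below a threshold, so a change of user is caught instead of the session staying open indefinitely as under one-shot authentication. Both event-based and periodic iterations are shown. The penalty/reward trust model, all constants and the event stream are assumptions of this example.

```python
from typing import List, Optional, Sequence, Tuple

TRUST_MAX = 100.0
LOCK_BELOW = 40.0          # lock when trust drops under this
MATCH_THRESHOLD = 1.5      # verifier scores at or below this look genuine
REWARD = 4.0               # trust gained per genuine-looking event
PENALTY = 15.0             # trust lost per impostor-looking event
IDLE_DECAY_PER_SECOND = 0.5


class ContinuousSession:
    def __init__(self, now: float):
        self.trust = TRUST_MAX          # the one-shot login establishes full trust
        self.locked = False
        self.last_seen = now
        self.events: List[str] = []

    def _decay(self, now: float) -> None:
        idle = max(0.0, now - self.last_seen)
        self.trust = max(0.0, self.trust - idle * IDLE_DECAY_PER_SECOND)
        self.last_seen = now

    def _evaluate(self, now: float) -> bool:
        if self.trust < LOCK_BELOW:
            self.locked = True
            self.events.append(f"t={now:g}s: locked, trust={self.trust:g}")
        return not self.locked

    def on_interaction(self, score: float, now: float) -> bool:
        """Event-based iteration: one verifier score per interaction.
        Returns True while the session stays open."""
        if self.locked:
            return False
        self._decay(now)
        if score <= MATCH_THRESHOLD:
            self.trust = min(TRUST_MAX, self.trust + REWARD)
        else:
            self.trust -= PENALTY
        return self._evaluate(now)

    def on_timer(self, now: float) -> bool:
        """Periodic iteration: nothing to score, only idle decay, so a device
        left unattended does not keep stale trust forever."""
        if self.locked:
            return False
        self._decay(now)
        return self._evaluate(now)


def run_stream(stream: Sequence[Tuple[float, float]], start: float = 0.0) -> Optional[int]:
    """Feed (time, score) pairs to a fresh session; return the index of the
    event that locked it, or None if it stayed open."""
    session = ContinuousSession(start)
    for i, (t, score) in enumerate(stream):
        if not session.on_interaction(score, t):
            return i
    return None


if __name__ == "__main__":
    # Constructed stream: the owner uses the phone, then hands it over (or
    # loses it) and from event 3 the scores start looking like an impostor.
    stream = [(5, 0.8), (10, 1.1), (15, 0.9), (20, 3.2), (25, 2.8), (30, 3.5), (35, 4.0)]
    print(run_stream(stream))      # 6: the fourth impostor-looking event locks it
    s = ContinuousSession(0.0)
    print(s.on_timer(200.0))       # False: idle decay alone locked the session
```

The asymmetry between reward and penalty is deliberate: a few impostor-looking events lock the session quickly, while the owner's occasional poor sample only nudges trust down, which keeps the false-rejection cost of continuous checking tolerable.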

Risk-Based Authentication.
ClearLogin [136] defines risk-based user authentication as a method that adapts authentication levels to the apparent risks in order to mitigate potential intrusions before they happen. Existing risk-based user authentication schemes generate a risk profile to determine the complexity of the challenge used to authenticate a user during a session; that is, higher-risk profiles lead to stronger authentication, whereas the usual authentication scheme should be sufficient in normal scenarios [137]. Identity Automation [138] considers risk-based user authentication similar to adaptive authentication, because both adjust the stringency of the authentication process to the likelihood that access to a given system could result in its compromise.
Earlier risk-based user authentication mechanisms were based mainly on contextual or historical user information, or both [139]. Furthermore, these systems used ad hoc or simplistic risk management models based on rule-based techniques, which proved ineffective due to human factors [140]. Nowadays, however, as NuData Security [34] notes, risk-based authentication schemes are being fueled by behavior piercing technology that gives maximum security with minimal interruption to the user experience. Risk-based user authentication can be applied from two different perspectives: proactive or reactive [12]. When applied proactively, risk-based authentication actively anticipates the genesis of potential attacks, failures, or other security issues and takes prompt action. In contrast, reactive risk-based authentication accepts some of the risk until the risk score goes beyond the permissible threshold, at which point reauthentication is required.

Adaptive Authentication.
Adaptive authentication [141] is a way of configuring and deploying two- or multifactor authentication on the basis of a risk assessment. Thus, it is a method for selecting the authentication factors appropriate to the situation according to the user's risk profile and tendencies. It can be deployed as follows:
(i) By setting static policies based on risk levels for different factors, such as user role, resource importance, location, time of day, or day of the week
(ii) By learning users' day-to-day activities from their habits to generate dynamic policies
(iii) Lastly, by combining static and dynamic policies
Hulsebosch et al. [35] exploited the ability to sense and use context information to augment or replace traditional static security measures, making them adaptable to a given context and thereby less intrusive, to derive context-sensitive adaptive authentication. The RSA Risk Engine [36] uses a self-learning risk model and adapts itself on the basis of received feedback. The feedback loop includes case resolution and genuine or failed authentication results as well as chargeback files, for adaptive authentication in e-commerce (Figure 8).
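A small risk engine of the kind the risk-based and adaptive authentication passages above describe, as an added example that is not code from the paper or from any cited product. It combines the three deployment options just listed: (i) static policies over resource importance, location, time of day and device; (ii) a dynamic per-user profile learned from past accepted sessions; and (iii) both together to pick which authentication factors to demand. Risk weights, thresholds, factor names and the request fields are assumptions of this example; the behavioral score stands for whatever implicit verifier the device runs (lower means more like the owner).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# (i) Static policy: assumed base risk per resource and per context signal.
RESOURCE_RISK: Dict[str, int] = {"balance": 10, "settings": 30, "transfer": 40}
UNKNOWN_RESOURCE_RISK = 20
NEW_LOCATION = 25
UNUSUAL_HOUR = 10
NEW_DEVICE = 30
WEAK_IMPLICIT_MATCH = 20
IMPLICIT_THRESHOLD = 1.5


@dataclass
class AccessRequest:
    user: str
    resource: str
    location: str          # coarse label, e.g. a city or cell area
    hour: int              # local hour 0-23
    device_id: str
    implicit_score: float  # behavioral verifier output, lower is more owner-like


@dataclass
class UserProfile:
    """(ii) Dynamic policy: habits learned only from sessions that were accepted."""
    locations: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)

    def learn(self, req: AccessRequest) -> None:
        self.locations.add(req.location)
        self.hours.add(req.hour)
        self.devices.add(req.device_id)


def risk_score(req: AccessRequest, profile: UserProfile) -> int:
    """(iii) Static weights applied to deviations from the learned profile."""
    score = RESOURCE_RISK.get(req.resource, UNKNOWN_RESOURCE_RISK)
    if req.location not in profile.locations:
        score += NEW_LOCATION
    if req.hour not in profile.hours:
        score += UNUSUAL_HOUR
    if req.device_id not in profile.devices:
        score += NEW_DEVICE
    if req.implicit_score > IMPLICIT_THRESHOLD:
        score += WEAK_IMPLICIT_MATCH
    return min(score, 100)


def required_factors(score: int) -> List[str]:
    """Map the risk score to a step-up level (assumed thresholds)."""
    if score < 30:
        return ["implicit"]              # transparent authentication only
    if score < 60:
        return ["implicit", "pin"]       # plus something you know
    return ["implicit", "pin", "otp"]    # plus something you have


def authenticate(req: AccessRequest, profile: UserProfile, presented: Set[str]) -> bool:
    """Grant only if every required factor was presented, and update the profile
    only then, so that rejected (possibly impostor) sessions teach it nothing."""
    needed = required_factors(risk_score(req, profile))
    if not set(needed).issubset(presented):
        return False
    profile.learn(req)
    return True


if __name__ == "__main__":
    alice = UserProfile({"home-city"}, set(range(8, 23)), {"phone-1"})
    usual = AccessRequest("alice", "balance", "home-city", 12, "phone-1", 0.9)
    odd = AccessRequest("alice", "transfer", "other-city", 3, "tablet-9", 2.4)
    print(required_factors(risk_score(usual, alice)))   # ['implicit']
    print(required_factors(risk_score(odd, alice)))     # ['implicit', 'pin', 'otp']
```

Updating the profile only after a fully authenticated session is the check that keeps the dynamic policy from being trained by an attacker: a request from a new device that is answered with the stronger challenge does not make that device "known" unless the challenge is passed.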

Unimodal and Multimodal Authentication Systems.
Unimodal authentication systems use a single modality for establishing user identity, whereas multimodal authentication systems include multiple modalities (sources of information) [39]. The terms unimodal and multimodal are more associated with biometric systems, where person recognition is based on distinctive personal traits or characteristics [37]. Unimodal physiological biometrics based on face, fingerprint, and iris are already deployed on smartphones; multimodal systems, however, are yet to be deployed. Behavioral biometric solutions based on touch-stroke dynamics, voice, gait, and so on have been widely tested and evaluated by researchers, but their deployment on smartphones is still awaited.
Jain et al. [38] showed that multimodal biometric systems driven by multiple biometric sources generally achieve better recognition performance than unimodal systems. According to the type of modalities used, multimodal biometric systems can be further divided into three categories: (1) multiphysiological, (2) multibehavioral, and (3) hybrid multimodal systems [142].
The multiphysiological category includes multimodal biometric systems in which only physiological traits, such as face, fingerprint, and iris, are fused at different levels, whereas a multibehavioral system combines data from keyboard, mouse, and graphical user interface interactions. A hybrid multimodal system [143] fused face, ear, and signature with social network analysis at the decision level to enhance biometric recognition performance.
Researchers have been actively working on combining different modalities to develop multimodal solutions; however, these systems have yet to appear in real products.

Conclusion
In this paper, we presented the gist of the ways and types of user authentication concepts in the context of smartphones. We surveyed the different state-of-the-art solutions proposed over the years and attempted to homogenize the correlated buzzwords used in this field, with the motivation of helping new researchers understand these concepts. We then evaluated the related work on the ways and types of user authentication mechanisms available for smartphones on the basis of their usability and security. We also discussed design goals for usable authentication systems and usability evaluation methods.
[Figure residue; recoverable text only] Figure 3(a): the OTP could be sent via SMS to the registered number; Figure 3(b): the user could generate the OTP offline on the mobile apps provided by service. Factor labels: Something you know; Something you have; Something you are.

Table 1: Synopsis of knowledge-based schemes.

Table 5: Synopsis of behavioral biometrics.