Content uploaded by Prashant Shrivastava
Author content
All content in this area was uploaded by Prashant Shrivastava on Sep 28, 2019
Content may be subject to copyright.
E_ICKCT38
Abstract - In the last few years increase in usage of technology has enhanced connectivity between businesses through internet. Lot of
websites are developed for connecting businesses and used by lot of users. These websites carries sensitive business data that
certainly must be secured. Authentication is the most widely and commonly used method of access control in such implementations.
It allows only legal registered users to be allowed to use the website resources and services in an authorized way. It is widely seen
that people generally use the same passwords for many different applications and websites. It cannot be denied that few of these
websites may transfer the password without unencrypted form which may lead to be easily sniffed and restored. Another issue with
passwords is typing the password while sitting next to other person where few passwords characters have the possibility of being
revealed. To avoid the problems of one time authentication and possibility of stealing of information the recent research is focused on
active authentication. One of the ways of achieving active authentication is through Biometrics.
This paper presents a comprehensive inputs on the research work done in last few years on authentication through Biometric. The
key objective of this paper is to summarize and provide details on well-known approaches and challenges. The key advantage of
Biometric authentication of system is that biometrics cannot be stolen or can be lost.
Index Terms— Active Authentication, Continuous Authentication, Passive Authentication, Biometrics, Security, Privacy
I. INTRODUCTION1
ODERN human society is rapidly moving towards
digital era. New developments in touch and
communication technologies are leading to increase in the
use of mobile devices such as tablets and smartphones.
With the increase in the usage of mobile devices it has
brought worry about the security and privacy as the loss of
mobile device or been used by some other unexpected user
can lead to compromise personal information of the user.
To get over with such problem, active authentication also
known as continuous authentication is been proposed in
which users are continuously monitored by the system after
the first initial access to the device.
M
Existing standard methods for validating a user’s
identity for authentication on digital information systems
requires humans to provide something inherently different
from day to day activities such as - create some unique
complex password and remember them. Moreover as long
as the application sessions remain active typically the
systems provide no mechanisms to verify if the person
originally authenticated is the same person who is still in
control of the input devices for interaction. Unauthorized
users can obtain access to the application or digital
information system, if password is compromised or else the
user does not use adequate vigilance after the initial
authentication.
Traditional authentication models have only focused on
verifying the user’s identity only the initial time, as a result
active authentication models are needed to continuously
1 Submitted on December, 01, 2016 and modified on December, 05, 2016
Dr. Dhanalakshmi R, is with KCG College of Technology, Anna
University, Chennai, TN 600 097, India. She is Professor in Department of
Computer Science & Engineering (e-mail:
dhanalakshmi.cse@kcgcollege.com).
Prashant Shrivastava is with L&T Infotech, Chennai, TN 600 089, India.
He is working as Senior Project Manager and is research scholar in Computer
Science & Engineering Department, Hindustan University (e-mail:
prashant.shrivastava@lntinfotech.com).
and uninterruptedly validate that a user is certainly the
actual authenticated user throughout the user's active
session. In this paper we try to find the application of
Biometric for implementing active authentication.
Biometrics is the type of study of automated methods for
uniquely identifying people based on physical and
behavioral traits. The Biometric system first identifies a
person from the entire registered dataset by searching a
database for a match based on the biometric. Next
Biometric system authenticates a person through claimed
identity from their previously existing pattern.
II.TRADITIONAL VS. MODERN AUTHENTICATION
Traditional authentication is mostly done using
password. This is not sufficient to use only password as it
is prone to brute force attacks, wild guessing etc.
Additional authentication procedures are required to add
more security to password usage. It could be using human
physical and body characteristics as one of the solutions to
perform active authentication. Biometrics such as face,
fingerprints and iris are few of possible biometric
characteristic that are used for active authentication. Each
biometric approach has its own advantages and
disadvantages. The method to choose a particular biometric
characteristic for use for a given authentication application
will widely depends on the application requirements. The
only disadvantage of biometric authentication is the
requirement of few additional tools which definitely
increase cost of implementation.
The need to verify the genuine user identity beyond the
initial authentication led to the research of a new
authentication method that is capable of continuously
validating the authenticity of the authenticated user. This
type of authentication is known as active authentication in
which the system at various points in time attempts to
uninterruptedly verify the active user’s identity. To achieve
this any active authentication system must meet two main
criteria –
Biometric Based Authentication - A
Comprehensive Study
Dr. Dhanalakshmi R, Professor CSE, KCG College of Technology, Prashant Shrivastava, Research
Scholar CSE, Hindustan University
1
• Continuous: The system must constantly verify the
identity of user. The verification can be started
based on time or events. In time-based model, the
system attempt to verify the identity of the active
user based on a predefine time intervals whereas in
an event-based model, the system attempt to verify
the identity of an active user based on the
occurrence of an event or change in state.
• Nonintrusive: The system must function without
interrupting the normal flow of operations by
noninvasive monitoring and verifying the user’s
identity. To fulfill the nonintrusive property, active
authentication models almost always employ
biometrics in their implementations. Biometrics
allows the authentication model to silently in the
background observe the traits of authenticated
users.
III. BIOMETRIC AUTHENTICATION
Biometric-based Authentication Models introduces to the
world many types of biometrics used for active
authentication. It aims to overcome the limitations of
traditional authentication methods which are designed to
verify a user’s identity only at the initial access point and
once the user is authenticated, is presumed to be the valid
user for the complete active session. In active
authentication implementation the system is not designed
to re-verify the identity of a user until the current active
session is expired and the user makes an attempt to access
the system again the next time. As a result any cheat or
fraud authentication cannot be successfully taken over by
the legitimate user’s session as it cannot be left undetected.
Main characteristics of a biometric that should be present
in order to utilize the system for authentication purposes
are –
Uniqueness: The same trait will not repeat in
any two people
Universality: The trait has to occur in many
people as possible
Permanence: The given trait does not change
over time
Measurability: The trait can be measured with
few easy technical instruments
User friendliness: The trait can be easily
measured with least discomfort
Biometrics can be classified into either Passive or Active -
Passive biometrics does not require a user’s
active participation and can be successful
without a person even knowing that they are
been analyzed. Passive biometrics example are -
Voice recognition, Iris recognition, Facial
recognition
Active biometrics does require user’s
cooperation and will not proceed if the user
denies their participation in the process. Active
biometric examples are - fingerprint, Hand
geometry, Retina scanning, Signature
recognition
There is yet another way called multimodal biometric
systems. These biometric systems are those that utilize
more than one physiological (DNA, ear, face, fingerprint,
hand geometry, iris, and retina) or behavioral (gait,
signature, and voice) characteristic for enrollment,
verification, or authentication. Multi-modal biometric
systems can be helpful –
In reducing false non-match and false match
rates of authentication
In providing a secondary means of enrollment,
verification, and identification if sufficient data
can’t be acquired from a provided biometric
sample
In combating attempts to spoof biometric
systems
Through offline data sources such as fake
fingers
IV. BIOMETRIC AUTHENTICATION TECHNIQUES
Biometric security implementations can prevent intrusions
and theft to a greater extent. It can be used for both
identification and verification which are based on
physiological and biological factors. Due to the exponential
growth in the use of biometric devices more active
authentication on them has become the focus of many
researchers. Many biometrics are proposed to continuously
authenticate the users.
A. Biometric Face Recognition
One of the most widely used and popular active
authentication methods is based on the face biometric.
There are many types of biometric authentication ways.
Few are more obvious ones like recognition of face,
fingerprint and voice where as others biometric
authentication systems uses gait recognition and artificial
intelligence that can adjust to the users uniqueness while
utilizing with other methods. In few studies two types of
face recognition rules are used - face verification and face
identification. Face identification is used for comparing
input identity with prior stored existing registered identity.
Face verification is used to authorize appropriate access to
the user.
Some research studies apply a different approach by
combining various attributes such as face recognition,
location tracks, and RFID technology. They provide a
better sense of security as the device detects whether or not
the RFID badge and location is correct and valid. The good
thing about RFID tag is that it is unique to each user. There
are few negative points related with privacy issues that
need to be addressed and overcome. For example RFID
tags can be read and tracked at a distance without the user
has even knowledge about it. Besides the privacy issues
E_ICKCT38
there are some vulnerability to the system based upon face
recognition alone. Two separate intrusion attempts were
made against a facial recognition biometric system –
authentication by image and authentication by a photo
captured by another person. The results of the research
showed that there was an illegal authentication success rate
with a captured image and with just a face photo were
quite high. Based on these results, face recognition does
not looks to be very secure, especially when someone could
use a photo from an online social network such as
Facebook or twitter. More research is required to overcome
these limitations.
Face biometrics usage is modest for users due to
noninvasiveness and ease to get and collect the data with
any regular camera. The algorithms processing the face
images can compare either face geometry or vectors
describing whole face images. In recent past researches on
face 3D models are been conducted. These approaches
allow for face recognition from different angles and reduce
rate of attack. Lighting, camera position, glasses, color of
clothes, aging, and various other face changes can impact
the quality of face recognition. The applications are
developed now so that they can distinguish between a face
and a face image. In addition multiple devices can be
synchronized and used after single authentication.
B. Biometric Fingerprint Recognition
Fingerprint recognition is little more secure and safe
because a fingerprint is extremely unique to a person and
difficult to reproduce. Studies are done on fingerprint
authentication for digital signing based on the X.509
certificate infrastructure. Key feature to this research was
that users can download any third party algorithms and
customize rules. In addition this research was conducted
using an external USB optical fingerprint sensor by using
US National Institute of Standards and Technology
Biometric Image Software.
A different fingerprint authentication method was used in
another paper which had an optical fingerprint reader
utilized as well. The key idea in this research was that 2D
code provides a more effective security rule and QR codes
are found to be more reliable and secure. The data and
information gathered is detailed to various patterns and
few specific characteristics. According to a biometric
evaluation study intrusion attempts were made against a
fingerprint authentication system using an artificial
fingerprint. It is seen that illegal authentication success
rate is quite high. It was noticed that if user’s fingerprint
can be obtained and re-created with plastic and gelatin, a
breach may take place and any sensitive information can be
stolen by the attacker.
Various factors affecting quality of fingerprints acquisition
includes humidity, dirt, pattern location, skin tensility, and
orientation. The technologies used are - optical sensors
which are cheap but easy to circumvent and dirt sensitive;
dirt, capacitive sensors and humidity sensitive; temperature
sensitive, thermal sensors, and ultrasonic sensors,
expensive but hard to circumvent, since they analyze not
only fingerprints but also finger physical properties, such
as blood vessels. Biometrics utilizes three options for
pattern storage - on device, on corporate servers, or service
provider servers.
C.Biometric Voice Recognition
Voice recognition is a method that is easy to apply since it
requires only software for it. Authentication can be
performed by any one of the four schemes, where user has
to speak a fixed phrase, new phrase send by the system
each time, freely chosen phrase, or a conversation which
verifies both knowledge and voice characteristics. Various
factors that affect quality of voice recognition include
background noise, human emotional state, aging, or
respiratory diseases.
As a combined research method, one study researched both
fingerprint and voice recognition together. Since we have a
better understanding of how fingerprint authentication
works. The idea behind the research was that three seconds
was coded into the cell phone’s database. Once the voice
was digitized, new input were compared to previous
recordings for verification. This adds extra protection
against breaching this method. Another study used a
biometric voice recognition system which exchanged a
digital signature token encrypted and confirmed by voice.
According to an evaluation study, penetration attempts
were made against a voice authentication system by
applying a recorded voice. The results observed that an
illegal authentication success rate was high. It is clearly
seen that voice authentication would be easier to overcome
than fingerprint authentication. A session key exchanged
during communication and verified by voice is a better
solution than just a standard voice recognition method.
D.Biometric Gait Recognition
Gait is a behavioral biometric and may not remain
invariant over a long period of time. This could be due to
injuries involving joints or brain or could be due to
fluctuations in body weight. This technique could be an
acceptable biometric since collecting data of gait is similar
to acquiring a facial picture. It can use video –sequence
footage of a walking person to get different movements of
each articulate joint. These methods are computationally
expensive and input intensive.
As against to independent authentication systems such as
face, fingerprint, and voice recognition, various other
methods have been proposed to involve all three and more.
One study on gait recognition showed how cell phone
authentication could be implemented by gathering gait
data. Essentially Gait recognition verifies by automatic
authentication by the way a person walks. In cases where a
user is not walking, a PIN would be required instead. This
method is unassuming because it is always recording and
gathering data without the user having to make any
physical inputs. For gait recognition to be more successful,
three approaches were utilized - Machine Vision Based,
Floor Sensor Based, and Wearable Sensor Based Gait
Recognition.
E. Using Artificial Intelligence
In another study a method that combine some basic form of
Artificial Intelligence. The researchers found that there is
too much weakness in biometric authentication if used
independently. As a result researchers proposed a device or
3
cell phone that would adapt to its user like a digital pet. It
is a system created with Artificial Intelligence where an
intelligent agent extracts data in real time from the
environment and makes decisions to increases the rate of
success. The algorithm used both gait data and location
tracks in conjunction with other biometrical authentication
methods like - face, voice, and fingerprint recognition.
V. COMPARISON OF BIOMETRICS
Different studies over period of time have done several
comparisons under different criteria. Ranking of each
biometric is based on the three categories - Low, Medium,
or High. A low ranking indicates poor performance
whereas a high ranking indicates good performance.
VI. BIOMETRIC AUTHENTICATION CHALLENGES
Biometric authentication cannot be used in all situations.
For example it cannot be applied in remote access
authentication. In addition there cannot be any machine
which reads the biometric data in all situations that
requires authentication. Similarly not all biometric
authentication techniques are acceptable to all people, also
biometric authentication techniques require certain specific
conditions that may not be available always. For example
in iris authentication, availability of good light to operate
efficiently is must; on the similar line fingerprint
authentication requires that the fingers are clean with no
sweat on them. The main problem in all of these methods
is that these systems require special tools to perform the
scanning of the biometrics.
The current and future applications of Biometric have the
potential to provide enormous advantages to those being
served and to the general public. Yet there are lots of issues
that are not yet fully resolved –
Collection of vast amount of personal
information in electronic storage should be
highly secured to protect the privacy of those
we serve
It requires permitting electronic decision
support systems to supplant individual
professional judgment
Can something be lost when relying totally on
online when they no longer meet or confer with
each other in person
Is there sufficient controls on who has access to
what databases and for what purposes the data
may be used
In the age of computer hacking and cyber
warfare, it is required to check that there are
sufficient protections, backup and redundancy
to ensure the continued access
There is no governance defined to be followed
by both government and private organizations.
A large number of attacks exist in both traditional and
biometrics based authentication systems like - Brute-force
attack which deals by enumerating all the possible
passwords, resubmission of a formerly attained signal by
the client by bypassing the sensor. In this mode of attack a
replica of a biometrics is provided to the system for
example submitting a forged copy of a signature, a fake
finger, or a face mask. There are still lot needs to be done
to identify other types of fake biometrics. For example in
case of face recognition when the processing power is
increased software algorithms may fail. The future is to use
video instead of single still image.
VII. CONCLUSION
Biometrics approach is more suitable in applications where
security and identification are very critical. It can also be
conveniently used in e-Commerce, access control and e-
Banking domains. Few of the key usage could be related to
include national ID, attendance and time, driver and voter
registration, immigration checkpoints and welfare
disbursement. Knowledge based authentication for data
access via remote login can be replaced by biometric
systems. Similarly token-based authentication popular in
physical access control can be substituted by biometrics.
Biometric authentication standards should be implemented
to prevent illegal intrusions. To protect various important
assets a system other than PIN and password verification
must be used. As seen from the researches, biometric
authentication is a better alternative although they must be
complimented with other technology to create more
security. It is seen that the majority of faces, voices, and
fingerprints cannot be duplicated unless replicated. It
means that a biological key cannot be changed or altered
easily.
Each biometric method has their own merits and demerits
and usage of any one can be vulnerable in high security
applications. Attempts to involve two or more techniques
are vital in this regard. But in cases where security is of
less concern, comprising with only one biometric can be
acceptable. It is seen that the selection of a particular
biometric technique is dependent more on application
domain.
Future of Biometrics is going to be in the study related
with - DNA matching, creating national level Biometric
database, national database of citizens, auto security, non
usage of keys, active advertisement based on who the user
is etc. We saw throughout replications of faces, voices, and
fingerprints can be used to obtain illegal authorization. To
have a fail-safe there must be a system that combines
biometrics with hardware keys.
TABLE I
COMPARISON OF BIOMETRICS
Biometrics Unique
ness
Univers
ality
Permane
nce
Measura
bility
User
friendliness
Face Low High Medium Low High
Fingerprint High Mediu
m
High High Medium
Voice Low Mediu
m
Low Low High
Gait Low Low Low Low Medium
Artificial
Intelligence
Mediu
m
Mediu
m
High High Medium
E_ICKCT38
REFERENCES
[1] Shankar, Sheela, and V. R. Udupi. "A Dynamic Security Protocol for
Face Recognition Systems Using Seismic Waves." (2015).
[2] Navalyal, Geeta U., and Rahul D. Gavas. "A dynamic attention
assessment and enhancement tool using computer graphics." Human-
centric Computing and Information Sciences 4.1 (2014): 1-7.
[3] Sheela Shankar, V.R Udupi, Rahul Dasharath Gavas,"Biometric
Verification, Security Concerns and Related Issues - A Comprehensive
Study", International Journal of Information Technology and Computer
Science(IJITCS), Vol.8, No.4, pp.42-51, 2016. DOI:
10.5815/ijitcs.2016.04.06
[4] Yildirim N, Varol A (2015) Android based mobile application
development for web login authentication using fingerprint recognition
feature. In: Signal processing and communications applications
conference (SIU), pp 2662–2665
[5] Bargal SA, Welles A, Chan CR, Howes S, Sclaroff S, Ragan E, Johnson
C, Gill C (2015) Image-based ear biometric smartphone app for patient
identification in field settings. In: Proceedings of the 10th international
conference on computer vision theory and applications (VISIGRAPP
2015), pp 171–179
[6] Goode A (2014) Bring your own finger—how mobile is bringing
biometrics to consumers. Biometric Technology Today. Oxford, UK
[7] M. E. Fathy, V. M. Patel, T. Yeh, Y. Zhang, R. Chellappa, and L. S.
Davis, “Screenbased active user authentication,” Elsevier, vol. 42, no.
Pattern Recognition Letters, pp. 122 – 127, 2014.
[8] H. Wechsler, “Cyberspace Security using Adversarial Learning and
Conformal Prediction,” Intell. Inf. Manag., vol. 7, no. 04, p. 195, 2015.
[9] A. El Masri, H. Wechsler, P. Likarish, C. Grayson, C. Pu, D. Al-Arayed,
and B. B. Kang, “Active authentication using scrolling behaviors,” in
Information and Communication Systems (ICICS), 2015 6th
International Conference on, 2015, pp. 257–262.
[10] M. E. Fathy, V. M. Patel, T. Yeh, Y. Zhang, R. Chellappa, and L. S.
Davis, “Screenbased active user authentication,” Elsevier, vol. 42, no.
Pattern Recognition Letters, pp. 122 – 127, 2014.
[11] T. Feng, X. Zhao, B. Carbunar, and W. Shi. Continuous mobile
authentication using virtual key typing biometrics. In TRUSTCOM,
2013.
[12] H. Locklear, S. Govindarajan, Z. Sitova, A. Goodkind, D. Brizan, ´ A.
Rosenberg, V. Phoha, P. Gasti, and K. Balagani. Continuous
authentication with cognition-centric text production and revision
features. In IJCB, 2014.
[13] H. Zhang, V. M. Patel, M. Fathy, and R. Chellappa, "Touch Gesture-
Based Active User Authentication Using Dictionaries," in Applications
of Computer Vision (WACV), 2015 IEEE Winter Conference on, 2015.
[14] U. Burgbacher, M. Pratorius, and K. Hinrichs, "A behavioral biometric
challenge and response approach to user authentication on
smartphones," in Systems, Man and Cybernetics (SMC), 2014 IEEE
International Conference on, 2014.
[15] N. Pokhriyal, I. Nwogu, and V. Govindaraju. Use of language as a
cognitive biometric trait. In Biometrics (IJCB), 2014 IEEE
International Joint Conference on, pages 1–8. IEEE, 2014.
[16] N. Pokhriyal, I. Nwogu, and V. Govindaraju. Use of language as a
cognitive biometric trait. In Biometrics (IJCB), 2014 IEEE
International Joint Conference on, pages 1–8. IEEE, 2014.
[17] U. Mahbub, V. M. Patel, D. Chandra, B. Barbello, and R. Chellappa.
Partial Face Detection for Continuous Authentication. ArXiv e-prints,
1603.09364, Mar. 2016.
[18] L. Fridman, S. Weber, R. Greenstadt, and M. Kam, “Active
authentication on mobile devices via stylometry, gps location, web
browsing behavior, and application usage patterns,” IEEE Systems
Journal, 2015.
[19] P. Samangouei, V. M. Patel, and R. Chellappa, “Attribute-based
continuous user authentication on mobile devices,” in IEEE
International Conference on Biometrics: Theory, Applications and
Systems, 2015.
[20] H. Wang, D. Lymberopoulos, and J. Liu, "Sensor-Based User
Authentication," in Wireless Sensor Networks, ed: Springer, pp. 168-
185, 2015.
5
