Multi-factor Implicit Biometric Authentication

MULTI-FACTOR IMPLICIT BIOMETRIC AUTHENTICATION 1
Multi-Factor Implicit Biometric Authentication
Jigisha Aryya
Department of ITM, School of Applied Technology,
Illinois Institute of Technology, Chicago
Author Note
Firstly, I thank the institute for providing a rich repository of scholarly articles for carrying
out this research submitted in November, 2016. Any questions about this paper should be
sent through email at jaryya@hawk.iit.edu or jaryya@gmail.com. I thank Prof. Raymond E.
Trygstad for suggesting improvements to my research work. Secondly, you are hereby
granted permission to use (and adapt) this document for research purposes. You may not
sell this document either by itself or in combination with other products or services. Thirdly,
if you use this document, you use it at your own risk. The document’s accuracy has been
thoroughly evaluated, but not guaranteed. Due diligence is therefore expected.
ITMS 578 - Cyber Security Management - Fall 2016 IIT, Chicago

Table of Contents
Abstract
Introduction
Physiological versus Implicit (Behavioral) Biometrics
Challenges with Physiological Biometrics
Challenges with Implicit (Behavioral) Biometrics
A Hybrid Approach for Robust Authentication
Continuous Implicit Biometrics
Beyond Traditional Biometrics - Using “Mind Metrics”
Biometric Security System for a Bank
Managerial Precautions for Biometrics
Government Policies Protecting Citizens’ Privacy Rights
Key Privacy Laws
Additional Measures
Government Policies for Biometrics
Federal Regulations
State Regulations
Conclusion
References

Abstract
The online realm is ever-growing in terms of data exchanged through devices. It generates
valuable information that needs to be protected. With the advent of advanced
technologies like IoT, AI, smartphones, and big data, it becomes the responsibility of any
government, institution, or organization to create protocols that will protect information
exchanged peer-to-peer or through centralized and decentralized networks. Authentication
is the primary method for restricting access to sensitive information. It is important that
the processes, technologies, and policies are updated on time, to keep pace with the
changing technological and business landscape.
Biometrics has a promising future. However, there are challenges such as operational
feasibility, user acceptance, and technical issues. These include resource limitation in
mobile devices and concerns over protecting users' personal data, which have motivated
researchers to look for more viable options. Continuous implicit biometric authentication is
a process of correctly identifying users by collecting data about their behavior over a
period of time and processing it using complex algorithms. This contrasts with
physiological biometrics, which only uses the physical attributes of a subject. We take a
deep dive into the current ecosystem, along with the research trends in physiological and
continuous implicit biometric authentication techniques, and their practical applicability in
various sectors to highlight the challenges they pose and ways of overcoming them.
Keywords: authentication, implicit biometrics, behavioral traits, physiological
biometrics, user acceptance, operational feasibility, policies, privacy laws, encryption

Introduction
Most transactions, data exchanges, and storage occur over connected systems like data
center servers, smartphones, or home appliances. Authentication typically relies on login ID
and password combinations. However, cybercriminals exploit phishing and brute-force
attacks to compromise credentials and manipulate network assets. Meanwhile,
cybersecurity experts continually develop countermeasures to prevent breaches.
Biometric authentication, which relies on unique physical traits, is not new but has yet to
see widespread adoption across the globe. Recently, institutions like banks handling
sensitive data have shown interest due to its potential. However, several drawbacks remain
unresolved, and new techniques are being explored to counter evolving threats. The
following sections examine key biometric methods, their challenges, and potential solutions.
Physiological versus Implicit (Behavioral) Biometrics
Physiological biometrics, such as fingerprint, iris scans, facial recognition, and palm print
are used in sectors like banking, aviation, healthcare, KYC, IT etc. Research by Bhosale
and Sawant (2012) highlights fingerprint authentication’s potential for "cardless" ATM
transactions. While many devices support biometric scanning, others, like ATMs, still rely
on PINs or passwords. Adoption is hindered by hardware limitations, complexity, and
security concerns. As Corcoran and Costache (2016) note, integrating biometric modules
into consumer devices can be challenging. Additionally, biometric data, unlike passwords,
cannot be reset once compromised, posing security risks (Welinder, 2016). Effective

encryption, secure storage, and liveness detection can mitigate these concerns.
Behavioral, or implicit, biometrics track user interactions, such as voice, keystroke, or
touchscreen dynamics. Banks like Singapore Bank and CitiBank have adopted voice
authentication. Implicit biometrics allow continuous authentication but can be
resource-intensive. Research by Alzubaidi and Kalita compares various methods,
highlighting their challenges and potential optimizations.
Challenges with Physiological Biometrics
Securing Templates: Biometric data, being immutable, requires strong encryption and
secure storage to prevent identity theft. Liveness checks, such as pupil contraction under
light exposure, help counter spoofing.
Technical Feasibility & User Acceptance: Online authentication may fail due to poor
camera resolution or user misalignment, leading to frustration. Behavioral biometrics offer
an advantage by functioning passively. Reliable cloud-based backup solutions can address
server failures (Khan et al., 2015).
Privacy Issues: Continuous biometric tracking raises significant privacy concerns.
Organizations must implement stringent access controls and robust encryption to protect
sensitive data. Clearly defining surveillance areas and restricting access to authorized
personnel can bolster security. Government policies safeguarding citizens' privacy rights
are crucial for ensuring the success of technological innovations in any progressive nation.
This priority should always remain at the forefront for any private or public institution
involved in driving such biometric security efforts.

Challenges with Implicit (Behavioral) Biometrics
Diversity of Use Cases: Behavioral traits like voice, keystroke, and touchscreen dynamics
vary across devices. While smartphones facilitate data collection, surveillance cameras can
track gait patterns for additional security layers.
Device Resource Limitations: Continuous authentication can strain battery life, processing
power, and bandwidth. Optimized algorithms, such as those proposed by Gasti et al.,
reduce computational overhead while maintaining accuracy.
Privacy Issues: Behavioral data, like physiological traits, is unique and must be
safeguarded. Users should be informed about data collection and usage policies.
Adapting to Changing Behavior: Behavioral traits evolve with age, environment, and
health. AI-driven authentication systems can adapt over time but require cost-effective
solutions for long-term feasibility.
By addressing these challenges, biometric authentication can enhance security while
maintaining usability and efficiency.
A Hybrid Approach for Robust Authentication
Understanding the strengths and limitations of biometric authentication is crucial for
effective implementation. Factors such as cost, effort, timeframe, and organizational
impact must be considered. A robust, future-proof design should integrate both
physiological and behavioral biometrics to enhance security, usability and relevance with

rapidly evolving hardware design.
Authentication occurs at two levels: Entry Level and Interaction Level. In physical
systems, physiological biometrics like fingerprint, palm print, or iris scans provide quick
and reliable authentication. Continuous monitoring of movement or facial recognition can
further ensure authenticity. In mobile digital systems, a hybrid approach using
physiological biometrics at entry, followed by behavioral authentication, enhances security.
Fully behavioral authentication systems are feasible, with companies like UnifyID
pioneering implicit biometric solutions. However, these focus on smartphones, assuming
single-user scenarios. An ideal system must adapt to various devices and architectures.
Personal computers, often lacking microphones or cameras, can utilize keystroke dynamics
alongside traditional methods like OTPs or passwords. Studies by Bakelman et al. explore
diverse password and keyboard input techniques. Devices with audio/video hardware can
leverage face recognition, hand-waving, and voice authentication, while fingerprint sensors
are increasingly embedded in consumer electronics. Mouse movement in computers
parallels touchscreen dynamics in smartphones, providing another layer of behavioral
authentication.
Below is a categorization of biometric methods based on their popularity and applicability
across consumer devices.
Entry level → Interaction level
1. Keystroke dynamics (Implicit) Mouse & Touchscreen interaction (Implicit)
2. Voice recognition (Implicit)/Signature(Implicit) Keystroke dynamics (Implicit)
3. Face recognition (Physiological) Voice inputs (Implicit)

4. Hand-waving (Implicit) Gait (Implicit)
5. Iris/Retina /Fingerprint recognition (Physiological) Gait (Implicit)
6. Palm print/Tongue print recognition (Physiological) Gait(Implicit)
Continuous Implicit Biometrics
While physiological biometrics are well-studied, implementing a continuous implicit
authentication system requires careful consideration of hardware and software constraints.
Implicit techniques enable end-to-end digital authentication without conscious user input.
However, identity capture still relies on the hardware to establish training datasets for
comparison.
Challenges include login failures, system locks, and user dissatisfaction if authentication
fails. While feasible for digital systems, continuous authentication for physical assets
presents implementation hurdles. Threats like Target Mimicry and Reconstruction attacks,
as studied by Chang et al. and Vogel et al., require precision countermeasures. Adaptive
systems must accommodate behavioral changes over time, environment, hardware, and
varying physical condition of the subject and provide fallback authentication to prevent
user lockout leading to poor user experience.
Beyond Traditional Biometrics - Using “Mind Metrics”
An emerging approach in cybersecurity leverages cognitive traits for authentication.
Researchers propose methods akin to psychometric tests, where users answer specific
questions instead of entering passwords. Often combined with behavioral biometrics like
keystroke dynamics, this approach strengthens authentication by assessing user

personality traits. Juyeon Jo et al. (2014) developed a prototype where users select their
login ID after answering security questions, eliminating password entry. While initial
feedback was positive, large-scale feasibility remains unproven. This concept suggests a
novel direction in biometrics—one that is both user-friendly and intangible, expanding the
possibilities of secure authentication.
Biometric Security System for a Bank
An organization like a bank, which is the foremost in implementing biometrics, has several
divisions, products and personnels with varied roles who access servers to modify the data
related to the capital managed by the bank. In the list below, we try to visualize all the
possible places where biometrics could be used in a multi-modal fashion.
● Account access by a Customer through a Bank branch
● Account access by a Customer through an ATM
● Account access by a Customer through a Web portal using a browser
● Account access by a Customer through a Smartphone Application
● Bank employee's access to Customers’ data
● IT Manager's access to servers containing sensitive data of customers
● DBA's access to bank databases
● IT Infrastructure personnel's access to on-premise database servers, network devices,
consoles for accessing a VPC, cloud database, storage and other remote resources.

● Technical team's access to the security software governing the customer and bank
related data. Physical locations in the bank's corporate offices where software

development, data maintenance and IT assets management activities take place
These are just a few to mention. There are several other repositories containing financial
reports, fund management, administrative and other confidential information that need
secure handling. Biometrics can either make or break the security system depending on
how it is planned, designed and deployed by a CISO’s team.
Managerial Precautions for Biometrics
Implementing a new technology requires adherence to the Technology Adoption Model
(TAM) to assess feasibility and user acceptance. Regardless of how innovative a solution
is, thorough testing is essential to ensure seamless integration. Unexpected authentication
demands can lead to resistance, making it crucial for management to educate employees,
customers, and stakeholders on its benefits.
Policies regulating biometric data collection for analysis must be carefully designed to
avoid legal challenges related to privacy rights. Security measures should not disrupt
business operations; hence, investment decisions must account for the potential failure
scenarios. The rise of cybersecurity insurance reflects the growing need for risk mitigation
against both external threats and internal vulnerabilities.
To optimize authentication systems, management must balance cost, with operational
efficiency and user acceptance. Research by Fungai Bhunu et al. highlights that emerging
markets may resist comprehensive biometric security measures compared to developed
economies. Therefore, piloting biometric authentication solutions before full-scale
implementation is highly recommended.

Government Policies Protecting Citizens’ Privacy Rights
In the United States, several key government policies and laws are in place to safeguard
citizens' privacy rights. Here are some of the most significant ones:
Key Privacy Laws
1. Privacy Act of 1974: Governs the collection, use, and dissemination of personal
information by federal agencies. It requires agencies to safeguard personal data
and allows individuals to access and correct their records.
2. Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive
patient health information and mandates strict guidelines on data privacy and
security for healthcare providers.
3. Children's Online Privacy Protection Act (COPPA): Regulates the online collection
and use of personal information from children under the age of 13.
4. California Consumer Privacy Act (CCPA): Grants California residents specific
rights regarding their personal data, including the right to know what information is
collected, the right to delete data, and the right to opt-out of data selling.
5. Federal Information Security Modernization Act (FISMA): Requires federal
agencies to develop, document, and implement an agency-wide program to provide
information security for their operations and assets.
6. Electronic Communications Privacy Act (ECPA): Protects wire, oral, and electronic
communications while they are being made, are in transit, and when they are stored
on computers.

Additional Measures
● Office of Management and Budget (OMB) Memoranda: Provides guidance on
inter-agency sharing of personal data and protecting personal privacy.
● Fair Information Practices (FIPs): Establishes foundational principles for data
collection and management, emphasizing transparency, data minimization, and
individual access to personal information.
These laws and policies aim to provide individuals with control over their personal data,
addressing concerns related to unauthorized access, misuse, and identity theft.
Government Policies for Biometrics
In the United States, biometric data is regulated at both the federal and state levels. Here
are some key policies and laws:
Federal Regulations
1. Federal Trade Commission (FTC) Act: Section 5 of the FTC Act prohibits unfair or
deceptive practices, which includes the misuse of biometric data. The FTC has taken
action against companies for deceptive practices related to biometric data.
2. Biometric Information Privacy Act (BIPA): While not a federal law, BIPA in Illinois
is often considered the benchmark for biometric privacy laws. It requires companies
to obtain informed consent before collecting biometric data and sets guidelines for
data storage and destruction.

State Regulations
1. Illinois Biometric Information Privacy Act (BIPA): Requires informed consent
before collecting biometric data, mandates secure storage, and provides individuals
with the right to sue for violations.
2. Texas Biometric Privacy Act: Similar to BIPA, it requires consent and sets guidelines
for data protection.
3. Washington State Biometric Privacy Act: Also requires informed consent and sets
standards for data security.
4. California Consumer Privacy Act (CCPA): While not exclusively focused on
biometrics, it includes provisions for the protection of personal data, including
biometric information.
5. New York and Arkansas: These states have also passed laws regulating the
collection and use of biometric data.
Conclusion
Using physiological or implicit biometrics offers benefits with some challenges. Continuous
authentication through multiple biometric factors enhances security, efficiency and overall
user experience when implemented effectively. However, failing to address issues like
precision, fault tolerance and hardware-software optimization can severely impact system
performance leading to access failures that may frustrate end-users.
Multi-factor authentication proves that combining physiological (e.g., face, fingerprint, iris,
voice) with behavioral biometrics (e.g., keystroke dynamics) is more reliable than relying on

a single approach. Integrating adaptive algorithms in the software further strengthens
security while improving usability. The choice of biometric factors depends on the system
architecture, with banking already favoring certain established methods. Given the
growing reliance on mobile devices, exploring touchscreen dynamics is crucial for the
future of secure access.
References
● Bhosale, S.T. , Dr. Sawant, B.S. (2012) Security in e-banking via card-less biometric
ATMs, International Journal of Advanced Technology & Engineering Research
(IJATER), Volume 2, Issue 4, July 2012.
● Welinder, Yana (2016) Biometrics in Banking is Not Secure. The New York Times,
July 13, 2016
● Gasti, Paolo, Šedˇ nka, Jaroslav ,Yang, Qing, Zhou, Gang, Balagani, Kiran S. (2016)
Secure, Fast, and Energy-Efficient Outsourced Authentication for Smartphones.
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 11,
NO. 11, NOVEMBER 2016.
● Corcoran, Peter, Costache, Claudia (2016) Biometric Technology and Smartphone.
IEEE Consumer Electronics Magazine, April 2016
● Alzubaidi, Abdulaziz and Kalita, Jugal (2016) Authentication of Smartphone Users
Using Behavioral Biometrics. IEEE COMMUNICATIONS SURVEYS & TUTORIALS,
● Ahmad, Dhurgham T. and Hariri, Mohammad, (2012) User Acceptance of Biometrics
in E-banking to improve Security. Business Management Dynamics Vol.2, No.1, Jul
2012, pp.01-04.

● Kekre, H. B., Bharadi, V.A. , (2009) Ageing Adaptation for Multimodal Biometrics
using Adaptive Feature Set Update Algorithm. IEEE International Advance
Computing Conference (IACC 2009) Patiala, India, 6-7 March 2009.
● Jo, Juyeon, Kim,Yoohwan, and Lee, Sungchul (2014) Mindmetrics: Identifying users
without their login IDs. 2014 IEEE International Conference on Systems, Man, and
Cybernetics, October 5- 8, 2014, San Diego, CA, USA
● Erastus, Licky Richard, Jere, Nobert, Shava, Fungai Bhunu (2015) Exploring
Challenges of Biometric Technology Adoption:A Namibian Review. Emerging
Trends in Networks and Computer Communications (ETNCC), 2015
● Keenan, Dr. Thomas P., (2015) Hidden Risks of Biometric Identifiers and How to
Avoid Them, Black Hat USA 2015.
● Khan, Salman H., Akbar, M. Ali (2015) Multi-Factor Authentication on Cloud. Digital
Image Computing: Techniques and Applications (DICTA), 2015 International
Conference, IEEE International Conference on Consumer Electronics (ICCE) 2016.
● Patel, Heena M., Panuwala, Chirag N., Vora, Aarohi (2016) Hybrid Feature level
approach for Multi biometricCryptosystem. IEEE WiSPNET 2016
● Almuairfi, Sadiq , Veeraraghavan, Parakash, Chilamkurti, Naveen (2011) IPAS:
Implicit Password Authentication System.
● Bakelman, Ned, Monaco, John V., Sung-Hyuk Cha, and Charles C. Tappert (2013)
Keystroke Biometric Studies on Password and Numeric Keypad Input 2013
European Intelligence and Security Informatics Conference.
● Panja, Biswajit, Fattaleh, Dennis, Mercado, Mark, Robinson, Adam, Meharia, Priyank
(2014) Cybersecurity in Banking and Financial Sector:Security Analysis of a Mobile

Banking Application. Collaboration Technologies and Systems (CTS)
● Bhargav, Abilasha, Squicciarini, Anna, Bertino, Elisa (2006) Privacy Preserving
Multi-Factor Authentication with Biometrics. DIM’06, November 3, 2006,
Alexandria, Virginia, USA.
● Khan, Hassan, Hengartner, Urs, Vogel, Daniel (2016) Targeted Mimicry Attacks on
Touch Input Based Implicit Authentication Schemes. MobiSys’16, June 25-30, 2016
● Chun, Hu, Elmehdwi, Yousef, Li, Feng, Bhattacharya, Prabir, Jiang, Wei (2014)
Outsourceable Two Party Privacy-Preserving Biometric Authentication. ASIA CCS’14,
June 4–6, 2014, Kyoto, Japan.
● Tanviruzzaman, Mohammad, Ahamed, Sheikh Iqbal (2014) Your phone knows you:
Almost transparent authentication for smartphones. 2014 IEEE 38th Annual
International Computers, Software and Applications Conference.
● Li, Yanyan, Yang, Junshuang, Mengjun Xie, Carlson, Dylan, Jang, Han Gil, Bian,
Jiang (2015) Comparison of PIN- and Pattern-based Behavioral Biometric
Authentication on Mobile Devices. Milcom 2015 Track 3 - Cyber Security and
Trusted Computing.
● Ford, Bryan (2015) Private Eyes: Secure Remote Biometric Authentication. 12th
International Joint Conference on e-Business and Telecommunications (ICETE)
● Gatali, Inkingi Fred, Lee, Kyung Young, Park, Sang Un, Kang, Juyong (2016) A
Qualitative Study on Adoption of Biometrics Technologies: Canadian Banking
Industry. ICEC '16, August 17 - 19, 2016, Suwon, Republic of Korea.
● Michael, Katina, Michael, MG, Tootell, Holly, Baker, Valerie (2006)
The Hybridization of Automatic Identification Techniques in Mass Market

Applications: Towards a Model of Coexistence. Management of Innovation and
Technology, 2006 IEEE International Conference on.
● Al-Rubaie, Mohammad, Chang, J. Morris (2016) Reconstruction Attacks Against
Mobile-Based Continuous Authentication Systems in the Cloud. IEEE
TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, DEC 2016.

Multi-factor Implicit Biometric Authentication

More Related Content

Similar to Multi-factor Implicit Biometric Authentication (20)

Recently uploaded (20)

Multi-factor Implicit Biometric Authentication