1. Introduction
User authentication technology plays a critical role in securing access to online services. Authentication systems identify users only when the session is initiated (entry point authentication model), thus leaving them exposed to attacks that take place after the initial authentication process (Stylios et al., 2016a, 2021b; Frank et al., 2013; Stylios et al., 2016b; Clarke and Furnell, 2005; Androulidakis et al., 2009; Shila and Eyisi, 2018). These systems defend themselves against such attacks by performing an additional authentication step at critical points in the session, but are not popular with users because of the inconvenience caused by repetitive authentications. Also, smartphones are used as authentication means, especially in two-factor authentication schemes, which are often required by several electronic services. Whether the smartphone is in the hands of the legitimate user, and correspondingly whether the legitimate user is the one using the services, is a great concern. In addition, mobile devices are vulnerable to smudge attacks (Aviv et al., 2010), in which the marks left by the user's fingers on the screen make it easy to reveal the touch pattern or the PIN of the device. Thus, stealing a device carries the risk of granting full access to personal data and crucial applications. Moreover, smartphone users are unaware of privacy and security threats and keep large amounts of private information, including PINs, credit card numbers, etc., stored in their mobile devices (Stylios et al., 2016a).
For the above reasons, a new method of user authentication, also based on the “something that the user is” paradigm, uses behavioral biometrics (BBs) and continuous authentication (CA) (Corcoran and Costache, 2016; Cherifi et al., 2010; Zhu Draffin and Zhang, 2013; About-fraud, 2019; Dorizzi, 2005; Stylios et al., 2021b, 2016b). The technological advancement of mobile devices has led to the efficient capture of user behavior via their incorporated sensors, thus enabling the authentication of users based on their BB (Shi et al., 2011; Lane et al., 2010; Patel et al., 2016; Murmuria et al., 2015; Developers, 2020). The incorporated sensors of mobile devices are used to enroll BB templates (Stylios et al., 2021b; Murmuria et al., 2015; Jain