Review Article: Biometric Authentication For Intelligent and Privacy-Preserving Healthcare Systems


Hindawi

Journal of Healthcare Engineering


Volume 2022, Article ID 1789996, 15 pages
https://doi.org/10.1155/2022/1789996

Review Article
Biometric Authentication for Intelligent and Privacy-Preserving
Healthcare Systems

Dhananjay Nigam,1 Shilp Nirajbhai Patel,1 P. M. Durai Raj Vincent,2 Kathiravan Srinivasan,1 and Sinouvassane Arunmozhi3

1 School of Computer Science and Engineering, Vellore Institute of Technology, Vellore, India
2 School of Information Technology and Engineering, Vellore Institute of Technology, Vellore, India
3 Department of Electronics and Communication Engineering, Manakula Vinayagar Institute of Technology, Puducherry, India

Correspondence should be addressed to Kathiravan Srinivasan; [email protected]

Received 11 January 2022; Revised 27 February 2022; Accepted 8 March 2022; Published 24 March 2022

Academic Editor: Sahfqat Ullah Khan

Copyright © 2022 Dhananjay Nigam et al. This is an open access article distributed under the Creative Commons Attribution
License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is
properly cited.

Secure identification is a critical system requirement for patients seeking health-related services. In the event of critical, aged, or
disabled patients who require frequent health treatments, quick and easy identification is vital. Researchers describe the notion of
the unprotected environment in this study, in which patients can receive health services from the hospital’s smart and intelligent
surroundings without the use of explicit equipment. Patients would interact directly with the environment and be identified
through it. We suggest a biometric-based authentication technique for the unprotected hospital environment that also safeguards
the patient’s identity privacy. Furthermore, we demonstrate that this authentication technique is resistant to many well-known
assaults, including insider attacks, replay attacks, and identity privacy. Doctors and other staff members showed enthusiastic
responses after installing 2-factor authentications, as it makes their workflow efficient and makes things easier for patients. It also
lets them focus on other factors rather than worrying about data security; hence, we need biometric authentication in intelligent
and privacy-preserving healthcare systems. The paper deals with two-factor biometric authentication. Despite the added
security, two-factor authentication adoption is said to be poor. This is due to a lack of awareness and to the difficulty that
some individuals, who struggle with the concept of authentication and its technology, have in using two-factor authentication
(2FA) and configuring it for a particular application. Also, many 2FA methods in widespread use today have not been subjected
to adequate usability testing. The research stresses that a large section of people is still unaware of the use of biometric
systems to protect their online data. Researchers collected quantitative and qualitative data from 96 individuals during a
two-week between-subjects usability survey of some common and rarely used 2FA approaches. The survey allowed the researchers
to investigate which authentication methods are given higher priority and why, to examine the relationship between different
usage patterns and perceived usability, and to identify user misconceptions and insecure habits in order to determine ease of
use. It was observed that the biometric-based method was the most preferred.

1. Introduction

Due to recent breakthroughs in Internet of things (IoT) and wireless sensor networks, there is a new digital paradigm shift. These technologies prove to be very useful, especially in the case of healthcare systems, thereby enhancing the well-being of people. With the help of this technology, the doctors and the hospital staff can continuously monitor their patients without even being present with them. Elderly patients can be automatically identified based on their surroundings and thus receive the appropriate services [1]. Electronic prescriptions for restricted medicines are heavily regulated and require a strong authentication system. Imprivata, a healthcare company, developed a biometric-powered confirmation ID system that enables healthcare institutions to meet their Drug Enforcement Administration criteria for electronic prescriptions of restricted medicines. Ghana’s Health Ministry has already joined with Gavi to begin its
biometric-based national vaccination programs by the end of 2021.

External devices such as laptops, cell phones, and tablets can interact with the system; the user interface provided by these devices is pertinent. On the contrary, the wearable category is far better and more advanced than other devices. The goal is to develop an intelligent technology in which services are incorporated through sensors and are available when needed and disappear when not, removing the need for the user to engage with the device. These cutting-edge technologies supply customers with a plethora of new options while also providing new revenue streams. Lightweight security solutions are required to implement these devices because they include various sensitive resources. Figure 1 shows the architecture of digital healthcare services.

Identifying a valid patient/user is a significant difficulty in this type of unprotected setting. Traditional password-based single-factor authentication systems are not suitable and have some limitations. They are substantially weak when it comes to incorporating security in smart systems. As they contain only a single factor, which consists of a PIN or a password, they can be easily breached by brute-forcing or simply guessing the password. Hence, a more transparent method such as biometric authentication should be incorporated, including face and speech recognition.

The unique property of biometrics expands its use in authentication protocols. Some important advantages of biometric keys are as follows:

(i) A user cannot lose or forget the key
(ii) They are difficult to copy or forge
(iii) They are tough to duplicate and transfer
(iv) They cannot be guessed easily when compared to low-entropy passwords

Password breaches, whether due to multiple password database leaks or increasingly sophisticated phishing attacks, dramatically increase the risk of authentication credential vulnerability [2]. Worse, poor user password hygiene, such as using passwords that are easily discovered (birth dates, names, relatives’ names, and phone PINs) or repeating them across several accounts, exacerbates these flaws [3]. Figure 2 depicts the healthcare IT topology for medical devices.

Two-factor authentication (2FA), commonly known as two-step verification or dual-factor authentication, is a security feature in which users must authenticate their identity using two different authentication factors [4]. 2FA is used to protect a user’s credentials and the resources to which they have access. Single-factor authentication (SFA), in which the user provides only one factor (usually a password), provides a lower level of security than 2FA [5]. 2FA gives the user a second factor that is either something they have (such as a hardware token or a phone) or something they are (referring to biometrics, such as facial recognition or fingerprint) [6]. It is the successor step after one has entered their credentials, which corresponds to something they know (traditionally a password and a username), so even though an attacker steals or guesses a user’s password, they must compromise the user’s phone or steal a physical device to gain access to the account [7]. As a result, compromising an account protected by a second authentication factor is far more difficult for a remote attacker [8, 9]. However, these technologies still reside in an external gadget that might be stolen and hence exploited. So, we need a more transparent technology such as biometric authentication, which stays with the user all the time and is very difficult to exploit.

Many biometric services are now under development and testing, to be widely used in a few years. Plastic cards will soon be a thing of the past, and biometric scans will become the norm. The publicity of biometrics appears to be a concern. You have fingers, eyes, and a face, as everyone knows. On the other hand, open biometric data are only the tip of the iceberg. Every imaginable attribute is being studied, from heart rate monitoring to implanting chips under your skin, as well as examining intraocular veins, the structure of your earlobes, and more.

Two-factor authentication is a vast area, but this study focuses on biometric authentication: facial and speech recognition. The research is conducted because many people are unaware of the password-related risks and do not use 2FA for security. This hypothesis will be proved with the help of a survey further in the paper. A two-week survey was done using Google Forms, circulated among people using different social platforms. The survey measures the awareness of people from both technical and nontechnical backgrounds and people from all age brackets. The participants were from different parts of India. Researchers tried to determine which of the following two-factor authentication methods were popular and easy to use. The study focuses on the following:

(i) Presents the increasing need for 2FA
(ii) Expounds the concept of biometric authentication using face and speech recognition
(iii) Explains the integration of this technology into intelligent and smart healthcare systems
(iv) Presents diagrammatically the functioning of smart wireless sensors integrated with biometric authentication
(v) Presents a survey analysis conducted in India, which gives insight into the awareness and usability of biometrics

The study covers a literature survey of various research articles and journals, survey analysis, scope (present scenario and future opportunities), open challenges, and future research directions.

1.1. Biometric Recognition. Humans normally distinguish between persons using their faces, and recent advances in computer vision capacity have enabled similar recognitions to be made automatically [10]. Face recognition algorithms used simple geometric models in the past, but they have evolved into a science of complex mathematical models and representations throughout time, putting face and speech recognition in the spotlight for verification and
identification [11]. The practice of comparing one biometric pattern to another to determine whether it should be rejected or accepted is known as verification. Figure 3 shows the steps for authentication and verification.

Figure 1: Architecture of biometric authentication for digital healthcare services. (Diagram labels: Biometric Technology, MPI, Patient Entry, Patient Registration, Nurse, Doctor, Security Prevention Techniques, Pharmacy, Lab Services, Mapping Biometrics to MPI, Patient Exit, Hospital Information System.)

Figure 2: Healthcare IT topology for medical devices. (Diagram labels: Medical Wearable Devices, Medical Embedded Devices, Wearable Health Monitoring Devices, Stationary Medical Devices; attributes: Identifications, Location, Sensing, Connectivity.)

2. Literature Review

Previous research has looked into using extremely low-resolution photographs to accomplish activity recognition while maintaining anonymity. Low-resolution action recognition based on the shape of the human head to guide body position estimate is proposed in one paper (Privacy-Preserving Action Recognition for Smart Hospitals Using Low-Resolution Depth Images). Inverse super-resolution (ISR) employs a network that generates several low-resolution recommendations and employs MCMC and entropy measure techniques to find the best action recognition transformation. Two comparable approaches use two-stream neural networks to aggregate data and build a cross representation between high- and low-resolution images to learn an appropriate feature mapping.

Significant investment is needed in biometrics for security. Machine learning and algorithms must be very advanced to minimize biometric demographic bias. Some biometric systems can face scanning issues if there is a slight change, especially if the company is using retina scanning. Hard biometrics consists of authentication using face, fingerprints, or signature. It is very easy nowadays to forge another person’s fingerprint or signature. Getting a facial snapshot of a person is very easy, and in that way, face recognition can be easily breached. Soft biometrics include voice recognition, eye color, and scars, which provide ancillary information but are not fully distinctive and permanent [12].

Numerous symmetric key techniques have been proposed in the literature for smart card-based authentication on single-server and multi-server architectures. In addition to smart card-based authentication, the literature describes three-factor authentication techniques that involve biometrics. However, biometric information integration is bound to be a fixed string and implemented similarly to password introduction. These smart card-based procedures can easily be transformed into the biometric form and vice versa. Most of the suggested smart card-based and biometric-based authentication methods are vulnerable to well-known attacks such as stolen smart card attacks, replay attacks, user impersonation attacks, and insider attacks. A novel security system with identity privacy and untraceability is offered. Fuzzy extractors, fuzzy vaults, and fuzzy commitments, on the other hand, are commonly used to facilitate reusability and unlinkability in the practical integration of biometric data. These techniques use a template and assistance data to retrieve the secret material.
Unfortunately, these approaches come at a considerable cost in terms of complexity and performance. The use of a pseudorandom number generator (PRNG) is proposed in “Identity Privacy-Preserving Biometric-Based Authentication Scheme for Unprotected Healthcare Environment” to develop a safe and computationally efficient remote biometric authentication technique, which adds robust biometric data security to a wide range of existing authentication protocols. Because it protects templates and the user’s privacy, the technique is known as a blind biometric authentication protocol. The protocol is blind since it does not display any information about the user other than their identification. On the server side, it also employs a PRNG.

Figure 3: Flow of authentication. Register: take the user’s username as voice input; store the speech data; capture about 30 images of the face of the new user; give the database password to be associated with that face; associate voice and data and store those datasets to disk. Login: listen to the user’s voice for the UserID (if the user is not identified, give the error “Not found, try again”); scan the face (if it is not found, give the error “Not found, try again”); pass the credentials to the database connector; spawn a MySQL shell.

Many current 2FA approaches are being called into question. Two-factor authentication using a one-time password (OTP) or SMS has one major disadvantage. As long as the device on which the OTP has been configured is in the user’s possession, it is convenient, but when the person does not have the device with him/her, although the account is secure, he/she is not able to log in or get access. It becomes a matter of convenience and hence is sometimes not used. For example, according to the “Transparent two-factor authentication” [13] paper, certain methods of 2FA can be turned against a user’s system. One such case is when McAfee and Guardian Analytics released a joint report titled “Dissecting Operation High Roller.” It mentioned an international criminal group that used an automated operation and stole large sums of money through unauthorized and fraudulent transfers. By infecting the user’s system with malicious software, they were able to get hold of it, and hence, they could even verify the two-factor tokens required for the bank account. Hence, this study suggested a more transparent method so that users can easily verify themselves and save themselves from different frauds. “Overview of fingerprint recognition system” states that the fingerprint system will be unavailable to certain segments of the population. People who have lost fingers or hands would be excluded, while older adults who have done manual labor for many years may struggle to record worn prints into a system. Many laptops do not support fingerprint recognition; hence, they cannot be used for online databases.

According to the “Five methods of usability of 2FA,” many users disliked hardware code generators; in fact, a few people switched banks because the tokens were so difficult to use. We also found out that the most common 2FA methods used were email or SMS for financial or personal sites [14]. According to another survey, these common methods have certain limitations. An attacker may pose as somebody else while speaking to the victim, for example somebody from a particular bank, and, by taking advantage of the user’s distraction, may get hold of the one-time password from that user [15, 16]. This way, the user might lose every penny he owns, further affecting his/her business or professional life. According to one paper on cryptography known as “multifactor authentication,” integrating credible and new solutions has
always been a huge hurdle for developers and managers. User acceptance is low and a very serious part of adopting multifactor authentication. For example, a method known as deoxyribonucleic acid (DNA) recognition has very high performance, universality, and uniqueness, but the acceptability rate is quite low, although it is not prone to spoof attacks and is an assuring method. On the other hand, this study supports using face and speech recognition as a part of 2FA. They suggest it is more transparent and easier to use and configure for people from almost every age bracket [17].

There are different ways to optimize this method and make it more secure [18]. We can enable three-dimensional face recognition, i.e., by asking the user to move the head during the authentication process in a specific manner. User expressions can also be detected, making it less prone to any attacker or breach. According to a survey done at Carnegie Mellon University [19], many people were satisfied and thought that one-factor authentication is secure. The conclusion followed in the paper deduces that two-factor authentication now has become a necessity, regardless of the petty limitations that will be fixed in due time. Table 1 presents the list of existing methods with their approaches and limitations.

3. Methodology

The researchers have opted for the empirical way of research and are using the survey to prove the above hypothesis. The survey was conducted through Google Forms with 96 responses from different age groups and aspects of the society, which gave the researcher a vivid idea of the hypothesis. The survey was carried out for two weeks, and the participants were from different professions and different parts of India. For those who did not know the meaning of 2FA, researchers explained the meaning and usage to get their views. They were asked to use a simple biometric 2FA to get a clear idea.

4. Survey Analysis

Researchers got thoughtful opinions on where exactly the technology should be incorporated, which areas need immediate attention to this kind of technology, etc. Most people voted in favor of the companies that handle finances and online payment systems using the 2FA system. Although many people know about two-factor authentication, more people need to be aware of this technology as it will be fruitful soon.

This was an investigational study to see how people interpreted, adopted, and used 2FA. The researchers focused their efforts on gathering data that may be used to guide future deployments and improve specific procedures. In particular, the researchers were interested in users’ impressions of 2FA and the factors that encourage and inhibit adoption. The survey was conducted through Google Forms with 96 responses, including people from all the age brackets. In some questions, multiple choices can be selected.

Analysis 1: the majority of the people, about 86.5%, i.e., 83 of the 96 participants, belonged to the 16–30 age group. Less than 9.4% (9 people) were people above 45 years. Only 2.1% (2 people) belonged to the age bracket of 5–15 and 31–45 years. This shows the targeted audience. People from age groups 5–15 are too young to understand the concept of 2FA and use it properly. Due to the generation gap and technical knowledge gap, not many people above the age of 40 use 2FA. Researchers did not circulate the Google Form to the people who did not know about 2FA because some questions required knowing 2FA and authentication. That is why there are fewer people in this age group. Currently, the main users of 2FA are people from 16 to 30 years. This gap will fade away in a few years, and people above 30 years will also actively use 2FA. Figure 4 illustrates the survey query 1.

Analysis 2: researchers found out that 35.8%, i.e., 34 of the 95 people, fall into indecision in the case of a password compromise. They are not aware of how to recover and restore their account by changing their passwords so that the attacker may not control their account for too long. Figure 5 depicts the survey query 2.

Analysis 3: 63.5%, i.e., 61 of the 96 people, use the same passwords everywhere. Hence, if one of their accounts gets compromised, it is very likely that other accounts will also get attacked, and they may lose a huge amount of sensitive information. Even if your password is leaked, attackers still need the 2nd factor to authenticate successfully. Using biometric factors makes it difficult to steal face or speech factors. Thus, the need for two-factor authentication is very high. Figure 6 portrays the survey query 3.

Analysis 4: participants selected multiple options. 68.1% of people (64 people) prefer biometric authentication such as face and speech recognition for security. One-time password through SMS is the most common and used method. However, it is observed that participants wanted to switch to technologies such as face and speech recognition, which are more secure and not easily stolen or imitated. Researchers focus on “biometric 2FA for online database”; therefore, face and speech recognition are the most feasible options. OTP and PIN codes are not biometric, and fingerprints are difficult to use for online databases on the laptop. Figure 7 shows the survey query 4, and Figure 8 represents the survey query 5.

Analysis 5: 23.2%, i.e., 22 of the 95 people, still think that a single authentication system is enough for the security of their accounts. One reason for this could be that they find it difficult to carry hardware tokens everywhere to authenticate themselves repeatedly, which is a tedious task. 58.9%, i.e., 56 of the 95 people, think 2FA is the highest level of security, which cannot be surpassed and is more than enough to secure their data, while 21.1% of people (20 people) want 2FA to be optimized and more factors to be added to strengthen the security. A few people feel that multifactor authentication is a time-consuming process. Figure 9 illustrates the survey query 6, and Figure 10 depicts the survey query 7.

Analysis 6: 84.9%, i.e., 79 of the 93 people, want to incorporate 2FA into online payment apps and other financial consultancies operating online and where the exchange of money is taking place. Figure 11 portrays the survey query 8.

Analysis 7: in the survey, researchers found that 60.3% of people (38 people) find 2FA easy to use. 7.9% of people (5 people) reported it being difficult, out of which most people
were above 45 years old. 14.3% of people (9 people) feel like it is unnecessary, and 17.5%, i.e., 11 of the 63 people, feel like it is very time-consuming and annoying. With this small-scale survey, researchers could figure out the qualitative and quantitative aspects of two-factor authentication technology. From these data, researchers can undoubtedly infer that although the preponderance of the people is aware of the technology and its logistics, there are still many people who are entirely oblivious to the use of this technology. Figure 12 represents the survey query 9. Table 2 presents the comparison results for privacy and security characteristic features.

Table 1: List of existing methods with their approaches and limitations.

Scheme | Year | Approach | Limitations
[20] | 2012 | Asymmetric | Forgery attacks are possible
[21] | 2015 | Cryptographic hash function | Vulnerable to impersonation attacks and insider attacks
[22] | 2012 | Symmetric encryption | User tracking attacks are possible
[23] | 2016 | Cryptographic hash function | Experiencing issues with transmitting secrecy and revocability
[13] | 2018 | Fingerprint verification | Fingerprints can also be stolen by capturing your prints without you knowing
[18] | 2015 | Hardware tokens | Many people find it difficult to carry hardware tokens and may lose them sometimes
[24] | 2020 | Bloom filter and format-preserving encryption | The primary downside is its probabilistic nature

Figure 4: Survey query 1. Question: “Which age-group do you belong to?” (96 responses; options: 5-15 years, 16-30 years, 31-45 years, above 45 years).

Figure 5: Survey query 2. Question: “If your password is compromised, do you know what to do?” (95 responses; options: Yes, No).

Figure 6: Survey query 3. Question: “Do you use similar passwords for multiple applications?” (96 responses; options: Yes, No).

Figure 7: Survey query 4. Question: “Which kind of authentication method would you prefer?” (94 responses). Cryptographic-based method: 33 (35.1%); biometric-based method: 64 (68.1%); smartcard with password based method: 37 (39.4%).

Figure 8: Survey query 5. Question: “Which kind of authentication system would you prefer?” (96 responses). Face recognition: 40 (41.7%); speech recognition: 18 (18.8%); OTP authentication: 54 (56.3%); security questions: 20 (20.8%); pincode: 30 (31.3%); QR code: 15 (15.6%); fingerprint: 58 (60.4%); location: 2 (2.1%).

Figure 9: Survey query 6. Question: “Do you think one-factor authentication is secure enough?” (95 responses; options: Yes, No).

Figure 10: Survey query 7. Question: “Which one do you prefer?” (95 responses; options: single-factor authentication, two-factor authentication, multi-factor authentication).

Figure 11: Survey query 8. Question: “Would you consider two-factor authentication when it comes to payment gateways?” (93 responses; options: Yes, No).

Figure 12: Survey query 9. Question: “What was your perception after using 2FA?” (63 responses; options: easy to use, not needed, difficult to use, very much time taking).

5. Scope

5.1. Present Scenario. There are some limitations of this technology. It has been observed that two-factor authentication brings inconvenience to users when a physical entity is used as a second authentication factor, where many additional operation steps are added [28]. The main barriers to this technique are the data collecting and data storage processes. There is a chance the platform will crash or get an authentication problem. The possibility of technology duplication by other companies is a concern. New technologies could put this platform and technology to the challenge. After completing the password recovery process, many services will automatically log you into your account. When you use social media to log in to your account, 2FA may be ignored [29].

Patient records, data from clinical trials, radiological images, and genetic sequencing data are among the sources of the ever-increasing healthcare data. These data are predicted to have grown to a size of 25,000 petabytes by 2020. Virtualization and cloud computing are two new technologies that may acquire, manipulate, and store massive amounts of data. Healthcare data management thus involves the issues of storage and retrieval of vast amounts and types of data and the integration and exchange of such data across numerous sites. Aside from that, the construction of a scalable system that provides continuous connectivity between the healthcare management system and its users is required [30].

5.2. Case Study: Healthcare Facilities. In a case such as healthcare data storage and retrieval, a biometric system can provide authentication. The fundamental motivation for implementing biometrics in the healthcare industry is to ensure the privacy and security of patient records. Health Insurance Portability and Accountability Act (HIPAA), the European Data Protection Directive, and the Australian
Privacy Principles Act are examples of the international rules that mandate a high level of security, sensitive data exchange, and access control [30].

Table 2: Comparison results for privacy and security characteristic features.

Features | [25] | [26] | [27] | [10]
User anonymity | Yes | Yes | No | No
Mutual authentication | Yes | Yes | Yes | Yes
Off-line PW guessing attack | Yes | No | No | No
Impersonation attack | Yes | Yes | Yes | No
Replay attack | Yes | No | No | Yes
Provides formal security | Yes | Yes | No | No

“Two-factor authentication platform helps healthcare institutions and health information networks secure remote access to confidential health information in a cost-effective and scalable manner, without disrupting provider workflow” [31]. The security of patient data is a legal and an ethical obligation of the medical sector. Complete security is difficult to achieve, especially in the medical domain, where disclosing information regarding the patient is a significant part of treating the patient. As dangers to the patient’s health data rise, suitable technical, administrative, and physical protection measures must be taken to protect the privacy of protected health information (PHI). Hackers consistently target user credentials to gain access to the healthcare system [32]. Figure 13 shows the functional platform for the healthcare system.

According to the Protenus Breach Barometer, these types of incidents compromised 3.8 million medical records in 2019. An increase in health data available electronically implies more risks. For example, it is usual these days for family members and the provider’s office to share usernames and passwords. Employees may be given these personal credentials to gain legitimate access. They are occasionally written down and picked up by curious individuals. They may be guessed or detected by malicious software. This increased exposure has resulted in a significant increase in information leakage, theft of personal information, and numerous violations of HIPAA’s privacy and security regulations [33]. Using a static password to prevent unauthorized or unlawful access to your personal or sensitive information is no longer deemed sufficient [34]. Also, there are important data of healthcare departments, such as information related to where a particular medicine is kept and how many doses can be harmful, or research information, that need to be protected at any cost. The leakage of such data can prove fatal and affect the masses.

Two-factor authentication provides a higher level of security and reliability. According to “[31]” by William Braithwaite, it is accepted and understood widely that to provide sufficient security to protect access of sensitive data and personal information of the patient, two-factor authentication needs to be implemented. Allowing access only

According to HealthTech, a company that deals with software requirements of healthcare facilities, doctors and other staff members showed enthusiastic response after the installation of 2-factor authentications as it makes their workflow efficient and makes things easier for patients. It also lets them focus on other factors rather than worrying about data security. It saves money and time.

For example, many healthcare companies ask their employees to strengthen their passwords, which may sometimes be complicated. They also require users to change their passwords periodically to ensure the security of their sensitive data, which makes passwords hard to remember but very easy to lose. Based on studies by Microsoft, the account becomes 99.9% less likely to be compromised or attacked if you use MFA. Table 3 presents a summary of the protocol, results, and key contributions from authentication and privacy-preserving healthcare systems. Table 4 presents the details on the classification of healthcare apps for authentication and privacy-preserving healthcare systems. Table 5 shows the different types of attacks for authentication and privacy-preserving healthcare systems.

6. Open Challenges: Authentication and Privacy-Preserving Healthcare Systems

Figure 15 illustrates the open challenges for authentication and privacy-preserving healthcare systems. Some of the open challenges are as follows:

(i) If only one parameter is impacted, the accuracy of the entire system will suffer
(ii) Cost and technical complexity to implement
(iii) 2FA for many platforms can be circumvented
(iv) Creating procedural delays in the system
(v) Susceptible to social engineering
(vi) Access codes can be stolen; vulnerable to phishing attacks
(vii) Poses advanced threats such as a 3D modeling of a face or finger
(viii) The influence of the technical issues is significant
(ix) Usability issues in Google’s 2FA setup processes
after face and speech recognition verification will help keep
intruders from hacking or logging in and stealing important 7. Future Research Directions: Authentication
healthcare data. Keeping factors such as face detection and and Privacy-Preserving Healthcare Systems
speech verification prevent robots or other systems [7].
Figure 14 shows the healthcare data breach record in the past Face recognition (FR) is becoming a key study area due to
years. the wide range of applications in commercial and law

[Diagram; labels include Biometric Authentication, Authenticating signature samples using mobile devices, Healthcare Cloud, Importing Data into healthcare cloud, and Healthcare Center.]
Figure 13: Functional platform of the intelligent and privacy-preserving healthcare system.

[Bar chart: healthcare data breaches of 500 or more records, by year, 2009 to 2020.]
Figure 14: Healthcare data breach record.

Table 3: A summary of the protocol, results, and key contributions from authentication and privacy-preserving healthcare systems.

| Reference | Year | Protocol | Results | Key contributions |
|---|---|---|---|---|
| [1] | 2019 | Health screening for people who have diabetes | Smart services do the whole screening autonomously | They do not describe how a procedure is performed but why, when, where, and by whom the care is given |
| [27] | 2015 | Security | Promotes public confidence in healthcare services | Provides a secure environment for people using the services |
| [35] | 2019 | Decentralized privacy-preserving healthcare blockchain for IoT | Secures data transfers and logging of data and storage on the blockchain | Security through blockchain |
| [36] | 2017 | Radiofrequency identification | Tracks hospital supplies, medical equipment, medications | Privacy-preserving access controls |
| [12] | 2013 | Wireless medical sensor network | Sensitive patient information is sent through the open air. | The lightweight encryption algorithm is proposed to secure communication between the sensor node and the Sharemind system. |

Table 4: A classification of healthcare apps: authentication and privacy-preserving healthcare systems.

| Category | Common apps | Description |
|---|---|---|
| Medicine delivery app | Netmeds, PharmEasy, Medlife | Delivery anywhere |
| Telenursing applications | Practo | Online doctor consultation |
| Medicine reminders app | Medisafe Pill reminder, Bedside Reminders | Alerting with push notification |
| Appointment scheduling apps | AppointmentPlus, PatientPop | Set online scheduler with doctor |
| Mindfulness, health, and fitness apps | MyFitnessPal, Headspace | Records your heart rate, water level, sugar level, and gives you a full report at the end |
| Patient health education apps | CardioTech, Simply Sayin’ | Educates patients about different diseases, what causes them, and what are the symptoms |

Table 5: Different types of attacks: authentication and privacy-preserving healthcare systems.

| Reference | Year | Attacks | Description |
|---|---|---|---|
| [37] | 2012 | Dictionary and password guessing attack | Guessing the password from a password list |
| [38] | 2013 | Denial of service | Denying service to the user by creating unnecessary traffic |
| [20] | 2012 | Impersonation attacks | Impersonating to be someone and stealing information |
| [39] | 2013 | Patient anonymity violation | Exploiting the hidden identity of the patient |
| [40] | 2014 | Spoofing | The act of misrepresenting a communication from an unknown source as coming from a recognized, reliable source. |
| [22] | 2012 | Malware infusion | Ingesting malware into the system so that it does not work properly |
| [23] | 2016 | Man in the middle | Capturing and listening to the information being passed from the sender to the receiver and vice versa. |
| [21] | 2015 | Tracing attacks | In each session, the patient uses the same identifier, leading to the disclosure of private information. |
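
The "Tracing attacks" entry of Table 5 can be made concrete with a short simulation that compares a static login identifier with single-use aliases. This is an added example, not code from the article or from the schemes it cites: the `AuthServer` class, the patient names and the one-time alias design are assumptions made for illustration, and the next alias is assumed to be delivered inside the encrypted session so that an observer sees only the identifier presented at login.

```python
"""Tracing attack: a static login identifier links sessions; one-time aliases do not.

Added illustration. AuthServer, the patient names and the alias scheme are
hypothetical, and all sample data is constructed.
"""
import hashlib
import secrets
from collections import defaultdict


def static_identifier(patient_id):
    """Weak design: hashing hides the name, but the value is identical in every session."""
    return hashlib.sha256(patient_id.encode()).digest()


class AuthServer:
    """Hypothetical server that recognises patients by single-use random aliases."""

    def __init__(self):
        self._aliases = {}  # alias valid for the next login -> patient id

    def enroll(self, patient_id):
        """Issue a fresh alias (first issue is assumed to use a protected channel)."""
        alias = secrets.token_bytes(16)
        self._aliases[alias] = patient_id
        return alias

    def login(self, alias):
        """Consume the alias; return (patient, next_alias), or None if unknown or replayed.

        Assumption: next_alias travels inside the encrypted session, so an
        observer sees only the alias presented at login. A real deployment
        also needs a recovery path if the reply carrying next_alias is lost.
        """
        patient_id = self._aliases.pop(alias, None)
        if patient_id is None:
            return None
        return patient_id, self.enroll(patient_id)


def linkable_groups(observed):
    """Observer's view: indexes of sessions that carried the same identifier."""
    groups = defaultdict(list)
    for index, identifier in enumerate(observed):
        groups[identifier].append(index)
    return [indexes for indexes in groups.values() if len(indexes) > 1]


def simulate(schedule):
    """Run one visit schedule under both designs and record what appears on the wire."""
    server = AuthServer()
    next_alias = {patient: server.enroll(patient) for patient in set(schedule)}
    static_wire, alias_wire, resolved = [], [], []
    for patient in schedule:
        static_wire.append(static_identifier(patient))
        alias_wire.append(next_alias[patient])
        who, next_alias[patient] = server.login(next_alias[patient])
        resolved.append(who)
    return static_wire, alias_wire, resolved


if __name__ == "__main__":
    visits = ["patient-A", "patient-B", "patient-A", "patient-A", "patient-B"]  # constructed
    static_wire, alias_wire, resolved = simulate(visits)
    print("static identifier, linked sessions:", linkable_groups(static_wire))
    print("one-time alias, linked sessions:   ", linkable_groups(alias_wire))
    print("server still resolves every visit: ", resolved == visits)
```

With the static identifier, every visit by the same patient falls into one group even though the name itself is hashed; with one-time aliases no two sessions share an identifier, while the server still resolves each login and rejects a replayed alias.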

Figure 15: Open challenges: authentication and privacy-preserving healthcare systems.



[Diagram; labels include EHR, Medical Officer (MO1, MO2, ... MOn), Access Control List (ACL), Mandatory Access Control (MAC), Electronic Health Server, Authentication, Authorization, ID/Proxy, Pharmacy, Service request, Report, Doctor-Patient’s Feedback Server, and Patient.]
Figure 16: Operating model: authentication and privacy-preserving healthcare systems.

Figure 17: Future research directions: authentication and privacy-preserving healthcare systems.

enforcement industries. Figure 16 represents the operating model for authentication and privacy-preserving healthcare systems. Object lighting, pose variation, expression variations, and facial disguises are all issues for traditional FR approaches based on visible spectrum (VS). Unfortunately, these constraints reduce object identification and verification performance. Figure 17 shows the future research directions for authentication and privacy-preserving healthcare systems. The infrared spectrum (IRS) may be employed in human FR to circumvent these constraints. Some of the future research directions are as follows:

(i) In India, preventing ATM fraud is a priority. It is possible to construct a database of all ATM cardholders in India with facial and speech recognition technologies.
(ii) It can also identify candidates during examinations such as the Civil Services Exam, SSC, IIT, MBBS, and others.
(iii) This technology can verify and track attendance at various government offices and businesses.
(iv) It can also be implemented in bank lockers and vaults for access control verification and authentication of authentic users.
(v) More biometric authentication-enabled items, such as computers and cell phones, can be manufactured.
(vi) Consumers’ growing security concerns result in increased demand for biometric services.
(vii) Research efforts in improving the usability of 2FA setup processes.
(viii) Area of neural networks and big data.
(ix) Synergistic biometric systems couple all three factors: knowledge, biometrics, and ownership.
(x) Behavior-based biometrics based on muscular memory.
(xi) MFA sources to be utilized: heart and brain; attractive area of ECG and EEG analysis.
(xii) The capability to identify the users based on the way they interact with the computer.
(xiii) Unique fingerprint of the user-computer interaction pattern, which is extremely difficult to replicate.
(xiv) Utilizing AI and using brain signals to carry out user authentication.

8. Conclusions

It is no surprise that various digital accounts have become a magnet for fraudsters because people spend so much of their time on their phones and laptops. Malicious attacks on governments, businesses, and individuals are becoming increasingly widespread. Moreover, there are no indicators that hacking, data breaches, or other forms of cybercrime will slow down anytime soon. Fortunately, two-factor authentication, often known as 2FA, is a simple way for organizations to add an extra layer of security to user accounts.

Many existing approaches are vulnerable to insider attacks and off-line password guessing attacks, resulting in increased security risks and the inability to provide user anonymity. Secure authentication is required to overcome the problem of timely updating patient data in the medical system. The discussion above makes us believe that the new scheme meets the following requirements: smart health care is good. The proposed intelligent and privacy-preserving healthcare systems scheme provides mutual authentication between patient and authentication server. The patient can also change their password freely without the help of the registration server. Researchers have demonstrated that the proposed scheme has more security features and a greater security level than similar schemes.

Some people still do not use 2FA, making them vulnerable to security threats. The company’s responsibility is to endeavor to make people aware of the process and benefits of 2FA and biometric systems.

A very recent example of the same is WhatsApp. They have started their end-to-end encryption; they have used various media platforms to spread awareness about the same and influence people to use it more as it is the safer way, and this shall prevent them from various sorts of data breaches. So, even now, if people are not technically aware of end-to-end encryption, they still know this will protect their data. The same efforts are needed in the field of biometric 2FA.

Biometric authentication is undoubtedly gaining popularity and is commonly used by mobile users, but its popularity has been restricted to phones only. People are unaware of its usage on online databases, which are too vulnerable to security breaches. It should be user-friendly, with the terms and conditions, and the threats of not using it, explained in a layman’s way.

Data Availability

The article’s original contributions generated for this study are included; further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this study.

References

[1] S. Khatoon, S. M. M. Rahman, M. Alrubaian, and A. Alamri, “Privacy-preserved, provable secure, mutually authenticated key agreement protocol for healthcare in a smart city environment,” IEEE Access, vol. 7, pp. 47962–47971, 2019.
[2] S. Pandey, T. Taffese, M. Huang, and M. D. Byrne, “Human performance in google’s two-factor Authentication setup process,” Proceedings of the Human Factors and Ergonomics Society - Annual Meeting, vol. 63, no. 1, pp. 2221–2225, 2019.

[3] A. Abuarqoub, “D-FAP: dual-factor authentication protocol for mobile cloud-connected devices,” Journal of Sensor and Actuator Networks, vol. 9, no. 1, p. 1, 2020.
[4] O. Persson and E. Wermelin, A Theoretical Proposal of Two-Factor Authentication in Smartphones, 2017, http://www.bth.se.
[5] R. Bruzgiene and K. Jurgilas, “Securing remote access to information systems of critical infrastructure using two-factor authentication,” Electronics (Switzerland), vol. 10, no. 15, 2021.
[6] M. H. Barkadehi, M. Nilashi, O. Ibrahim, A. Zakeri Fardi, and S. Samad, “Authentication systems: a literature review and classification,” Telematics and Informatics, vol. 35, no. 5, pp. 1491–1511, 2018.
[7] M. K. Sharma and M. J. Nene, “Two-factor authentication using biometric-based quantum operations,” Security and Privacy, vol. 3, no. 3, 2020a, https://doi.org/10.1002/spy2.102.
[8] G. Ali, M. A. Dida, and A. E. Sam, “Two-factor authentication scheme for mobile money: a review of threat models and countermeasures,” Future Internet, vol. 12, no. 10, pp. 1–27, 2020.
[9] A. J. Mohammed and A. A. Yassin, “Efficient and flexible multi-factor authentication protocol based on fuzzy extractor of administrator’s fingerprint and smart mobile device,” Cryptography, vol. 3, no. 3, pp. 1–222, 2019.
[10] A. Ometov, S. Bezzateev, N. Mäkitalo, S. Andreev, T. Mikkonen, and Y. Koucheryavy, “Multi-factor authentication: a survey,” Cryptography, vol. 2, no. 1, pp. 1–31, 2018.
[11] U. Sharma, P. Tomar, S. S. Ali, N. Saxena, and R. S. Bhadoria, “Optimized authentication system with high security and privacy,” Electronics (Switzerland), vol. 10, no. 4, pp. 1–23, 2021.
[12] X. Yi, J. Willemson, and F. Nait-Abdesselam, “Privacy-preserving wireless medical sensor network,” in Proceedings of the 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2013, pp. 118–125, 2013.
[13] J. Zhang, X. Tan, X. Wang, A. Yan, and Z. Qin, “T2FA: transparent two-factor Authentication,” IEEE Access, vol. 6, pp. 32677–32686, 2018.
[14] S. Yu, K. Park, and Y. Park, “A secure lightweight three-factor authentication scheme for IoT in the cloud computing environment,” Sensors, vol. 19, no. 16, 2019.
[15] M. Obaidat, J. Brown, S. Obeidat, and M. Rawashdeh, “A hybrid dynamic encryption scheme for multi-factor verification: a novel paradigm for remote authentication,” Sensors, vol. 20, no. 15, pp. 1–32, 2020.
[16] G. Xu, S. Qiu, H. Ahmad et al., “A multi-server two-factor authentication scheme with un-traceability using elliptic curve cryptography,” Sensors, vol. 18, no. 7, 2018.
[17] K. David Biaru, University of Nairobi School of Computing and Informatics A Model of Two-Factor Authentication Using Facial Recognition in Automated Teller Machines, 2014.
[18] I.-P. Chang, T.-F. Lee, T.-H. Lin, and C.-M. Liu, “Enhanced two-factor authentication and key agreement using dynamic identities in wireless sensor networks,” Sensors, vol. 15, no. 12, pp. 29841–29854, 2015.
[19] J. Colnago, S. Devlin, M. Oates et al., “It’s not actually that horrible: Exploring Adoption of Two-Factor Authentication at a University,” in Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, pp. 1–11, 2018.
[20] Z. Zhu, “An efficient authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 36, no. 6, pp. 3833–3838, 2012a.
[21] A. K. Das, V. Odelu, and A. Goswami, “A secure and robust user authenticated key agreement scheme for Hierarchical multi-medical server environment in TMIS,” Journal of Medical Systems, vol. 39, no. 9, p. 92, 2015.
[22] Z.-Y. Wu, Y.-C. Lee, F. Lai, H.-C. Lee, and Y. Chung, “A secure authentication scheme for telecare medicine information systems,” Journal of Medical Systems, vol. 36, no. 3, pp. 1529–1535, 2012.
[23] M. Wazid, A. K. Das, S. Kumari, X. Li, and F. Wu, “Design of efficient and provably secure anonymity preserving three-factor user authentication and key agreement scheme for TMIS,” Security and Communication Networks, vol. 9, no. 13, pp. 1983–2001, 2016.
[24] V. Bansal and S. Garg, “A cancelable biometric identification scheme based on bloom filter and format-preserving encryption,” Journal of King Saud University - Computer and Information Sciences, 2022.
[25] A. Irshad, M. Sher, O. Nawaz, S. A. Chaudhry, I. Khan, and S. Kumari, “A secure and provable multi-server authenticated key agreement for TMIS based on Amin et al. scheme,” Multimedia Tools and Applications, vol. 76, no. 15, pp. 16463–16489, 2017.
[26] R. Amin and G. P. Biswas, “An improved RSA based user authentication and Session key agreement protocol useable in TMIS,” Journal of Medical Systems, vol. 39, no. 8, p. 79, 2015.
[27] D. Giri, T. Maitra, R. Amin, and P. D. Srivastava, “An efficient and robust RSA-based remote user authentication for telecare medical information systems,” Journal of Medical Systems, vol. 39, no. 1, p. 145, 2015.
[28] Z. Siddiqui, O. Tayan, and M. Khurram Khan, “Security analysis of smartphone and cloud computing authentication frameworks and protocols,” IEEE Access, vol. 6, pp. 34527–34542, 2018.
[29] M. K. Sharma and M. J. Nene, “Dual factor third-party biometric-based authentication scheme using quantum one-time passwords,” Security and Privacy, vol. 3, no. 6, 2020b.
[30] K. A. Shakil, F. J. Zareen, M. Alam, and S. Jabin, “BAMHealthCloud: a biometric authentication and data management system for healthcare data in cloud,” Journal of King Saud University - Computer and Information Sciences, vol. 32, no. 1, pp. 57–64, 2020.
[31] W. R. Braithwaite, Why Two-Factor Authentication in Healthcare?, 2009, http://www.anakam.com.
[32] A. Acar, W. Liu, R. Beyah, K. Akkaya, and A. S. Uluagac, “A privacy-preserving multi-factor authentication system,” Security and Privacy, vol. 2, no. 5, 2019.
[33] X. Yin, J. He, Y. Guo, D. Han, K. C. Li, and A. Castiglione, “An efficient two-factor authentication scheme based on the Merkle tree,” Sensors, vol. 20, no. 20, pp. 1–19, 2020.
[34] H. Khalid, S. J. Hashim, S. M. S. Ahmad, F. Hashim, and M. A. Chaudhary, “Selamat: a new secure and lightweight multi-factor authentication scheme for cross-platform industrial IoT systems,” Sensors, vol. 21, no. 4, pp. 1–32, 2021.
[35] A. D. Dwivedi, G. Srivastava, S. Dhar, and R. Singh, “A decentralized privacy-preserving healthcare blockchain for IoT,” Sensors, vol. 19, no. 2, 2019.
[36] F. Rahman, M. Z. A. Bhuiyan, and S. I. Ahamed, “A privacy preserving framework for RFID based healthcare systems,” Future Generation Computer Systems, vol. 72, pp. 339–352, 2017.
[37] H.-M. Chen, J.-W. Lo, and C.-K. Yeh, “An efficient and secure dynamic ID-based authentication scheme for telecare medical information systems,” Journal of Medical Systems, vol. 36, no. 6, pp. 3907–3915, 2012.
[38] H. Y. Lin, “On the security of a dynamic ID-based authentication scheme for telecare medical information systems,” Journal of Medical Systems, vol. 37, no. 2, p. 9929, 2013.

[39] Q. Jiang, J. Ma, Z. Ma, and G. Li, “A privacy enhanced authentication scheme for telecare medical information systems,” Journal of Medical Systems, vol. 37, no. 1, p. 9897, 2013.
[40] Q. Jiang, J. Ma, X. Lu, and Y. Tian, “Robust chaotic map-based authentication and key agreement scheme with strong anonymity for telecare medicine information systems,” Journal of Medical Systems, vol. 38, no. 2, p. 12, 2014.
