
Authentication Schemes and Methods A Systematic Literature Review

This systematic literature review examines various authentication schemes and methods, identifying 515 single-factor and 442 multi-factor techniques, with a focus on usability, security, and cost as primary comparison criteria. The study highlights the prevalence of smart card-based authentication and the combination of text passwords and smart cards as the most researched methods. It concludes that while extensive research exists, there is a notable lack of frameworks for effectively comparing and selecting authentication techniques across different contexts.


Accepted Manuscript

Authentication Schemes and Methods: a Systematic Literature Review

Ignacio Velásquez, Angélica Caro, Alfonso Rodríguez

PII: S0950-5849(16)30150-1
DOI: 10.1016/j.infsof.2017.09.012
Reference: INFSOF 5885

To appear in: Information and Software Technology

Received date: 14 September 2016
Revised date: 5 July 2017
Accepted date: 25 September 2017

Please cite this article as: Ignacio Velásquez, Angélica Caro, Alfonso Rodríguez, Authentication
Schemes and Methods: a Systematic Literature Review, Information and Software Technology (2017),
doi: 10.1016/j.infsof.2017.09.012

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service
to our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please
note that during the production process errors may be discovered which could affect the content, and
all legal disclaimers that apply to the journal pertain.
Authentication Schemes and Methods: a Systematic Literature Review

Ignacio Velásquez, Angélica Caro, Alfonso Rodríguez

Computer Science and Information Technologies Department,
University of Bío-Bío, Chillán, Chile
[email protected], {mcaro, alfonso}@ubiobio.cl

Abstract. Context: There is a great variety of techniques for performing
authentication, like the use of text passwords or smart cards. Some techniques
combine others into one, which is known as multi-factor authentication. There
is an interest in knowing existing authentication techniques, including those
aimed at multi-factor authentication, and the frameworks that can be found in
literature that are used to compare and select these techniques according to
different criteria.
Objective: This article aims to gather the existing knowledge on authentication
techniques and ways to discern the most effective ones for different contexts.
Method: A systematic literature review is performed in order to gather existing
authentication techniques proposed in literature and ways to compare and select
them in different contexts. A total of 515 single-factor and 442 multi-factor
authentication techniques have been found. Furthermore, 17 articles regarding
comparison and selection criteria for authentication techniques and 8
frameworks that help in such a task are discussed.
Results: A great variety of single-factor techniques has been found and smart
card-based authentication was shown to be the most researched technique.
Similarly, multi-factor techniques combine the different single-factor
techniques found and the combination of text-passwords and smart cards is the
most researched technique. Usability, security and costs are the most used
criteria for comparing and selecting authentication schemes, whereas the
context is noted as an important consideration as well. No framework among the
ones found analyzed in detail both single-factor and multi-factor authentication
techniques for the decision-making process.
Conclusion: The review shows that a vast amount of research has been done on
authentication techniques, although their use in some contexts has not been
researched as much. A lack of work regarding the comparison and selection
of authentication techniques is observed.

Keywords: Security, Authentication Scheme, Multi-Factor Authentication
Method, Systematic Literature Review.

1 Introduction

One of the most serious security threats to any computing device is impersonation of
an authorized user. User authentication is the first line of defense against this threat
[1], and is a central component of any security infrastructure [2]. Authentication is the
process of positively verifying a user’s identity, device or other entity in a computer
system, often as a prerequisite to allowing access to resources in the system [3].

An authentication factor is a piece of information used to authenticate or verify the
identity of a user [4]. These factors can be categorized in three groups [17, 18]: those
based on the knowledge factor (what the client knows, like text passwords [5, 6, 7] or
graphical passwords [8, 9, 10]), those based on the possession factor (what the client
owns, dependent on a physical possession, like smart cards [11, 12, 13]) and those
based on the inherence factor (who the client is, biometrics, like face recognition [14],
fingerprints [15] and keystroke dynamics [16]). Although there are other factors
proposed in literature, such as the use of a person’s social networks [19] and
location-based authentication [20], the three above are the most used and well-known factors.

Authentication techniques belonging to different factors can be combined to
enhance security, which is known as multi-factor authentication [3]. Some examples
of multi-factor authentication are the combination of the knowledge and possession
factors [21, 22], the combination of the knowledge and inherence factors [23, 24], the
combination of the possession and inherence factors [25, 26], and the combination of
all three well-known factors [27, 28]. In this article, authentication techniques that
belong to a single authentication factor will be referred to as authentication schemes,
whereas combinations of techniques from different factors will be referred to as
multi-factor authentication methods.

A Systematic Literature Review (SLR) is performed to analyze existing
frameworks that help in the decision process for choosing the adequate authentication
schemes or methods for different use contexts, together with identifying the most used
criteria for this comparison and selection. This information could be useful for
industry experts when faced with the job of selecting the most adequate authentication
schemes or methods for their applications. Additionally, a detailed review of existing
authentication schemes and multi-factor authentication methods is performed, in order
to know the current research that has been done in this area.

The remainder of the article is organized as follows: section 2 explains the
research methodology used. In section 3, the whole planning process of the SLR is
presented, whereas its results are shown in section 4, and a discussion about the main
findings of the review is given in section 5. Section 6 provides the article’s
conclusions.

2 Research Methodology

A systematic literature review, based on Barbara Kitchenham’s method [29], was
performed in order to survey the existing knowledge about the topic of this article.
The SLR process applied in this research can be seen in Fig. 1.

Fig. 1. Systematic literature review process applied in this research.

First, the review was planned; from this planning, together with the
identification of the need for research, the search and review protocols to be used
were obtained. Two supervisors analyzed this planning to evaluate its adequacy.
Afterwards, a general search was performed in different sources as specified by the
review planning. From the search’s results, the duplicate articles were removed, and a
partial review was performed on the remaining articles, obtaining a list of selected
articles that were potentially useful. The selected articles were reviewed and analyzed
in depth and the list with useful articles for this research was obtained. The details of
the review planning are specified in section 3, whereas the results from performing
the search and review process can be found in section 4.

3 Review Planning

The identification of the need for research, together with the search and review
protocols used for the SLR are specified as follows:

3.1 Identification of the Need for Research


The review’s objective was to identify authentication schemes proposed in literature
and possible combinations of them for their use as multi-factor authentication
methods, while also detecting criteria used for their comparison and selection and the
existence of frameworks that handle such a task. Based on this objective, the
following Questions (Q) were formulated to further define the need for investigation:
Q1. Which are the main authentication schemes that exist in the literature?
Q2. What combinations of these schemes can be found that can be used as
multi-factor authentication methods?
Q3. What criteria can be used to compare and/or to select between authentication
schemes or multi-factor authentication methods?
Q4. Are there frameworks that help to compare and/or to select authentication
schemes or multi-factor authentication methods? What are their
characteristics?

3.2 Resources for Performing the Systematic Literature Review

In order to perform the SLR, sources that are related to the topic at hand were used,
specifically, Scopus (https://www.scopus.com/), Science Direct
(http://www.sciencedirect.com/), IEEE (http://ieeexplore.ieee.org/Xplore/home.jsp),
ACM (http://dl.acm.org/) and Springer (http://link.springer.com/).
Additionally, Google Scholar (https://scholar.google.com/) was used to extend the
search to potentially useful publications not indexed in the previously
mentioned sources.

3.3 Search Protocol

This defines the protocol that was used for performing the search in the sources
defined above. Thus, the Terms (T) used for the review, as well as their Combinations
(C) were defined (see Table 1).

Table 1. Terms and combinations used to perform the SLR.

| Type | ID | Definition |
|---|---|---|
| Term | T1 | authentication |
| Term | T2 | scheme |
| Term | T3 | method |
| Term | T4 | multi-factor |
| Term | T5 | two-factor |
| Term | T6 | three-factor |
| Term | T7 | comparison |
| Term | T8 | selection |
| Term | T9 | criteria |
| Term | T10 | decision |
| Term | T11 | framework |
| Combination | C1 | T1 and (T2 or T3) |
| Combination | C2 | (T4 or T5 or T6) and T1 |
| Combination | C3 | (T4 or T5 or T6) and T1 and (T2 or T3) |
| Combination | C4 | T1 and (T2 or T3) and (T7 or T8 or T9 or T10) |
| Combination | C5 | (T4 or T5 or T6) and T1 and (T7 or T8 or T9 or T10) |
| Combination | C6 | (T4 or T5 or T6) and T1 and (T2 or T3) and (T7 or T8 or T9 or T10) |
| Combination | C7 | T1 and (T2 or T3) and (T7 or T8 or T9 or T10) and T11 |
| Combination | C8 | (T4 or T5 or T6) and T1 and (T7 or T8 or T9 or T10) and T11 |
| Combination | C9 | (T4 or T5 or T6) and T1 and (T2 or T3) and (T7 or T8 or T9 or T10) and T11 |

Some general guidelines for performing the search in each of the
resources specified above were defined, among them:
• In some cases, the search terms can be entered in an escalated way, restricting
the results of a previous search.
• For each performed search, the first 200 results must be reviewed.
• If the search results have restricted access, the document must be searched for
in alternate ways (for example, in the authors’ personal sites).
• The possibility of the appearance of new terms or concepts that could help to
find works of interest must be taken into consideration.

An online reference manager was used to facilitate the recording of the search
results and their source. Moreover, the results of each search were recorded in a table
containing the source, the combination of terms, the number of found articles and the
search date for each search. For every entry in the previously described table, another
table was used to record every reviewed article’s reference, their acceptance or
rejection, a brief description explaining the reason for acceptance or rejection and the
acceptance topic to which they belong.

3.4 Review Protocol

A partial review was performed in order to obtain potentially useful articles for the
research. For reviewing every article in this step, the abstract of each one was read. If
needed, their introduction and conclusions were also read, while in some specific
cases part of the article’s body was read as well. Once every reading had been made,
the decision whether to include the article as a potentially useful article was made, in
accordance with this protocol’s criteria. A record of the accepted and rejected articles
was kept by using the tables described above.

Every article that was related to any of the following Acceptance Topics (AT),
each related to one of the research questions formulated above, was included:
AT1. Authentication schemes.
AT2. Multi-factor authentication methods.
AT3. Comparison and selection criteria for authentication schemes or
multi-factor authentication methods.
AT4. Frameworks that support the decision of authentication schemes or
multi-factor authentication methods.

On the other hand, any article that contained the search terms or combinations of
them, but did not contain relevant information on the topic at hand, was excluded.

An in-depth analysis of these potential articles was performed afterwards,
according to the acceptance topic of each article. For the articles in AT1 and AT2, the
authentication scheme or method, together with the authentication factor to which
they belong and (if mentioned) the context that the scheme or method was proposed
for were identified. A thorough analysis of the articles in AT3 and AT4 was carried out,
in order to adequately understand their proposals and to identify their pros and cons,
emphasizing the criteria used in each one.

The information of the accepted articles was extracted, synthesized and stored in a
table according to their acceptance topic. For authentication schemes, the reference,
the proposed scheme, the authentication factor to which they belong and a brief
description were stored. For multi-factor authentication methods, the reference, the
combined factors, the specific schemes and a brief description were stored. For the
comparison and selection criteria, the reference, the used criteria and a brief
description were stored. Finally, for the decision frameworks, the reference, a brief
description and observed strengths and weaknesses were stored.

4 Results

A search was performed for every combination of terms in every source specified in
the search protocol; in total, 54 different searches were done. For each search, 200
publications were reviewed. However, 15 of these yielded fewer than 200 results and,
among them, 5 yielded no results. This way, a total of 8,153 articles were reviewed.

In order to improve the obtained results, some extra refinements were made on
some of the sources: in Scopus, the subject area was limited to Computer Science,
whereas in Springer the content type was refined to article and in Google Scholar
patents and citations were excluded.

Out of the 8,153 articles, those that were repeated were eliminated, obtaining a
total of 3,910 different articles. After a superficial review, 1,015 of them were
considered potentially useful articles. A detailed analysis was performed afterwards,
and it was noticed that 33 of the potential articles were not relevant for the current
research, so they were discarded, leaving a total of 982 useful and accepted articles,
split between the four acceptance topics as shown in Table 2.

Table 2. Accepted articles split between each Acceptance Topic.

| Acceptance Topic | Number of Accepted Articles |
|---|---|
| AT1 | 515 |
| AT2 | 442 |
| AT3 | 17 |
| AT4 | 8 |
| Total | 982 |

A list containing all of the references for the accepted articles in this SLR can be
found in the supplementary materials (http://colvin.chillan.ubiobio.cl/mcaro/). The
remainder of this section shows the analysis of the useful articles according to each
acceptance topic.

4.1 Authentication Schemes (AT1)

Over 50% of the accepted articles, 515, belong to AT1. The reason for it could be that
authentication schemes are the base for the topics discussed in AT2, AT3 and AT4, so
they have been addressed more often in literature. As for the results, 217 of the
articles focus on the proposal of schemes pertaining to the inherence factor, whereas
169 propose the use of the possession factor and 124 the knowledge factor. The
remaining 5 articles are related to other authentication factors that have been proposed
in literature. Table 3 presents the authentication scheme proposals found in literature,
the factor to which they belong and the number of articles that propose each of them.

Table 3. Authentication schemes found in literature.

| Factor | Scheme | Number of Articles |
|---|---|---|
| Knowledge | Text Passwords | 44 |
| Knowledge | Graphical Passwords | 42 |
| Knowledge | Cognitive Authentication | 25 |
| Knowledge | Personal Identification Number (PIN) | 7 |
| Knowledge | Questions | 4 |
| Knowledge | Other Knowledge-Based Schemes | 2 |
| Knowledge | Total | 124 |
| Possession | ID-Based (Smart Cards) | 103 |
| Possession | One Time Password (OTP) Tokens | 43 |
| Possession | Mobile-Based | 21 |
| Possession | Other Possession-Based Schemes | 2 |
| Possession | Total | 169 |
| Inherence | Face Biometrics | 24 |
| Inherence | Keystroke Biometrics | 24 |
| Inherence | Hand Gestures | 12 |
| Inherence | Palmprint Biometrics | 12 |
| Inherence | Touchstroke Biometrics | 11 |
| Inherence | Fingerprints | 10 |
| Inherence | Iris Biometrics | 8 |
| Inherence | Brainwaves | 5 |
| Inherence | Heartbeats | 5 |
| Inherence | Knuckleprint Biometrics | 5 |
| Inherence | Gait Biometrics | 4 |
| Inherence | Multi-Modal Biometrics | 19 |
| Inherence | Other Biometrics | 17 |
| Inherence | Behavioral Biometrics (Undefined) | 13 |
| Inherence | Biometrics (Undefined) | 48 |
| Inherence | Total | 217 |
| Other Factors | | 5 |
| Grand Total | | 515 |

The text passwords scheme, the most widely used scheme nowadays [30], is the
authentication scheme that belongs to the knowledge factor with the most related
articles (44), followed by the graphical passwords scheme, with 42 articles. On the
other hand, the vast majority of proposals regarding the possession factor are
related to the use of smart cards, with 103 out of 169 articles, which corresponds to
60.1% of them. There are many different articles related to the use of biometrics for
the inherence factor, although 48 of those do not define a specific biometric for their
proposal, and 13 others only mention the use of behavioral biometrics but not a
particular one.

Most of the articles found have been published from 2000 onwards (505) and only
10 were published before. An increasing interest in the topic of authentication
schemes can be noticed, as the number of articles related to it has been increasing
over the years, with the exception of 2012, which has a noticeable decrease in research
compared to its prior year. 2015 is the year with the most publications related to
authentication schemes, with 82 articles, whereas 2001 has the least, with only one.
The oldest accepted article dates to 1974 [31], and proposes the use of text passwords.
No article prior to 2000 discusses the use of schemes related to the possession factor.
The graph in Fig. 2 shows the accepted articles and the authentication factor to
which they belong, split per year. It is important to mention that this review was
performed between the second and third quarters of 2016, so not all of the articles of
this year are present.

Fig. 2. Authentication factors according to publication year.

The context for which every authentication scheme was proposed was recorded.
The mobile environment was the most common context, followed by remote
authentication and healthcare/telecare. It is important to mention that more than half
of the articles, 282, did not specify a particular context for their proposal. The
different contexts that have been found can be seen in Table 4, along with how many
schemes for each authentication factor are proposed in each of them.

Table 4. Authentication factors and their contexts.

| Context | Knowledge | Possession | Inherence | Other Factors | Total |
|---|---|---|---|---|---|
| Mobile Environment and Touch Screens | 24 | 16 | 41 | 0 | 81 |
| Remote Authentication | 4 | 33 | 5 | 0 | 42 |
| Healthcare/Telecare | 0 | 13 | 11 | 0 | 24 |
| Multi Server Environment | 2 | 9 | 6 | 0 | 17 |
| Continuous Authentication | 0 | 0 | 11 | 0 | 11 |
| Wireless Sensor Networks | 2 | 7 | 1 | 0 | 10 |
| Cloud Computing | 1 | 6 | 2 | 0 | 9 |
| Banking and Commerce | 2 | 4 | 2 | 0 | 8 |
| Smart Environment | 0 | 6 | 1 | 0 | 7 |
| Session Initiation Protocol | 1 | 2 | 2 | 0 | 5 |
| Web Applications | 2 | 1 | 1 | 1 | 5 |
| Other Contexts | 4 | 6 | 4 | 0 | 14 |
| Not Specified | 82 | 66 | 130 | 4 | 282 |
| Total | 124 | 169 | 217 | 5 | 515 |

4.2 Multi-Factor Authentication Methods (AT2)

For the AT2, 442 articles were found. Most of the accepted articles correspond to
proposals of methods that combine schemes from the knowledge and possession
factors, adding up to 270 articles, which corresponds to over 60% of the articles.
There are 44 proposals that combine the knowledge and inherence factors and 43 that
combine the possession and inherence factors. On the other hand, 68 proposals
combine the three factors. Twelve articles were found that did not propose a specific
combination of factors, but rather proposed the use of different factors according to
different situations. Similar to AT1, 5 articles were found that proposed multi-factor
authentication methods whose factor combinations included a factor proposed in
literature that was not among the three well-known ones. Table 5 presents the
multi-factor authentication method proposals found in literature, the combination of factors
to which they belong and the number of articles that propose each of them.

Table 5. Multi-factor authentication methods found in literature.

| Combination | Method | Number of Articles |
|---|---|---|
| Knowledge AND Possession | Text Passwords AND ID-Based | 188 |
| Knowledge AND Possession | Text Passwords AND Mobile-Based | 37 |
| Knowledge AND Possession | Text Passwords AND OTP | 34 |
| Knowledge AND Possession | Other Methods | 11 |
| Knowledge AND Possession | Total | 270 |
| Knowledge AND Inherence | Text Passwords AND Biometrics | 36 |
| Knowledge AND Inherence | Graphical Passwords AND Biometrics | 4 |
| Knowledge AND Inherence | Other Methods | 4 |
| Knowledge AND Inherence | Total | 44 |
| Possession AND Inherence | ID-Based AND Biometrics | 24 |
| Possession AND Inherence | OTP AND Biometrics | 9 |
| Possession AND Inherence | Mobile-Based AND Biometrics | 6 |
| Possession AND Inherence | Other Methods | 4 |
| Possession AND Inherence | Total | 43 |
| Knowledge AND Possession AND Inherence | Text Passwords AND ID-Based AND Biometrics | 47 |
| Knowledge AND Possession AND Inherence | Text Passwords AND OTP AND Biometrics | 9 |
| Knowledge AND Possession AND Inherence | Text Passwords AND Mobile-Based AND Biometrics | 7 |
| Knowledge AND Possession AND Inherence | Other Methods | 5 |
| Knowledge AND Possession AND Inherence | Total | 68 |
| Other Combinations | | 5 |
| Dynamic Methods | | 12 |
| Grand Total | | 442 |

The combination of text passwords and smart cards (ID-Based) is by far the one
with the most articles, with a total of 188 (69.4%) of the articles combining the
knowledge and possession factors. Text passwords and/or smart cards are also seen
as the most used schemes, together with biometrics, for every other combination of
factors, highlighting the vast amount of research given to multi-factor
authentication methods based on these schemes.

Similar to AT1, an increasing interest in the topic of multi-factor authentication
can be seen, with the difference that there are no significant drops in the number of
articles in any specific year. There are only 6 articles prior to 2000, and all of them
propose the use of a combination between the knowledge and possession factors.
Again, 2015 is the year with the most publications, 81. No articles were accepted that
were published during 2000, and the oldest accepted article dates to 1991 [32]. The
graph in Fig. 3 presents the accepted articles and the combination of authentication
factors to which they belong, split per year. Recall that this review was performed
between the second and third quarters of 2016, so not all of the articles of said year
are present.

Fig. 3. Multi-factor authentication methods according to publication year.


The context for which every multi-factor authentication method was proposed was
recorded as well. As opposed to authentication schemes, only 38.7% of them did not
mention the context for which they were proposed. Remote authentication and
healthcare/telecare are the two most recurrent contexts, but unlike for authentication
schemes, mobile environment is considerably less discussed. The different contexts
that have been found can be seen in Table 6, along with how many methods for each
combination of authentication factors are proposed in each of them.

Table 6. Multi-factor authentication methods and their contexts.

| Context | Knowledge AND Possession | Knowledge AND Inherence | Possession AND Inherence | Knowledge AND Possession AND Inherence | Other Combinations | Dynamic | Total |
|---|---|---|---|---|---|---|---|
| Remote Authentication | 45 | 1 | 8 | 10 | 0 | 0 | 64 |
| Healthcare / Telecare | 29 | 3 | 2 | 14 | 0 | 0 | 48 |
| Wireless Sensor Networks | 28 | 0 | 1 | 4 | 0 | 0 | 33 |
| Multi Server Environment | 18 | 1 | 4 | 6 | 0 | 0 | 29 |
| Mobile Environment and Touch Screens | 11 | 8 | 0 | 2 | 0 | 0 | 21 |
| Cloud Computing | 10 | 2 | 1 | 3 | 0 | 1 | 17 |
| Banking and Commerce | 8 | 1 | 1 | 0 | 0 | 1 | 11 |
| Web Applications | 10 | 1 | 0 | 0 | 0 | 0 | 11 |
| Wireless Networks | 7 | 0 | 0 | 1 | 0 | 0 | 8 |
| USB Devices | 3 | 0 | 0 | 3 | 0 | 0 | 6 |
| Unsafe Environment | 4 | 0 | 1 | 0 | 0 | 0 | 5 |
| Other Contexts | 10 | 2 | 3 | 2 | 1 | 1 | 19 |
| Not Specified | 87 | 25 | 22 | 23 | 4 | 9 | 170 |
| Total | 270 | 44 | 43 | 68 | 5 | 12 | 442 |

4.3 Comparison and Selection Criteria (AT3)


Another goal of this review was to identify different selection and comparison criteria
used to decide on what authentication scheme or multi-factor authentication method
to use in a given situation. 17 articles regarding this topic were found. All of these
consider one or more criteria for comparing authentication schemes or methods, with
usability and security criteria being the two most used, each one addressed in 9 different
articles.

Criteria related to the scheme or method’s costs are used 5 times, and those
regarding the context where the scheme or method will be used are used twice. Seven
other criteria, such as future tendencies of the scheme or method or its privacy, are
proposed as well among different articles, but each of them is proposed only once. It
could be observed that many of the relevant articles proposed the use of two or more
of the three most considered criteria [33, 34, 35].

Five of the articles consider multi-factor authentication. On the other hand, 13 of
them consider a specific context. The contexts considered in these articles can be seen
in Fig. 4.

Fig. 4. Contexts considered in articles regarding comparison and selection criteria.

4.4 Decision Frameworks (AT4)

Eight decision frameworks have been found that help in the selection and comparison
of authentication schemes and/or multi-factor authentication methods. A brief
description of each is given in Table 7.

Table 7. Frameworks that help in the decision of authentication schemes or methods.

| Article Title | Description |
|---|---|
| A criteria-based evaluation framework for authentication schemes in IMS [36] | Decision framework for multimedia systems based on three primary criteria (security, ease of use and simplicity) and three secondary criteria (awareness, usability and algorithms), and also considering users’ perceptions. |
| A Framework for Choosing Your Next Generation Authentication/Authorization System [37] | Realizes a general evaluation of various authentication schemes in relation to their pros and cons. Also addresses some authorization-related topics. |
| Approach for selecting the most suitable Automated Personal Identification Mechanism (ASMSA) [38] | Supports the selection of the most suitable automated identification from either the knowledge or the inherence factors, considering both the context and stakeholders’ requirements. |
| Cost and benefit analysis of authentication systems [39] | Thorough analysis of authentication schemes and multi-factor authentication methods in relation to cost-related criteria. Intended for use when a company switches from an authentication scheme or method to another. |
| Efficiency of Paid Authentication Methods for Mobile Devices [40] | Surveys system managers about their preferences on paid authentication schemes for the mobile environment. Security, convenience and operation costs are considered. |
| The quest to replace passwords: A framework for comparative evaluation of web authentication schemes [30] | Thorough analysis of multiple authentication schemes in terms of security, usability and costs. It provides a comparative table that eases the decision-making process. It mentions multi-factor authentication, but only briefly. |
| The Request for Better Measurement: A Comparative Evaluation of Two-Factor Authentication Schemes [41] | Compares the multiple existing two-factor authentication scheme proposals using text passwords and smart cards, with regard to their desirable attributes, security requirements and efficiency. |
| User-centred authentication feature framework [42] | A framework oriented to researchers that evaluates knowledge-based schemes with regard to features related to persuasion, memory, input and output and obfuscation. |

The oldest article found is from 2002 [37]. Most of the authentication scheme and
multi-factor authentication method proposals found in this review are from years after
this framework’s publication, so its contents might be outdated. On the other hand,
the most recent article is from 2016 [41], and most scheme and method proposals
found are prior to this publication, so its contents are probably up to date.

5 Discussion

The main findings and the limitations of this review are discussed here. This review
allows us not only to learn about the state of the art on authentication schemes and
multi-factor authentication methods, but it also serves as a way to identify the
principal contexts in which they were proposed and used, while also giving an insight
on the criteria used when facing the need to decide on what scheme or method to use
in different contexts and the existing frameworks that perform this task.

Among authentication schemes, out of the three well-known authentication factors,
the inherence factor is the most researched one, whereas the knowledge factor is the
least, perhaps due to the current paradigm that the most representative scheme of this
factor (text passwords) is not very secure [30]. Nevertheless, the most reviewed
scheme is smart card-based authentication, which belongs to the possession factor.
While some contexts were expected to be researched often, like the mobile
environment, some others were not identified as often as expected, like banking
and commerce.

The combination of the knowledge and possession factors is very predominant in
multi-factor authentication methods, especially the use of both text passwords and
smart cards. Three-factor authentication is the second most researched combination of
factors, although it seems to be the least widely applied one [3]. Both text passwords
and smart cards are used in 259 articles each, as one of the schemes considered in the
combination for multi-factor authentication. The existence of dynamic multi-factor
authentication methods [43, 44, 45] is interesting, as they adapt to different
environments. One multi-factor authentication method that uses four different factors
(the fourth being the factor related to the user’s location) was found [46].

Not many articles related to comparison and selection criteria or decision
frameworks for authentication schemes or methods were found. From the existing
ones, the common use of usability, security and cost-related criteria for the
comparison and selection was noticed. The context of use is also seen as an important
element, as the articles either consider this as one of the decision criteria [47] or the
article’s proposal itself is directed to a specific context [48, 49].

With regard to the decision frameworks, it can be seen that multi-factor
authentication is not considered often, whereas the proposals that do consider it focus
solely on some authentication aspects, leaving others aside. No framework could be found that
considered both single-factor and multi-factor authentication, together with enough
decision criteria for carrying out a detailed comparison and selection of existing
authentication schemes or methods to be used.

The acceptance of the articles for AT1 and AT2 was limited to those that directly
proposed a new authentication scheme or an improvement to an existing one. Also,
due to time constraints and the number of potentially useful articles in AT1 and AT2,
only the relevant information for the review was extracted.

6 Conclusions

This SLR aimed at investigating the existing decision frameworks and comparison and selection criteria related to authentication schemes and multi-factor authentication methods, together with the existing research on these schemes and methods. Through this review, a total of 982 articles were found that discussed authentication schemes, multi-factor authentication methods, or frameworks and criteria that help in the comparison and selection of these in different environments. The main findings of this review, in relation to the formulated research questions, are as follows:

Q1. There has been considerable research on all three well-known authentication factors. Text and graphical passwords are the most researched schemes for knowledge-based authentication, whereas there are multiple different biometrics proposals for the inherence factor. The most researched scheme is smart card-based authentication from the possession factor.

Q2. There are many different multi-factor authentication methods that combine the authentication schemes from Q1. There are combination proposals that consider two factors and others that consider three factors; there is even a proposal that considers four factors (the fourth being location-based authentication). There is a clear prevalence in the use of text passwords and smart cards as one of the schemes used for the different combinations.

Q3. The comparison and selection of different authentication schemes or methods is done primarily through usability and security criteria, sometimes with the consideration of cost-related criteria as well. Although it is not considered as a criterion in the reviewed articles, the context is an important aspect to examine, as most studies are presented for specific contexts.

Q4. Eight frameworks that help in the decision of authentication schemes or methods were found. Each framework has its own characteristics: some consider a specific context, some focus on specific schemes or methods and some are more general. No framework that carried out a thorough analysis of both authentication schemes and multi-factor authentication methods could be found.

The main purpose of this SLR was to ascertain existing decision frameworks and criteria for the comparison and selection of authentication schemes or methods. However, its results could also be useful for researchers, as they can help them analyze the existing work on the different authentication schemes or methods found through this review, thus identifying spaces to perform further research on them. Some future work ideas are to research the existing authentication schemes or methods in contexts that have not been widely studied, such as social media, and to evaluate the use of these contexts as a criterion for the comparison and selection of authentication schemes or methods. The definition of a framework that helps in detail with the decision to use authentication schemes and/or multi-factor authentication methods is considered as well.

Acknowledgments

This research is part of the following projects: DIUBB 144319 2/R and BuPERG (DIUBB 152419 G/EF).

References

1. Jansen, W.: Authenticating users on handheld devices. In: Proceedings of the Canadian
Information Technology Security Symposium, pp. 1-12. (2003)
2. Madhusudhan, R., Mittal, R.C.: Dynamic ID-based remote user password authentication
schemes using smart cards: A review. Journal of Network and Computer Applications 35,
1235-1248 (2012)
3. O'Gorman, L.: Comparing passwords, tokens, and biometrics for user authentication.
Proceedings of the IEEE 91, 2021-2040 (2003)
4. Rathgeb, C., Uhl, A.: Two-factor authentication or how to potentially counterfeit
experimental results in biometric systems. Image Analysis and Recognition, pp. 296-305.
Springer (2010)
5. Hafizul Islam, S.K., Biswas, G.P.: Design of improved password authentication and
update scheme based on elliptic curve cryptography. Mathematical and Computer
Modelling 57, 2703-2717 (2013)
6. Das, A.K., Sharma, P., Chatterjee, S., Sing, J.K.: A dynamic password-based user
authentication scheme for hierarchical wireless sensor networks. Journal of Network and
Computer Applications 35, 1646-1656 (2012)
7. Wang, S.-Q., Wang, J.-Y., Li, Y.-Z.: The Web Security Password Authentication based
the Single-block Hash Function. IERI Procedia 4, 2-7 (2013)
8. Mihajlov, M., Jerman-Blažič, B.: On designing usable and secure recognition-based
graphical authentication mechanisms. Interacting with Computers 23, 582-593 (2011)
9. Umar, M.S., Rafiq, M.Q.: Select-to-Spawn: A novel recognition-based graphical user
authentication scheme. In: 2012 IEEE International Conference on Signal Processing,
Computing and Control, ISPCC 2012. (2012)
10. Li, Z., Sun, Q., Lian, Y., Giusto, D.D.: A secure image-based authentication scheme for
mobile devices. In: Lecture Notes in Computer Science, pp. 751-760. (2005)
11. Cheul Shin, K., Jong Oh, K.: Smartcard-based remote authentication scheme preserving
user anonymity. International Journal of Information Processing and Management 4, 10-18
(2013)
12. Cheng, Z.Y., Liu, Y., Chang, C.C., Chang, S.C.: A smart card based authentication
scheme for remote user login and verification. International Journal of Innovative
Computing, Information and Control 8, 5499-5511 (2012)
13. Jeon, W., Lee, Y., Won, D.: An efficient user authentication scheme with smart cards for
wireless communications. International Journal of Security and its Applications 7, 1-16
(2013)
14. Imtiaz, H., Fattah, S.A.: A face recognition scheme using wavelet-based local features. In:
Computers & Informatics (ISCI), 2011 IEEE Symposium on, pp. 313-316. (2011)
15. Wang, P., Ku, C.-C., Wang, T.C.: A new fingerprint authentication scheme based on
secret-splitting for enhanced cloud security. Recent Application in Bio-metrics 183-196
(2011)
16. Wang, X., Guo, F., Ma, J.-f.: User authentication via keystroke dynamics based on
difference subspace and slope correlation degree. Digital Signal Processing 22, 707-712
(2012)
17. Al-Assam, H., Sellahewa, H., Jassim, S.: On security of multi-factor biometric
authentication. In: Internet Technology and Secured Transactions (ICITST), 2010
International Conference for, pp. 1-6. IEEE, (2010)
18. Huang, X., Xiang, Y., Chonka, A., Zhou, J., Deng, R.H.: A generic framework for three-
factor authentication: Preserving security and privacy in distributed systems. IEEE
Transactions on Parallel and Distributed Systems 22, 1390-1397 (2011)
19. Brainard, J., Juels, A., Rivest, R.L., Szydlo, M., Yung, M.: Fourth-factor authentication:
somebody you know. Proceedings of the 13th ACM conference on Computer and
communications security. ACM, Alexandria, Virginia, USA (2006)
20. Choi, S., Zage, D.: Addressing insider threat using “where you are” as fourth factor
authentication. In: Security Technology (ICCST), 2012 IEEE International Carnahan
Conference on, pp. 147-153. (2012)
21. Yang, G., Wong, D.S., Wang, H., Deng, X.: Two-factor mutual authentication based on
smart cards and passwords. Journal of Computer and System Sciences 74, 1160-1172
(2008)
22. Cao, T., Huang, S.: Two-factor authentication schemes based smart card and password
with user anonymity. Journal of Computational Information Systems 9, 8831-8838 (2013)
23. Kang, J., Nyang, D., Lee, K.: Two-factor face authentication using matrix permutation
transformation and a user password. Information Sciences 269, 1-20 (2014)
24. Yu, Z., Jingchun, X., Dake, H.: Trusted user authentication scheme combining password
with fingerprint for mobile devices. In: Biometrics and Security Technologies, 2008.
ISBAST 2008. International Symposium on, pp. 1-8. (2008)
25. Tang, H.B., Zhu, Z.J., Gao, Z.W., Li, Y.: A secure biometric-based authentication scheme
using smart card. In: International Conference on Cyberspace Technology (CCT 2013),
pp. 39-43. (2013)
26. Clancy, T.C., Kiyavash, N., Lin, D.J.: Secure smartcardbased fingerprint authentication.
Proceedings of the 2003 ACM SIGMM workshop on Biometrics methods and
applications. ACM, Berkley, California (2003)
27. Zhang, M., Zhang, J., Zhang, Y.: Remote three-factor authentication scheme based on
Fuzzy extractors. Security and Communication Networks 8, 682-693 (2015)
28. Yu, J., Wang, G., Mu, Y., Gao, W.: An efficient generic framework for three-factor
authentication with provably secure instantiation. IEEE Transactions on Information
Forensics and Security 9, 2302-2313 (2014)
29. Kitchenham, B.: Procedures for Performing Systematic Reviews. Joint Technical Report,
Keele University TR/SE-0401 and NICTA 0400011T.1, 1-26 (2004)
30. Bonneau, J., Herley, C., Van Oorschot, P.C., Stajano, F.: The quest to replace passwords:
A framework for comparative evaluation of web authentication schemes. In: Security and
Privacy (SP), 2012 IEEE Symposium on, pp. 553-567. IEEE, (2012)
31. Arthur Evans, J., Kantrowitz, W., Weiss, E.: A user authentication scheme not requiring
secrecy in the computer. Commun. ACM 17, 437-442 (1974)
32. Chang, C.-C., Wu, T.-C.: Remote password authentication with smart cards. IEE
Proceedings E-Computers and Digital Techniques 138, 165-168 (1991)
33. Park, K.C., Shin, J.W., Lee, B.G.: Analysis of Authentication Methods for Smartphone
Banking Service using ANP. TIIS 8, 2087-2103 (2014)
34. Kumari, S., Khan, M.K., Atiquzzaman, M.: User authentication schemes for wireless
sensor networks: A review. Ad Hoc Networks 27, 159-194 (2015)
35. Kiljan, S., Vranken, H., van Eekelen, M.: Evaluation of transaction authentication methods
for online banking. Future Generation Computer Systems (2016)
36. Eliasson, C., Fiedler, M., Jørstad, I.: A criteria-based evaluation framework for
authentication schemes in IMS. In: Proceedings - International Conference on Availability,
Reliability and Security, ARES 2009, pp. 865-869. (2009)
37. Guel, M.D.: A Framework for Choosing Your Next Generation
Authentication/Authorization System. Information Security Technical Report 7, 63-78
(2002)
38. Palmer, A.J.: Approach for selecting the most suitable Automated Personal Identification
Mechanism (ASMSA). Computers and Security 29, 785-806 (2010)
39. Altinkemer, K., Wang, T.: Cost and benefit analysis of authentication systems. Decision
Support Systems 51, 394-404 (2011)
40. Kim, J.Y.: Efficiency of Paid Authentication Methods for Mobile Devices. Wireless
Personal Communications 1-9 (2016)
41. Wang, D., Gu, Q., Cheng, H., Wang, P.: The Request for Better Measurement: A
Comparative Evaluation of Two-Factor Authentication Schemes. Proceedings of the 11th
ACM on Asia Conference on Computer and Communications Security. ACM, Xi'an,
China (2016)
42. Forget, A., Chiasson, S., Biddle, R.: User-centred authentication feature framework.
Information and Computer Security 23, 497-515 (2015)
43. Nag, A.K., Dasgupta, D., Deb, K.: An adaptive approach for active multi-factor
authentication. In: 9th Annual Symposium on Information Assurance (ASIA’14), pp. 39.
(2014)
44. Nag, A.K., Dasgupta, D.: An adaptive approach for continuous multi-factor authentication
in an identity eco-system. In: ACM International Conference Proceeding Series, pp. 65-68.
(2014)
45. Miranda, L.H.F.M.: Context-aware multi-factor authentication. Faculdade de Ciências e
Tecnologia (2009)
46. Kathrine, G.J.W., Kirubakaran, E.: Four-factor based privacy preserving biometric
authentication and authorization scheme for enhancing grid security. Int J Comput Appl
30, 13-20 (2011)
47. O'Gorman, L.: Comparing passwords, tokens, and biometrics for user authentication.
Proceedings of the IEEE 91, 2021-2040 (2003)
48. Bruun, A., Jensen, K., Kristensen, D.: Usability of single-and multi-factor authentication
methods on tabletops: A comparative study. Lecture Notes in Computer Science
(including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in
Bioinformatics), vol. 8742, pp. 299-306 (2014)
49. Anwar, M., Imran, A.: A comparative study of graphical and alphanumeric passwords for
mobile device authentication. In: CEUR Workshop Proceedings, pp. 13-18. (2015)
