Authors
CENGIZ KAYGUSUZ, HIDAYET AKSU, KEMAL AKKAYA, SELCUK ULUAGAC
Publication date
2021
Description
Efforts to improve the security of authentication services have historically progressed from what-you-know (i.e., passwords) to what-you-have (i.e., tokens), then to what-you-are (i.e., biometrics) as attacks have increased in sophistication and become widespread [80, 85]. While the deployment of biometric authentication systems increases the usability of authentication systems, the plethora of cyber-attacks demands more user information from biometrics, which introduces additional security and privacy challenges. In this landscape, another challenge stems from the nature of one-time authentication, which verifies users only at the initial login session, regardless of whether it is single- or multi-factor. This is a serious security risk: once an attacker bypasses the initial authentication, the attacker retains access indefinitely, and if the user leaves the system unlocked, intentionally or unintentionally, anyone with physical access to it, such as an insider or a strong outsider adversary [11], will have access to the system without the actual user being notified. Therefore, the user should be continuously monitored and re-authenticated. In the literature, several solutions, such as time-out or token-based (or even RFID-based) solutions, have been proposed to address these issues in authentication systems [55]. Indeed, biometric-based systems are considered ideal and usable for such cases, as biometrics cannot be easily misplaced, unlike tokens, forgotten, unlike passwords, or easily forged by an imposter. The method of verifying and authorizing the user throughout the session is called continuous authentication. A motivational example for …