User authentication is an essential component of securing our electronic devices. It is the gatekeeper that enables subsequent access control and accountability mechanisms to operate successfully. Whilst technology and the way in which people use it has changed enormously, from the days of centralized mainframe computing (available to few), to a highly mobilized, personal and service orientated approach (utilized by (almost) all), the way in which people authenticate has barely changed – with the password still the most popular technique implemented. This paper discusses the role of active authentication – a fundamentally different approach to user authentication that moves away from point-of-entry Boolean decisions and provides a real-time measure of identity assurance that can be associated with each and every access control decision. Whilst active authentication can take many forms, this paper proposes the evolution of the technique into a centralized managed service that offers the opportunity to provide highly secure, robust, multi-device and intelligent handling of every authentication decision. Taking a device-independent approach to authentication removes the need for each and every device and service to make its own authentication decision and enables it to be incorporated in a true identity assurance federation system.

Alaswad, A. O., Montaser, A. H and Mohamad, F. E. (2014). Vulnerabilities of Biometric Authentication “Threats and Countermeasures”. International Journal of Information & Computation Technology. (Vol. 4, pp. 947-958). Retrieved from http://www.ripublication.com/irph/ijict_spl/ijictv4n10spl_01.pdf

Apple Inc. (2015). Use Touch ID on iPhone and iPad. Retrieved 02 February 2015 from http://support.apple.com/en-us/HT5883

Barclays (n.d.) (2015). Upgrade to PINsentry. Retrieved 28 January 2015 from http://www.barclays.co.uk/Helpsupport/UpgradetoPINsentry/P1242559314766

Clarke, N.L. and Furnell, S. M. (2005) Authentication of users on mobile telephones—a survey of attitudes and practices. Computers and Security (Vol.24, pp.519–527). Retrieved from http://www.sciencedirect.com/science/article/pii/S0167404805001446

Clarke, N.L. and Furnell, S. M. (2006). Authenticating Mobile Phone Users Using Key-stroke Analysis. International Journal of Information Security (Vol. 6, pp.1-14). Retrieved from http://link.springer.com/article/10.1007%2Fs10207-006-0006-6

Clarke N. L. and Furnell S.M. (2007). Advanced user authentication for mobile devices. Computers & Security (vol. 26, no. 2, pp.109-119). Retrieved from http://www.sciencedirect.com/science/article/pii/S0167404806001428

Clarke, N. L., Karatzouni, S., and Furnell, S. M. (2008). Transparent Facial Recognition for Mobile Devices. Refereed paper from the 7th Security Conference, Las Vegas, USA

Clarke, N. L. and Mekala, A. R. (2007). The application of signature recognition to trans-parent handwriting verification for mobile devices, Information Management & Computer Security (Vol. 15, pp. 214-225).

DARPA (2011). Active Authentication. Retrieved 17 January 2015 from http://www.darpa.mil/OurWork/I2O/Programs/ActiveAuthentication.aspx

FaceLock (2013). FaceLock. Retrieved 28 January 2015 from http://www.facelock.mobi/

HSBC (n.d.) (2015). Secure Key. Retrieved 20 January 2015 from http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-key

ISO (2006a). ISO/IEC 19784-1: 2006 Information technology – Biometric application programming interface – Part 1: BioAPI specification. Retrieved 12 February 2015 from http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?Csnumber=33922

ISO (2006b). ISO/IEC 19785-1: 2006 Information technology – Common Biometric Exchange Formats Framework – Part1: Data element. Retrieved 11 February 2015 from http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=41047

ISO (2011). ISO/IEC 19794-1:2011 Information technology – Biometric data interchange formats – Part 1: Framework. Retrieved 8 February 2015 from http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=50862

Kurkovsky, S. and Syta, E. (2010). Digital natives and mobile phones: A survey of practices and attitudes about privacy and security. Refereed paper from the IEEE International Symposium on Technology and Society (ISTAS) (pp. 441–449). Wollongong, Australia

Lerouge, E., Moreau, Y., Verrelst, H., Vandewalle, J., Stoermann, C., Gosset, P., and Burge, P. (1999). Detection and management of fraud in UMTS networks. Refereed paper from the Third International Conference on The Practical Application of Knowledge Discovery and Data Mining (PADD99) (pp. 127-148). London, UK

Li F., Clarke, N. L., Papadaki, M., and Dowland, P. S. (2013). Active authentication for mo-bile devices utilising behaviour profiling, International Journal of Information Security. Retrieved from 10.1007/s10207-013-0209-6

Ledermuller, T. and Clarke, N. L. (2011). Risk Assessment for Mobile Devices. Refereed paper from Privacy and Security in Digital Business – 8th International Conference (pp. 210-221). Toulouse, France,
Matsumoto, T., Matsumoto, H., Yamada, K., and Hoshino, S. (2002). Impact of Artificial “Gummy” Fingers on Fingerprint Systems. Proceedings of SPIE in Optical Security and Counterfeit Deterrence Techniques IV (pp. 275–289)

Moreau, Y., Verrelst, H., and Vandewalle, J. (1997). Detection of mobile phone fraud using supervised neural networks: A first prototype. Refereed paper from International Conference on Artificial Neural Networks Proceedings (ICANN'97) (pp.1065—1070). Lausanne, Switzerland

Paivio, A., Yuille, J. C., and Madigan, S. A. (1968). Concreteness, imagery, and meaningfulness values for 925 nouns. Journal of Experimental Psychology Monograph Supplement, 76 (1, pt.2).

Saevanee H, Clarke N. L., and Furnell S. M. (2011). SMS Linguistic Profiling Authentication on Mobile Devices. Refereed paper from the 5th International Conference on Network and System Security (NSS 2011) (pp.224-229). Milan, Italy.

Samfat, D. and Molva, R. (1997). IDAMN: an Intrusion Detection Architecture for Mobile Networks. IEEE Journal on Selected Areas in Communications (Vol. 15, pp.1373–1380). Retrieved from: doi:10.1109/49.622919

Shepard R. N. (1967). Recognition memory for words, sentences and pictures. Journal of Verbal Learning and Verbal Behaviour (Vol6, pp.156-163). Retrieved from http://www.sciencedirect.com/science/article/pii/S0022537167800677

Walker, S. (2002). Biometric Selection: Body Parts Online. Retrieved 10 February 2015 from http://www.sans.org/reading-room/whitepapers/authentication/biometric
-selection-body-parts-online-139

Woo, R., Park, A., and Hazen, T. (2006). The MIT Mobile Device Speaker Verification Corpus: Data collection and preliminary experiments. Proceeding of Odyssey, The Speaker & Language Recognition Workshop, San Juan, Puerto Rico.