
Active Authentication: The Panacea of Access Control




Journal of Information System Security
Volume 11, Number 3 (2015)
Pages 185-199
ISSN 1551-0123
Nathan Clark — Centre for Security, Communications & Network Research, Plymouth University, UK
Fudong Li — Centre for Security, Communications & Network Research, Plymouth University, UK
Information Institute Publishing, Washington DC, USA




User authentication is an essential component of securing our electronic devices. It is the gatekeeper that enables subsequent access control and accountability mechanisms to operate successfully. Whilst technology and the way in which people use it have changed enormously, from the days of centralized mainframe computing (available to few) to a highly mobilized, personal and service-orientated approach (utilized by almost all), the way in which people authenticate has barely changed – with the password still the most popular technique implemented. This paper discusses the role of active authentication – a fundamentally different approach to user authentication that moves away from point-of-entry Boolean decisions and provides a real-time measure of identity assurance that can be associated with each and every access control decision. Whilst active authentication can take many forms, this paper proposes the evolution of the technique into a centralized managed service that offers the opportunity to provide highly secure, robust, multi-device and intelligent handling of every authentication decision. Taking a device-independent approach to authentication removes the need for each and every device and service to make its own authentication decision and enables it to be incorporated in a true identity assurance federation system.



