SS symmetry

Review
Authentication Securing Methods for Mobile Identity: Issues,
Solutions and Challenges
Zuriati Ahmad Zukarnain 1, * , Amgad Muneer 2,3, * and Mohd Khairulanuar Ab Aziz 1

1 Department of Communication Technology and Network, Faculty of Computer Science and Information
Technology, University Putra Malaysia, Seri Kembangan 43400, Malaysia; [email protected]
2 Department of Computer and Information Sciences, Universiti Teknologi PETRONAS,
Seri Iskandar 32160, Malaysia
3 Centre for Research in Data Science (CERDAS), Universiti Teknologi PETRONAS,
Seri Iskandar 32610, Malaysia
* Correspondence: [email protected] (Z.A.Z.); [email protected] (A.M.)

Abstract: Smartphone devices have become an essential part of our daily activities for performing
various essential applications containing very confidential information. For this reason, the security
of the device and the transactions is required to ensure that the transactions are performed legally.
Most regular mobile users’ authentication methods used are passwords and short messages. How-
ever, numerous security vulnerabilities are inherent in various authentication schemes. Fingerprint
identification and face recognition technology sparked a massive wave of adoption a few years back.
The international mobile equipment identity (IMEI) and identity-based public key cryptography
(ID-based PKC) have also become widely used options. More complex methods have been introduced,
such as the management flow that combines transaction key creation, encryption, and decryption
in processing users’ personal information and biometric features. There is also a combination of
multiple user-based authentications, such as user’s trip routes initialization with the coordinates of





 home and office to set template trajectories and stay points for authentication. Therefore, this research
Citation: Zukarnain, Z.A.; Muneer, aimed to identify the issues with the available authentication methods and the best authentication
A.; Ab Aziz, M.K. Authentication solution while overcoming the challenges.
Securing Methods for Mobile
Identity: Issues, Solutions and Keywords: mobile; mobile identity; authentication; mobile authentication; mobile security; authentication
Challenges. Symmetry 2022, 14, 821. method; mobile payment
https://doi.org/10.3390/sym14040821

Academic Editor: Alexander

Shelupanov
1. Introduction
Received: 13 March 2022
Accepted: 6 April 2022
An identity card (IC) is used for compulsory registration and identification for each
Published: 14 April 2022
citizen to be identified in such a way that they can claim citizenship. Without identification,
one cannot carry out citizenship-related tasks or enjoy citizenship advantages [1]. In recent
Publisher’s Note: MDPI stays neutral
years, many organizations have introduced online transactions on a mobile platform. Smart
with regard to jurisdictional claims in
parking meters, smart traffic management, smart public transit, healthcare, precision agri-
published maps and institutional affil-
culture, building management, public monitoring, and smart petrol stations are some of the
iations.
mobile phone applications that have improved business efficiency and user satisfaction [2].
In addition to the COVID pandemic, the global online commerce volume has expanded
dramatically [3]. This is where the mobile identity is required; to authenticate and log in,
Copyright: © 2022 by the authors.
users need reliable digital identities [4].
Licensee MDPI, Basel, Switzerland. Mobile identity is often tied to the subscriber identity module (SIM) card, where it
This article is an open access article can represent the owner and be used for authenticating the SIM card, thus representing,
distributed under the terms and and authenticating the owner virtually. Simply put, mobile identity utilizes a user’s
conditions of the Creative Commons identity attributes tied to a mobile device for identity verification, authentication, and
Attribution (CC BY) license (https:// authorization [5]. However, mobile threats are continuously being updated with new
creativecommons.org/licenses/by/ features, shifted into new distribution channels and supported by investments in the
4.0/). development of detection avoidance techniques [6]. We believe that it is crucial to perform

Symmetry 2022, 14, 821. https://doi.org/10.3390/sym14040821 https://www.mdpi.com/journal/symmetry

Symmetry 2022, 14, 821 2 of 17

a study on finding the best method of guarding the confidentiality of transactions, integrity
of the information, and the availability of the services for mobile identity.
Additionally, because information security solutions impose more safety standards
on identity authentication, professionals consider increased security during the design
process of identity authentication, oblivious to the operation’s simplicity [7]. With the fast
growth of network edge devices, current cloud computing frameworks find it increasingly
challenging to meet network bandwidth and real-time needs as they transmit large amounts
of data to cloud data centers [8]. While the technological prerequisites for secure mobile
payment have been satisfied, there are no standards or standardized regulations that exist.
User authentication flow management is still in its infancy in mobile payment [9]. These
are among the challenges we need to look at for establishing a trusted and solid mobile
identity. This is a more critical issue than addressing accessibility alone, and security is a
primary concern. The SIM card, which is encrypted and integrated into each mobile device,
is undoubtedly the most secure method of storing identifying information [10].
Based on our survey of telecommunication companies, mobile authentication involves
many parties that can be grouped into three entities: the operator, the aggregator, and the
merchant. The operator is the mobile network service provider, the aggregator is the entity
that connects between operators and merchants, and the merchant is the mobile application
provider. All parties have their own secure authentication method. Making it more complex
will enhance security but will delay the transaction speed. Moreover, if authentication is
breached within one of the parties, it is hard to trace the source due to the involvement of
different organizations. Additionally, synchronizing the mobile authentication method into
one single platform will ease authentication security and threat management. Thus, the
contributions of this study are threefold, summarized as follows.
• First, we have conducted a comprehensive review of the existing common mobile
identity authentication issues based on recent research papers.
• Second, this study highlights the vulnerabilities of 4G and 5G authentication and the
necessity for it to evolve consistently.
• Based on the extensive literature review conducted, we have proposed a solution on
having a fourth entity as an authentication provider, known as mobile identity, that we
think is the best approach to balance the requirement of security and the convenience
of transactions.
The next section will discuss the common mobile authentication types found in the
referred research papers and identify the issues. In Section 3, we will evaluate the proposed
solution in terms of flows and functions and how it works. Some of the challenges will be
addressed in Section 4, before we summarize this study in Section 5.

2. Mobile Authentication Method and Issues

Many research studies have produced solutions to address mobile online authenti-
cation issues, such as a mobile authentication system based on the Blowfish encryption
algorithm [7], handover authentication protocols using ID-based PKC [8], a trajectory-
based identity authentication method [9], the integration of cryptographic methods for
anonymous biometric authentication [11], authentication using a public behavior dataset
(i.e., keystrokes on touch screens) with different feature selections to improve the authenti-
cation accuracy [12], and using cipher policy attribute-based encryption bonded with the
geographical location [13]. However, few have narrowed the issues down to the mobile
identity authentication service, for example, the national electronic identities (eID) [4] and
decentralized and self-sovereign identity (SSI) solutions [14]. This section will address the
issues of standard authentication commonly used for mobile transactions.

2.1. Static Password Authentication

The static password is the earliest and most widely used means of authentication [2].
The system sets up two tuples of information for each legitimate user during registration:
a commonly named username and password. User information provided during the
 2.1. Static Password Authentication
The static password is the earliest and most widely used means of authentication [2].
2.1.The
Static Password
system Authentication
sets up two tuples of information for each legitimate user during registration:
The static password
a commonly is the earliest
named username and most widely
and password. used meansprovided
User information of authentication
during the[2].reg-
Theistration
system will
sets up two to
be tied tuples of information
the username. Eachfor each
login legitimate
will user
require the during
user registration: by
to self-introduce
Symmetry 2022, 14, 821 3 of 17
a commonly
entering thenamed username
username and password.itUser
and authenticating information
using providedFigure
a secret password. during1 the reg-
represents
istration will
the idea ofbe tiedregistration
how to the username. Each login will require the user to self-introduce by
is performed.
entering the username and authenticating it using a secret password. Figure 1 represents
theregistration
idea of howwill be tied to is
registration the username. Each login will require the user to self-introduce
performed.
by entering the username and authenticating it using a secret password. Figure 1 represents
the idea of how registration is performed.

Figure 1. Static password authentication.

Figure 1. Static password authentication.
Figure 1.This
Statictype
password authentication.purely depends on the user to memorize. Commonly,
of authentication
usersThis
willtype
selectofaauthentication
word that theypurely depends
can easily remember,on thepotentially
user to memorize.
exposed toCommonly,
attack. Cy-
users will select
This type ofhave
bercriminals a word that
authentication
created many they
purely can easily
tools depends remember,
that can helpon the in user potentially
to memorize.
guessing exposed
passwords. Onto theattack.
Commonly, other
Cybercriminals
users will select a have
word created
that many
they can tools
easilythat can
remember, help in guessing
potentially passwords.
exposed
hand, a complex password may be forgotten, and the user will have to reset that. This will to On the
attack. other
Cy-
hand, a complex
bercriminals
take away have password
created
the convenience manymay beauthentication.
of tools
the forgotten,
that can helpand the user will passwords.
in guessing have to resetOn that.
theThis
otherwill
take away
hand, a Static
complexthe convenience
password
passwords aremay of
easythe authentication.
betoforgotten, andor
forget, lose, theleak
user willThey
[11]. haveare
to reset that.
simple to This
crackwill
using
take Static
away
tactics thepasswords
such convenience
as guessing,areofeasy
the to forget, lose, or
authentication.
dictionary attacks, leakforce
brute [11]. cracking,
They are simple to crack
theft, replay using
assaults,
tactics
Staticsuch as guessing, dictionary attacks, brute forceThey
Trojan passwords
horse attacks,are easy
and to forget,
other methods lose,
[7].orThey
leak are alsocracking,
[11]. tooare theft,toreplay
simple
risky crack assaults,
using
to use independently,
Trojan
tactics horse
such as attacks,
guessing, and other
dictionary methods
attacks, [7]. They
brute are
force also too
cracking,risky to
theft, use independently,
replay assaults,
especially for the purpose of mobile identity authentication.
especially
Trojan horse for the purpose
attacks, and otherof mobile
methods identity
[7]. They authentication.
are also too risky to use independently,
especially for thePassword
2.2. Dynamic
Dynamic purposeAuthentication
of mobile identity authentication.
2.2. Password Authentication
TheSMS
The SMSverification
verificationcode codeisisoneoneofofthethemost
mostcommons
commonsdynamic
dynamic password
password authenti-
authentica-
2.2.cations.
Dynamic Password Authentication
tions. Like the static password, the system will require identification information fromfrom
Like the static password, the system will require identification information the
The
the SMS
user, verification
paired code is onegenerated
of the most commons dynamic password authenti-
user, paired withwith the server’s
the server’s generated PIN PIN or token
or token for access
for access authentication
authentication [7]. [7].
cations. Additionally,
Like the staticuserspassword,
needto tothe systemthemselves
register will require identification
and information
provideaausername
username andfrommobile
Additionally, users need register themselves and provide and mobile
thephone
user, paired with
number as the server’s
as aaprimary
primarykey generated
keytiedtiedto PIN
totheir or token
theirinformation,for
information,as access
asshownauthentication
shownin inFigure [7].
Figure2.2.During
During
phone number
Additionally,
the login, the users
user willneed
need to
to register
enter thethemselves
username, and
and provide
once theaserver
username and mobile
validates that their
the login, the user will need to enter the username, and once the server validates that their
phone number
profile exists,asana primary
SMS of key
the tied to
generated their information,
password will as
be shown
sent to
profile exists, an SMS of the generated password will be sent to the correlated mobile num-in
theFigure 2.
correlatedDuring
mobile
theber.
login,
Thethe
number. user
The
mobile will
mobile
phoneneed
phone
userto will
enter
userthenthe username,
will thenthe
use use and
the once
generated
generated the password
passwordserverforvalidates that their
for authenticating
authenticating their
profile
their exists,
access. an
SMSSMS of the generated
authentication codes password
are sent will
in be
plain sent
text. to
Thisthe
access. SMS authentication codes are sent in plain text. This presents some vulnerability correlated
presents some mobile
vulnera-
number.
bility
that The
is that mobile
is phoneexposed
constantly
constantly exposed user willtothen
to high-risk use the
high-risk
threats. generated password for authenticating
threats.
their access. SMS authentication codes are sent in plain text. This presents some vulnera-
bility that is constantly exposed to high-risk threats.

Figure2.2. Dynamic
Figure Dynamicpassword
passwordauthentication.
authentication.

2.3. 2.
Figure Biometric
DynamicAuthentication
password authentication.
Each individual has unique biological traits, and because biometrics cannot be easily
falsified over an extended period of time, they can be utilized as a trustworthy method
of identity authentication [15]. The emergence of biometric modalities also sparked a
realization that this issue warrants further exploration and discussion. However, there is
no clear baseline concerning the criteria and specifications required for security testing,
specifically for biometric products, systems, etc. that the national government uses in
Symmetry 2022, 14, 821 4 of 17

adopting biometric technologies [14]. Therefore, some biometric authentication technolo-

gies have been accompanied by an optimization algorithm. Authors in [16] proposed a
multimodal system based on an evolutionary algorithm for the security of the biometric
system. However, some of the recent optimization algorithms can be adopted to overcome
the challenge of the evolutionary algorithm used for the security of the biometric system,
such as the algorithms suggested by [17] and [18].
Each legitimate user will capture their biometric information for this type of authenti-
cation. This is easier nowadays, because most smartphones are equipped with a built-in
camera to capture face or iris, a voice recorder to capture voice, and a fingerprint reader to
capture thumbprints. The biometric information will be preprocessed and bound with user
information during registration. Each login will require the user to present their biometrics
for authentication.
The risks of using biometrics are quite huge. Once breached, they are not available
for recovery. The data are not renewable and hence, cannot be used once stolen. Some
disadvantages of using biometric authentication are the high computational cost, required
accuracy and usability during the unlocked state, plus hardware sensor devices that
are not practical for frequent logins/authentications [12]. Another issue with biometric
authentication is that it might slightly change over time. Table 1 lists the impact of having
biometric changes [14].

Table 1. Impact of change on biometrics [14].

Culture
Usability Performance
Condition Impact
FINGERPRINT RECOGNITION
Sweating/Dry skin Low High
Most comfortable and fastest
Change of fingerprint structure High Low
FACIAL RECOGNITION
Wearing Hijab Medium Medium
Unpredictability of facial
Make up Medium Medium
appearance (e.g.,: facial expressions)
Wearing glasses Low High
IRIS/EYE RECOGNITION
Cause of discomfort (e.g.,: Wearing contact lenses Low High
proximity close to camera) Eye blinks Medium Medium
Impact
Low—affecting or altering the environment as little as possible
Medium—affecting or changing the environment as much as possible
High—unalterable

2.4. Trip Trajectory Authentication

Different mobile phone users will have different personal trip trajectories and stay
points. This type of authentication determines the validity of the present mobile device
user based on his trajectory data [9]. The travel trajectory’s system architecture is depicted
in Figure 3, which includes the registration and authentication phases.
In the registration phase, a user registers his information, comprising his home and
workplace coordinates and trip routes, in the template library, which is dynamically ex-
panded to accommodate the user’s trip regularities. While in the authentication phase,
the data gathering module collects the user’s daily travel trajectories using GPS-enabled
mobile devices, calculating the similarity between the sample and template trajectories in
order to determine likely stay point coordinates. The results of this calculation will be used
to judge whether the user is valid or not.
 Symmetry 2022, 14, x FOR PEER REVIEW 5 of 18
Symmetry 2022, 14, 821 5 of 17

Figure3.3.Architecture
Figure Architectureof
ofsystem
systemfor
fortrip
triptrajectory
trajectoryauthentication.
authentication.

Additionally, usingphase,
In the registration this type of authentication
a user makes it hard
registers his information, to validate
comprising hisusers
homewho
and
love to travel a lot. The frequent changes in user coordination and stay points will
workplace coordinates and trip routes, in the template library, which is dynamically makeex-
it
hard to authenticate.
panded to accommodate the user’s trip regularities. While in the authentication phase, the
data gathering module collects the user’s daily travel trajectories using GPS-enabled mo-
2.5. Cryptography Authentication
bile devices, calculating the similarity between the sample and template trajectories in
orderCryptography
to determinecan be utilized
likely to secure
stay point data during
coordinates. The transmission,
results of thisstorage, and compu-
calculation will be
tation. Cryptography is a technique that
used to judge whether the user is valid or not. utilizes a key and algorithm to convert plain text
(readable text) to ciphertext
Additionally, using this(unreadable text) [13]. There
type of authentication makes areit two
hardtypes of cryptography
to validate users who
used: symmetric and asymmetric. The same key is utilized in symmetric
love to travel a lot. The frequent changes in user coordination and stay points key cryptography
will make
to encrypt and decrypt.
it hard to authenticate. It consists of five elements: plaintext, encryption algorithm, secret
key, ciphertext, decryption algorithm. However, the asymmetric key cryptography uses
different keys for Authentication
2.5. Cryptography encryption and decryption, referred as a public and private keys and
known as public key infrastructure (PKI).
Cryptography can be utilized to secure data during transmission, storage, and com-
putation. Cryptography
2.5.1. ID-Based PKC (Public is aKey
technique that utilizes a key and algorithm to convert plain
Cryptography)
text (readable text) to ciphertext (unreadable text) [13]. There are two types of cryptog-
Traditional public-key cryptography (TPKC) was introduced based on PKI. Several
raphy used:
protocols usingsymmetric
the TPKC and asymmetric.
have The same
been proposed, wherekeyeach
is utilized in symmetric
user will key cryp-
have a certificate to
tography
bind to encrypt
their identity andand decrypt.
public It consists
key. Those of fiveare
certificates elements:
produced plaintext, encryption
by a trusted algo-
third party
rithm,the
called secret key, ciphertext,
certificate authority decryption algorithm.
(CA) [8]. However, the However,
system hasthe an asymmetric
overhead to key cryp-
be borne
tography uses different keys
when the number of users increases. for encryption and decryption, referred as a public and pri-
vateTokeys and known as public key infrastructure (PKI).
overcome the weaknesses in these TPKC protocols, identity-based public-key
cryptography (ID-based PKC) has been proposed in the last several years. The participant’s
2.5.1. ID-Based
identity itself is PKC
taken(Public Key Cryptography)
as the public key so that no certificate is needed to bind its identity
and public key [8]. Figure 4 shows the flow(TPKC)
Traditional public-key cryptography was PKC
of ID-based introduced based on PKI. Several
authentication.
protocols using the TPKC have been proposed, where each user will have a certificate to
bind their identity and public key. Those certificates are produced by a trusted third party
called the certificate authority (CA) [8]. However, the system has an overhead to be borne
when the number of users increases.
To overcome the weaknesses in these TPKC protocols, identity-based public-key
cryptography (ID-based PKC) has been proposed in the last several years. The
 participant’s identity itself is taken as the public key so that no certificate is needed to bin
Symmetry 2022, 14, 821 its identity and public key [8]. Figure 4 shows the flow of ID-based PKC authentication.
6 of 17

Figure 4. ID-based PKC authentication.

Figure 4. ID-based PKC authentication.
2.5.2. Geo-Encryption
2.5.2. Geo-Encryption
Geo-encryption is an encryption method that uses the user’s geographical location
as Geo-encryption
the user’s identityisitself. It enables data
an encryption method encryption for the
that uses a specific
user’splace that may be
geographical location a
identified spatially and temporally. Without the position information received using an
the user’s identity itself. It enables data encryption for a specific place that may be ident
anti-spoof GPS device, it is impossible to decode the data with the particular availability
fied spatially and temporally. Without the position information received using an ant
spoofing module (SAASM). The GPS signal includes encrypted binary Y codes. SAASM
spoof GPS device,
receivers can trackitYiscodes
impossible to decode
only when the data
loaded with with the
the correct particular
decryption keyavailability
[13]. This spoo
ingtype
module (SAASM).
of encryption The when
is useful GPS signal
there is includes encrypted
a requirement binary
for disabling Y codes.outside
decryption SAASM a receiv
specified geo-location.
ers can track Y codes only when loaded with the correct decryption key [13]. This type o
encryption is useful when there is a requirement for disabling decryption outside a spe
2.6. Multi-Factor Authentication (MFA)
ified geo-location.
Instead of using a single authentication method, multi-factor authentication combines
another layer of authentication. For example, using a static password with a dynamic
2.6.password
Multi-Factor
is tied.Authentication (MFA)to enter the password, send entering the password,
Users will be required
and send the
Instead of request
using ato single
an authentication
authenticationserver.method,
Once the password is authentication
multi-factor verified, the com
authentication server will send a random generated PIN/password
bines another layer of authentication. For example, using a static password to the user’s registered
with a dy
mobile number through SMS or to the user’s registered email address. The user then needs
namic password is tied. Users will be required to enter the password, send entering th
to enter the generated password to complete the authentication. However, users will need
password, and send
to authenticate the request
themselves tomore
twice or an authentication
using this MFAserver.
methodOnce
[11]. the password is verified
the authentication server will send a random generated PIN/password
For improvement, other combination methods are proposed for MFA, which to the user’s regi
reduce
tered
the mobile number
authentication through
attempt SMS
by the or For
user. to the user’susing
example, registered email address.
bio-encryption combines The
theuser the
benefits of traditional cryptography with the security provided by biometrics
needs to enter the generated password to complete the authentication. However, user [8]. Although
this
will method
need is much more secure
to authenticate than thetwice
themselves static–dynamic
or more password
using thiscombination,
MFA method it requires
[11].
higher-end devices. Table 2 shows some of the mobile authentication method and issues.
For improvement, other combination methods are proposed for MFA, which reduc
the authentication attempt by the user. For example, using bio-encryption combines th
benefits of traditional cryptography with the security provided by biometrics [8]. Al
hough this method is much more secure than the static–dynamic password combination
it requires higher-end devices. Table 2 shows some of the mobile authentication metho
and issues.
Symmetry 2022, 14, 821 7 of 17

Table 2. Authentication comparison.

Authentication Method Issues Risk Level Study

— Depends on user to memorize, is
easy to forget, lose, or leak.
User enters the username and — Exposed to guessing, dictionary
Static password authenticates using a attack, brute force cracking, High [2,7,11]
secret password. stealing, replay attacks, Trojan
horse attacks and others.

Register username and mobile

phone number as a primary key. — Code is sent in plain text.
Dynamic password The user’s identification — Vulnerability is constantly High [7]
information is paired with the exposed to high-risk threats.
server’s generated PIN or token.
— Once breached, it is not available
for recovery. The data are not
renewable.
User captures their biometric — Requires high computational
information, then preprocess and cost, accuracy, and usability
during the unlocked state, plus [12,14,
Biometric bind it with user information. Low
hardware sensor devices that are 15]
Each login will require the user to
present their biometric data. not practical for frequent
logins/authentications.
— Biometrics slightly change
over time.

User registers coordinates of home

and office and the trip routes as — Frequent changes in user
the initial template, dynamically coordinates and stay points for
extended trip regularities. Data users that travel a lot.
Trajectory acquisition uses mobile GPS to — Authentication failed due to Medium [9]
collect the daily trip trajectories, frequent change of trajectory
calculate the similarity between location for user that
the sample and the frequently travels.
template trajectories.
Plain text (readable text) is — The system has an overhead to
converted to ciphertext be borne when the number of
Public Key (unreadable text) with the help of users increases. Low [8]
Cryptography the key and algorithm. The user — Cost increases and increasingly
will have a certificate to bind their complex maintenance.
identity and public key.
— The system has an overhead to
The participant’s identity is taken be borne when the number of
ID-Based Public Key users increases.
as the public key to bind its Low [8]
Cryptography — Cost increases and increasingly
identity and public key.
complex maintenance.

User’s geographical location as the

identity of the user. Data to be
Only applicable when there is a
encrypted for a specific location
Geo-Encryption requirement for disabling decryption Low [13]
obtained using an anti-spoof GPS
outside specified geo-location.
receiver that can be identified in
terms of space and time.
Combines authentication method Users will need to authenticate
Multi-factor used with another layer themselves twice or more using Low [11]
of authentication. this method.

2.7. Securing Authentication for Mobile Networks

Authentication and key management are critical components of cellular network
security because they establish mutual authentication between users and the network
Symmetry 2022, 14, 821 8 of 17

and generate cryptographic keys for the protection of both signaling and user plane data.
Each generation of cellular networks has specified at least one type of authentication [19].
For instance, the fourth-generation mobile network (4G) specified 4G EPS-AKA, but the
fifth-generation mobile network (5G) specifies three authentication methods: 5G-AKA,
EAP-AKA [20], and EAP-TLS (transport layer security) [20].
Because 5G defines additional authentication techniques, wireless practitioners fre-
quently inquire about the rationale for 5G’s adoption of these new authentication methods
and how they differ from 4G authentication [21]. The purpose of this section is to address
those problems by performing a comparative analysis of 4G and 5G mobile authentication
methods [22]. The analysis demonstrates that 5G authentication outperforms 4G authenti-
cation in several ways [23], including the use of a unified authentication framework that
can support a more significant number of user cases, enhanced user equipment identity
protection, enhanced home-network control, and increased key separation during key
derivation. Additionally, this section highlights the vulnerabilities of 5G authentication and
the necessity for it to evolve regularly. Prior generations’ security and privacy challenges,
notably in radio access networks (RANs), have been thoroughly explored. The following
are only a few of the numerous concerns uncovered.
1. Due to the absence of network authentication in 2G, attacks such as network spoofing
by faked base stations are possible. For example, a faked base station can advertise a
different tracking area code with a stronger signal strength to entice user equipment
(UE) away from its legitimate cellular network and register with the faked base
station [24].
2. Inadequate secrecy in certain signaling messages, resulting in a violation of privacy.
For example, unencrypted paging information can be employed to detect the presence
of a specific user and even trace the person to a precise location [25].
To address these concerns, the 3rd Generation Partnership Project (3GPP) provides
an Authentication and Key Agreement (AKA) protocol and associated procedures that
support entity authentication, message integrity, and message secrecy, among other security
aspects [26]. The 3GPP AKA protocol is a challenge-and-response authentication scheme
based on the sharing of a symmetric key between a subscriber and a home network.
Following mutual authentication between a subscriber and a home network, cryptographic
keying materials are generated to safeguard further communication between the subscriber
and a serving network, which includes both signaling messages and user plane data (e.g.,
over radio channels) [26].
Additionally, because the 5G network is IP-based, it will be vulnerable to all IP-specific
vulnerabilities. Based on these findings, ensuring a high level of security and privacy will
be one of the most crucial parts of deploying 5G networks successfully. Table 3 is presented
a comparative analysis of security and privacy of 3G, 4G and 5G cellular networks.

Table 3. Comparative analysis of security and privacy of 3G, 4G and 5G cellular networks.

Privacy-
Study 3G 4G 5G Authentication Remark
Preserving

√ √ √ √ Investigated authentication and

[21] 0 privacy-protection methods for 4G and 5G
wireless mobile networks.
√ Outlined the 3GPP standard’s security
[26] X X X 0
structures and mechanisms.
√ Outlined the security and privacy issues that 5G
[27] X X X X
networks face.

√ Long term evolution (LTE) jamming and

[28] X X X X spoofing mitigation strategies were
investigated.
√
[29]0 X X X Proposed the cryptographic algorithms for LTE.
√
Remarks: : indicates fully supported; X: indicates not supported; 0: indicates partially supported.
 Long term evolution (LTE) jamming
[28] X √ X X X and spoofing mitigation strategies
were investigated.
Proposed the cryptographic algorithms
[29] 0 √ X X X
for LTE.
Symmetry 2022, 14, 821 9 of 17
Remarks: √: indicates fully supported; X: indicates not supported; 0: indicates partially supported.

2.7.1. Schemes for Authentication in 4G and 5G Cellular Networks

2.7.1.
We Schemes for Authentication
will compare in and
authentication 4G and 5G Cellular Networks
privacy-preserving strategies for 4G and 5G cel-
We will compare
lular networks in terms ofauthentication
authenticationand
andprivacy-preserving strategies
privacy models in this section.for 4G and
Figure 5G
5 pre-
cellular
sents the networks in terms
classification of 4G of
andauthentication and privacy
5G cellular network models inand
authentication thisprivacy-preserv-
section. Figure 5
presents
ing the classification of 4G and 5G cellular network authentication and privacy-
schemes.
preserving schemes.

Figure5.
Figure Classification ofof4G4G
5. Classification and 5G cellular
and network
5G cellular authentication
network and privacy-preserving
authentication schemes.
and privacy-preserving
schemes.
1. Three-factor authentication with privacy
1. Three-factor
Three-factorauthentication
authenticationwith withprivacy
privacy falls into three categories: protocols based
on smart cards, passwords,
Three-factor authentication andwith
biometrics.
privacy To address
falls the following
into three categories:research
protocols question
based
ofsmart
on whether wepasswords,
cards, can combine andthe three factors,
biometrics. according
To address the to [30], smart
following cardsquestion
research show whatof
you have, passwords show what you know, and biometrics show who you
whether we can combine the three factors, according to [30], smart cards show what you are. To achieve
goodpasswords
have, biometric show
privacy,
whattheyou
authors
know, proposed a three-factor
and biometrics show who authentication
you are. Toapproach.
achieve
The server
good accepts
biometric onlythe
privacy, if each factor
authors (password,
proposed smart card,
a three-factor and biometric
authentication data) passes
approach. The
authentication.
server accepts onlyCompared to the (password,
if each factor three-factorsmart
authentication
card, andtechniques suggested
biometric data) inau-
passes [30]
and [31], the Compared
thentication. protocol presented in [30] uses authentication
to the three-factor less computation. Accordingsuggested
techniques to authorsinin[30]
[32],
biometric
and systems
[31], the fallpresented
protocol into threein categories:
[30] uses traditional [33], wearable
less computation. (e.g.,tosmartphone),
According authors in
and hybrid [34]. Regarding wearable biometrics and implantable medical devices, we refer
the reader to both recent surveys [33].
2. Authentication and key agreement with privacy
The AKA protocol is a symmetric cryptography-based challenge–response system.
With RFC 3310, the Universal Mobile Telecommunications System (UMTS) has imple-
mented the 3GPP’s AKA protocol, also known as the 3G standard [35]. Authors in [36],
therefore, suggested an enhanced authentication and key agreement methodology based on
public key cryptography. The protocol is vulnerable to a variety of attacks, including replay,
man-in-the-middle, and denial-of-service (DoS) attacks [37]. The following question is: Is it
truly required for the AKA protocol to conceal communication content from an external
adversary? Authors in [38] developed a hybrid method based on LTE-AKA modifications
that employs both symmetric and asymmetric key encryption to identify and avoid both
insider and outsider threats.
3. Handover authentication with privacy
Existing handover authentication systems for LTE wireless networks can be cate-
gorized into three types depending on their cryptographic primitives: (1) symmetrical
key-based schemes, (2) public key-based schemes, and (3) hybrid techniques. There are two
 Symmetry 2022, 14, 821 10 of 17

kinds of base stations in LTE wireless networks: home eNodeB (HeNB) and eNodeB. (eNB).
According to [39], the 3GPP project’s proposed changeover mechanism from an eNB/HeNB
to a new eNB/HeNB cannot provide backward security. The authors specifically presented
a handover authentication technique for LTE network mobility scenarios. The technique
in [39] is based on the concept of proxy signature and provides various security features,
including perfect forward and backward secrecy. Additionally, the approach [39] is more ef-
ficient in terms of computational cost and communication overhead than [40] the handover
scheme, although identity privacy is not considered.
4. Mutual authentication with privacy
To establish mutual authentication while maintaining privacy, suggested security
systems for 4G/5G networks must maintain location privacy, identity privacy, data in-
tegrity, and authenticity, as illustrated in Figure 6. Authors in [41], on the other hand,
introduced the IDM3G protocol for ensuring mutual authentication and identity privacy
in 3G. The IDM3G protocol is divided into two phases: (1) authentication of the UMTS
Subscriber Identity Module (USIM) by the provision of a personal identification number,
and (2) mutual authentication between the USIM and the mobile operator. The IDM3G pro-
tocol is more efficient than both protocols in terms of the quantity of messages exchanged
along the path [42], but location privacy is not addressed. In a similar vein to the IDM3G
protocol, authors in [43] introduced the BIO3G protocol for safe and privacy-preserving
biometric authentication in 3G mobile contexts. In comparison to the IDM3G protocol, the
Symmetry 2022, 14, x FOR PEER REVIEW 11 of 18
BIO3G protocol cannot withstand DoS attacks and does not consider location or identity
privacy [41].

Figure 6. Mutual
Figure authentication
6. Mutual with
authentication privacy
with techniques
privacy classified.
techniques classified.

5. 5. Deniable
Deniable authentication
authentication with
with privacy
privacy
Deniable
Deniable authentication
authentication differs from
differs fromstandard
standardauthentication
authentication in in
that a third
that party
a third party
cannot
cannotbe be
persuaded
persuadedby the receiver
by the [44].[44].
receiver Authors in [45]
Authors insuggested a non-interactive
[45] suggested au-
a non-interactive
thentication methodology
authentication methodologyto accomplish
to accomplishdeniable authentication.
deniable The protocol
authentication. in [45]
The protocol in is
[45]
is based
based on theon shared
the shared session
session secret
secret andand the the ElGamal
ElGamal signature
signature scheme,
scheme, andand it not
it not only
only
considers
considers thethe security
security issues
issues proposed
proposed by by [46],
[46], suchsuch as forgery,
as forgery, impersonation,
impersonation, deniability,
deniability,
and completeness, but it can also maintain security when the session
and completeness, but it can also maintain security when the session secret has alreadysecret has already been
compromised. As a result, in cellular networks, the employment of
been compromised. As a result, in cellular networks, the employment of message authen- message authentication
codescodes
tication (MACs) between
(MACs) two parties
between can provide
two parties deniable
can provide authentication.
deniable Authors
authentication. in [47]
Authors
defined
in [47] an experimental
defined an experimentalprotocol for the
protocol forInternet community
the Internet communitynamed EAP-PSK
named EAP-PSK underun-
RFC
der4764,
RFCwhich
4764, provides less scalability
which provides and security.
less scalability RFC 3748
and security. [48]3748
RFC and [48]
RFCand2284RFCspecify
2284the
Extensible
specify Authentication
the Extensible Protocol (EAP),
Authentication Protocol which is widely
(EAP), whichused in wireless
is widely used networks.
in wireless
networks.

2.7.2. Authentication and Privacy-Preserving Techniques Employ Countermeasures

Some important countermeasures employed by the authentication and privacy-pre-
serving techniques for 4G and 5G cellular networks are described in this subsection. These
defenses fall into three categories: cryptographic techniques, human factors, and intrusion
detection techniques.
Symmetry 2022, 14, 821 11 of 17

2.7.2. Authentication and Privacy-Preserving Techniques Employ Countermeasures

Some important countermeasures employed by the authentication and privacy-preserving
techniques for 4G and 5G cellular networks are described in this subsection. These de-
fenses fall into three categories: cryptographic techniques, human factors, and intrusion
detection techniques.
First, a physical unclonable function (PUF) is a gadget that takes advantage of intrinsic
randomness produced during production to provide a unique ‘fingerprint’ or trust anchor
for a physical entity [49]. These devices have a number of potential uses, ranging from
anti-counterfeiting, identity, authentication, and key generation to advanced protocols such
as oblivious transfer, key exchange, key renovation, and virtual proof of reality. Another
possibility is to use PUFs, which are clone-proof, cost-effective, and resistant to a variety
of physical attacks. A PUF takes advantage of the inherent random variations created by
manufacturing processes to generate secret keys on the fly [49].
Second, physical-layer authentication (PLA), which is based on the dynamic nature
of physical layer properties, is gaining traction as a viable method for increasing wire-
less security [50]. PLA has recently attracted considerable academic interest due to its
information-theory security and simplicity. However, numerous academics have concen-
trated on PLA and its potential for increasing wireless security [51].

3. Results
Although many studies exist, the research gaps in multi-factor authentication remain
open for different combinations. To fill this literature gap, we will further discuss the
proposed combination of MFA authentication methods for mobile identity. Depending on
the user’s mobile phone capability, there are two proposed combination options: mobile
phone SIM number with biometric fingerprint or SIM number with geo-location informa-
tion. Both fingerprint and geo-location will be used as the encryption key to secure the
transaction data.
In this study, we propose the use of biometric authentication, specifically fingerprint
authentication, due to its unique criteria, which between each person. However, not every
device can capture biometrics due to its own limitations. Considering the multitype of
mobile devices with a probability of not having a biometric recognition module, we take
into count the geo-location identification, as we know that every mobile device will have
its own built-in GPS module.
The strong side of geo-location authentication is that most impersonation attempts
are made outside the user’s area, and some are even made outside the user’s country. At
present, limiting the geo-location transaction source is performed on the IP level. However,
there are some scenarios where the restriction brings trouble to the legitimate user. For
example, some countries have used geo-location to restrict the use of the internet due
to internal reasons such as riots. During this time, the internet connection for the whole
country was shut down. This led to some civilians trying to reach the internet using a VPN
service provider, and their IPs changed to external IPs, which ended up being blocked
by the system. Due to this, GPS geo-location sounds a bit promising to counter the issue.
Now, back to the proposed authentication. Referring to Figure 7, the authentication system
design should require a SIM number representing the user’s identity, International Mobile
Equipment Identity (IMEI), first and second fingerprints and initial geo-location during
registration, and the user’s information to create an account. Considering the biometric
impacts shown in Table 1, a second fingerprint is needed as a backup authentication key
upon authentication failure.
 the system. Due to this, GPS geo-location sounds a bit promising to counter the issue.
Now, back to the proposed authentication. Referring to Figure 7, the authentication sys-
tem design should require a SIM number representing the user’s identity, International
Mobile Equipment Identity (IMEI), first and second fingerprints and initial geo-location
during registration, and the user’s information to create an account. Considering the bio-
Symmetry 2022, 14, 821 12 of 17
metric impacts shown in Table 1, a second fingerprint is needed as a backup authentica-
tion key upon authentication failure.

Figure 7.
Figure 7. Mobile
Mobile identity
identity registration.
registration.

Once
Once ananaccount
accountisiscreated, thethe
created, user cancan
user perform
perform the the
transaction
transactionon any
on platforms
any platformsthat
are
thatconnected to thetoauthentication
are connected serverserver
the authentication (AS). (AS).
Whenever the user
Whenever theinitiates a transaction
user initiates a trans-
that requires
action authentication,
that requires the system
authentication, will first
the system willidentify if the ifuser’s
first identify mobile
the user’s device
mobile can
device
capture the fingerprint or not. If the fingerprint capture module is present
can capture the fingerprint or not. If the fingerprint capture module is present on the on the phone,
then
phone,thethen
SIM the
number and fingerprint
SIM number will be used
and fingerprint forused
will be authentication. However,
for authentication. if not, theif
However,
Symmetry 2022, 14, x FOR PEER REVIEW 13 of 18
combination
not, the combination of SIM number and geo-location will be used instead. Figure the
of SIM number and geo-location will be used instead. Figure 8 shows flow
8 shows
for the authentication.
the flow for the authentication.
The user will need to provide the fingerprint upon authentication for a device that
supports fingerprints. The fingerprint will be sent with the SIM number to the AS for ver-
ification. Once authorized, the AS will issue an encrypted token used to validate the trans-
action. The online application server will use the token and cross-check with AS for veri-
fication. However, if the fingerprint authentication fails, the user may use the second fin-
gerprint to replace the failed one.

Figure8.
Figure 8. Biometric-geo
Biometric-geo mobile
mobile identity
identityauthentication.
authentication.

The user will

On mobile need to
devices provide
that do notthe fingerprint
support uponrecognition,
biometric authentication for a will
the user device that
need to
supports fingerprints.
validate their The fingerprint
geo-location. will be
Once validated, thesent
SIMwith the SIM
number, number
device IMEIto andthethe
ASvali-
for
verification.
dated location Once
willauthorized,
be sent to AS thefor
ASverification.
will issue anASencrypted token used
will cross-check to provided
if the validate the
in-
transaction.
formation ofThe online
mobile application
number serverare
and IMEI will use the with
identical tokentheandrecord,
cross-check
and the with AS for
provided
verification. However,
location is matched if the
with the fingerprint
GPS location authentication fails, theor
or registered location user mayause
within the second
nearby radius.
fingerprint
If either SIMtonumber
replace and
the failed
IMEI,one.
or SIM number and geo-location, are correct, the user then
will On mobile devices
be authorized that dothe
and receive nottoken.
support
Thebiometric recognition,
authentication flow forthethese
usercombinations
will need to
validate their geo-location.
is expressed in Figure 9. Once validated, the SIM number, device IMEI and the validated
location will be sent to AS for verification. AS will cross-check if the provided information
of mobile number and IMEI are identical with the record, and the provided location is
matched with the GPS location or registered location or within a nearby radius. If either
 Figure 8. Biometric-geo mobile identity authentication.

On mobile devices that do not support biometric recognition, the user will need to
validate their geo-location. Once validated, the SIM number, device IMEI and the vali-
Symmetry 2022, 14, 821 dated location will be sent to AS for verification. AS will cross-check if the provided
13 ofin-
17
formation of mobile number and IMEI are identical with the record, and the provided
location is matched with the GPS location or registered location or within a nearby radius.
If either SIM number and IMEI, or SIM number and geo-location, are correct, the user then
SIM number and IMEI, or SIM number and geo-location, are correct, the user then will
will be authorized and receive the token. The authentication flow for these combinations
be authorized and receive the token. The authentication flow for these combinations is
is expressed in Figure 9.
expressed in Figure 9.

Figure 9. Identity validation and token issuance.

Figure 9. Identity validation and token issuance.
A more systematic and theoretical analysis is required for making this authentication
method A moreclearersystematic
and more and theoretical
realistic. The analysis
system will is required
start by for makingathis
executing authentication
biometric module
method
check on clearer
the and more
device. As realistic.
an example The for
systemthe will start operating
Android by executing a biometric
system, the module
Java class
Symmetry 2022, 14, x FOR PEER REVIEW 14 of 18
check on the device. As an example for the Android
android.hardware.biometrics.BiometricManager
Symmetry 2022, 14, x FOR PEER REVIEW canoperating
be used tosystem, check the the availability
Java class an- of 14 of 18
droid.hardware.biometrics.BiometricManager
biometric devices
Symmetry 2022, 14, x FOR PEER REVIEW [52]: can be used to check the availability of bi-
Symmetry 2022, 14, x FOR PEER REVIEW 14 of 18
ometric devices [52]:
public class BiometricManager
public class BiometricManager
extends Object
public class BiometricManager
publicextends Object
class BiometricManager
java.lang.Object
java.lang.Object extends Object
extends Object
android.hardware.biometrics.BiometricManager
java.lang.Object
android.hardware.biometrics.BiometricManager
java.lang.Object
Or in IOS using [53]:
Or in IOS Orusing using [53]: android.hardware.biometrics.BiometricManager
[53]:
android.hardware.biometrics.BiometricManager
in IOS
var biometryType: LABiometryType {get}
Or
var in IOS using [53]:
Or in IOS usingcode
These [53]: linesbiometryType:
are samples for common LABiometryType
smartphone {get} types used nowadays. Other
types will These
have code
their lines
own are
varcode samples
biometryType:
functions for common
for serving smartphone
LABiometryType
the same types {get}
purpose. used
As anowadays.
result, once Other
var biometryType: LABiometryType {get}
These typescode willlines
have are samples
their
These codeown for
code common
functions
lines arereader smartphone
samples for serving
for common types
the used
same nowadays.
purpose.
smartphone As Other
a
types can result,
usednow once
nowada
it has confirmed whether a biometric exists, the types
authentication system
typesThese will
it
codetheir
have
has
linesown
confirmed
types
are samples
code
whether
will haveflow,
for common
functions
a for
biometric
their which
own code
smartphone
serving
reader the same
exists, the
used nowadays.
purpose. As
authentication a result, Other
systemonce can Asnow
proceed withtheirthe subsequent is tofunctions
checkthe the
for
SIM serving
number theforsame
As a aresult,
purpose.
mobile device a re
ittypes will have
has confirmed
proceed whether
with
it
own code
hasthe a
confirmed
functions
biometric
subsequent flow,
whether
for serving
reader which
a exists,
is to
biometric the same
check
readerthe
purpose.
authentication
SIM
exists,number
thesystem for can
a
once
now
mobile
authentication device
system
it haswith fingerprint
confirmed recognition
whether or the SIM
a biometric reader number
exists,with
theSIMIMEI extractionsystem
authentication for devicescan that are
now
proceed withfingerprint
with the subsequent
proceed withflow,
recognition thewhichor theisSIM
subsequent to check
number
flow, the
whichwithisnumber
IMEI
to check for
thea mobile
extraction SIM device
fornumber
devices that
for are
a mob
not supported.
proceed with the subsequent flow, which is to check the SIM number for a mobile device
with fingerprint
not supported.recognition
with fingerprint or the recognition
SIM numberorwith IMEInumber
the SIM extraction withforIMEI
devices that arefor device
extraction
withsupported.
not fingerprint recognition or the SIM number with IMEI extraction for devices that are
notwithsupported.
not 3.1. Mobile Device
supported. Fingerprint Recognition
3.1. Mobile Device with Fingerprint Recognition
3.1. Mobile In Device
the devices with fingerprint
with Fingerprint modules, the authentication system will require spe-
Recognition
In thewith3.1. Mobile
devices Device
with with Fingerprint
fingerprint modules, Recognition
the SIM
authentication system
3.1. cific
Mobile Device Fingerprint
In the devices with fingerprint modules,extracting
privileges and entitlement Recognition
before the
the authentication details.
system will These can will
require be require spe-
obtained
specific
during cific privileges
the registration and
In the entitlement
devices
of the user with before
identity extracting
fingerprint the
modules, SIM details.
the code These
authentication can be
system obtained
will re
In theand
privileges devices with fingerprint
entitlement before modules,
extracting theaccount
the
SIM on AS.These
authentication
details. These can be libraries
system will can
require
obtained be used
spe-
during
during
toprivileges
check onof the
the registration
cific privileges of the
and user identity
entitlement account
before on AS.
extracting These
the code
SIM libraries
details. can
These be used
can be
cificregistration
the and thefingerprint
entitlement
user identity recognition
before
account ondevice
extracting on the
the
AS. These SIM mobile
codedetails. devices
libraries These
can be subjected
canused to to
be obtained certain
check
to
conditions check on
on Androidthe
during fingerprint
the recognition
registration
[54]: of the device
user on
identity the mobile
account devices
on AS. subjected
These code to certain
libraries ca
during
on the the registration
fingerprint of the
recognition user
device identity
on theaccount
mobile on AS. These
devices code to
subjected libraries
certaincan be used
conditions
conditions
public on Android
String getSubscriberId [54]:
device on()
to check on the fingerprint recognition device on the mobile devices subjected
to check
on Android on [54]:
the
publicfingerprint String recognition the () mobile devices subjected to certain
conditions ongetSubscriberId
Android [54]:
conditions
and on Android [54]:
and String public
public
String getSubscriberId ()
getSubscriberId ()
CFStringRef CTSIMSupportCopyMobileSubscriberIden-
and
CFStringRef CTSIMSupportCopyMobileSubscriberIden-
tity(CFAllocatorRef allocator);
and
and
tity(CFAllocatorRef allocator);
CFStringRef CTSIMSupportCopyMobileSubscriberIden-
in IOS. CFStringRef CTSIMSupportCopyMobileSubscriberIden-
tity(CFAllocatorRef allocator);
in
The tity(CFAllocatorRef
IOS.following steps of the authentication allocator); system are to obtain the fingerprint [55]. An
asymmetric The following steps
in IOS. method is used
encryption of the authentication
where system
the user arethe
scans to obtain the fingerprint
fingerprint, and it will[55]. be An
in IOS.
in IOS. asymmetric encryption The following method is used where the user scans the fingerprint, and it will be
used
The as an encryption
following steps ofkey thefor the steps
authentication
of the authentication
transaction details
system are and
system are
to receive
to obtain
to obtain
a token
the fingerprint from the fingerprin
[55].AS.AnIt is
thenused
asymmetric
as
to an
sentencryption
the encryption
asymmetric
application
method is
key for the method
encryption
server
usedfor
transaction
whereverification. details
is used
the user scans Thewhereandthe to user
application receive
the fingerprint, servera token
scans
and
the
will from AS.
fingerprint,
check
it will be the
Itand
is
then
validity sent to
used
of the token the application
as an
with encryption server key forforverification.
the transaction The application
details and server
to receivewill a check
token the
from
used as an encryption key for the
the SIM numberdetails
transaction and proceed
and to to complete
receive a token the from
transaction
AS. It isonce
AS validity
has verified ofthen
the
the token
sent
user with
to the the
identity. SIM number
application server andforproceed to complete
verification. the transaction
The application serveronce will
then sent to the application server for verification. The application server will check the
AS has verified the user identity.
validity of the token with the SIM number and proceed to complete the transac
validity of the token with the SIM number and proceed to complete the transaction once
AS has verified the user identity.
Symmetry 2022, 14, 821 14 of 17

The following steps of the authentication system are to obtain the fingerprint [55]. An
asymmetric encryption method is used where the user scans the fingerprint, and it will be
used as an encryption key for the transaction details and to receive a token from AS. It is
then sent to the application server for verification. The application server will check the
validity of the token with the SIM number and proceed to complete the transaction once
AS has verified the user identity.

3.2. Mobile Device without Fingerprint Recognition

Like the earlier condition in the previous section, the devices without fingerprint
modules also require specific privileges but use different code libraries for extracting the
SIM number and IMEI depending on the mobile device type. Once the SIM number and
IMEI are successfully recorded, then geo-location will be obtained using the mobile device’s
GPS receiver.
The captured GPS location will be compared to the initial location defined in the AS,
and if identical or within an accepted radius, the token will be issued. However, if the
location is outside the accepted range, the user will be required to verify the GPS location
manually from a registered device. Once verified, the transaction details and received
token from AS will be encrypted using the initially defined geo-location before moving to
the application server. The application server will check the validity of the token with the
SIM number and IMEI, then proceed to complete the transaction once AS has verified the
user identity.
The difference in geo-location captured by GPS will be recorded and analyzed by
AS from time to time. The new location will also be whitelisted, allowing for future
authentication within acceptable frequency and occurrence. This will reduce the number of
user interventions required for authentication.

4. Challenges
Many challenges and open issues need to be addressed in securing mobile identity
authentication. It is essential because mobile identity represents us in the virtual world
of transactions. This will probably be the only identity recognition that we will use in all
daily activities. Any discrepancy in security will cause severe damage to many parties.
We have highlighted the challenges and open issues related to mobile identity in the
subsection below.

4.1. Different Policies and Regulations

Different policies and regulations related to mobile identity are in use in different
countries. Due to the differences, there is no global standard, and it is hard to standardize
the mobile identity authentication requirements. There are also different organizations
developing different mobile identity infrastructures. Hence, the coverage or a mobile
identity system is hard to expand beyond boundaries due to this limitation.
This issue can only be addressed if there is a mobile identity base system capable of
integrating multiple mobile identity providers into a single platform. Alternatively, it can
be a single software with multiple customizable modules, which can be configured with
different required settings such as the Systems Applications and Products (SAP).

4.2. High-End Devices

The authentication method that was presented in this study requires a high-end device
that supports biometric recognition. However, there are still many low-end devices in
widespread use. Even if all the devices support the GPS authentication method, it may
expose them to location spoofing.
The minimum requirement for this authentication method is that mobile devices with
GPS support the anti-spoofing module, such as the selective availability spoofing module
(SAASM). On the other hand, we believe that all devices supporting biometric recognition
and anti-spoof geo-location modules will come sooner.
Symmetry 2022, 14, 821 15 of 17

4.3. Changes in User’s Information

The mobile identity is tied to the SIM number. We frequently hear that people keep
changing their SIM number, also having multiple SIM cards and shared SIMs. This is
quite troublesome in maintaining the integrity of the identity, especially when recycling
mobile numbers is also widespread and still growing. The challenge is to make information
change convenient at the consumer end. The harder it becomes, the lesser public involve-
ment in registering for mobile identity. This limits the expansion potential of the mobile
identity system.
To overcome this issue, the user identity cannot be tied to a mobile number or known as
a Mobile Station International Subscriber Directory Number (MSISDN). It may be identified
using the MSISDN account number, which is only known by the customer and the service
provider. The account number may act as the physical identity card number and will
be permanently assigned to the user. So, the mobile identity system, instead of using
an MSISDN number, should register the user using the user’s service provider account
number. In this case, changing or having multiple SIMs should not be an issue.

5. Conclusions
In this paper, we attempted to present the combination of multi-factor authentication
that requires less user intervention. Due to security concerns, we introduced the asymmetric
encryption protocol where the user’s input itself is used as the encryption key. The PKI
concept was used but without the requirement to engage certificate authority (CA), thus
involving less cost.
As mentioned earlier in this study, due to the uniqueness of fingerprints to identify the
user and the accuracy of using GPS for location identification, fingerprint authentication
and geo-location identification can be used to correctly authenticate the user, as these
methods are unique and affordable to implement. We can see from all advertisements that
mobile phones nowadays do have hardware support for both types of authentications.
Having a dedicated server for authentication of mobile user identities will ease transaction
validation and reduce the possible threats. The way mobile identity works is somewhat
similar to a computer’s single sign on (SSO) scheme, where the number of attempts by
users to validate themselves is reduced because all authentications are performed through
the server.
However, the challenges and limitations of different policies and regulations, high-end
device requirements, and the changeability of user information need to be addressed to
make this authentication method more convenient, secure, and reliable for representing
the user in the virtual world. Mobile identity is for more than simply providing access.
Security is also an important consideration.

Author Contributions: Conceptualization, A.M. and M.K.A.A.; methodology, M.K.A.A. and Z.A.Z.;
validation, M.K.A.A., Z.A.Z. and A.M.; formal analysis, A.M., Z.A.Z.; investigation, Z.A.Z., A.M.;
writing—original draft preparation, M.K.A.A. and A.M.; writing—review and editing, Z.A.Z.; visual-
ization, M.K.A.A. and Z.A.Z.; supervision, Z.A.Z.; project administration, A.M.; funding acquisition,
Z.A.Z. All authors have read and agreed to the published version of the manuscript.
Funding: This research received no external funding.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Data Availability Statement: Not applicable.
Acknowledgments: We are grateful to the editor and three anonymous reviewers for their valuable
suggestions and comments, which significantly improved the quality of the manuscript.
Conflicts of Interest: The authors declare no conflict of interest.
Symmetry 2022, 14, 821 16 of 17

References
1. Khan, A.R. National Identity Card: Opportunities and Threats. J. Asian Res. 2018, 2, 77. [CrossRef]
2. Alavalapati, G.R.; Devanapalli, S.; Kolloju, P.; Ji, S.; Vanga, O. Provably secure pseudo-identity-based device authentication for
smart cities environment. Sustain. Cities Soc. 2018, 41, 878–885.
3. Habib, S.; Hamadneh, N.N. Impact of Perceived Risk on Consumers Technology Acceptance in Online Grocery Adoption amid
COVID-19 Pandemic. Sustainability 2021, 13, 10221. [CrossRef]
4. Pöhn, D.; Grabatin, M.; Hommel, W. eID and Self-Sovereign Identity Usage: An Overview. Electronics 2021, 10, 2811. [CrossRef]
5. SLA Digital. What Is Mobile Identity? Mobile Identity. Available online: https://sla-digital.com/blog/what-is-mobile-identity/
(accessed on 17 January 2022).
6. Alazab, M.; Alazab, M.; Shalaginov, A.; Mesleh, A.; Awajan, A. Intelligent mobile malware detection using permission requests
and API calls. Futur. Gener. Comput. Syst. 2020, 107, 509–521. [CrossRef]
7. Yu, Y.; He, J.; Zhu, N.; Cai, F.; Pathan, M.S. A new method for identity authentication using mobile terminals. Proc. Comput. Sci.
2018, 131, 771–778. [CrossRef]
8. He, D.; Zeadally, S.; Wu, L.; Wang, H. Analysis of handover authentication protocols for mobile wireless networks using
identity-based public key cryptography. Comput. Netw. 2017, 128, 154–163. [CrossRef]
9. Zhigang, G.; Zhichao, C.; Wenjie, D.; Jianhui, Z.; Huijuan, L. Identity authentication based on trajectory characteristics of mobile
devices. J. Syst. Architect. 2021, 112, 101857.
10. GSMA. Mobile Identity—Unlocking the Potential of the Digital Economy. GSM Association. October 2019. Available on-
line: https://www.gsma.com/identity/wp-content/uploads/2014/10/GSMA-SIA-paper_FINALNov-2014.pdf (accessed on 14
January 2022).
11. Feng, W.; Ge, B.S.; Yong, C.; Xianrong, Z.; Hong, W.; Sun, M.; Li, H. Identity Authentication Se-curity Management in Mobile
Payment Systems. J. Glob. Inf. Manag. 2020, 28, 1.
12. El-Soud, M.W.A.; Gaber, T.; AlFayez, F.; Eltoukhy, M.M. Implicit authentication method for smartphone users based on rank
aggregation and random forest. Alex. Eng. J. 2020, 60, 273–283. [CrossRef]
13. Salim, A.; Tripathi, S.; Tiwari, R.K. Applying Geo-Encryption and Attribute Based Encryption to Implement Secure Access Control
in the Cloud. Int. J. Comput. Netw. Commun. 2019, 11, 121–135. [CrossRef]
14. Nor, Z.Z.; Nur, I.R.; Ahmad, D.J.; Farhan, A.M.; Mohdm, M.M.A. Biometric Acceptance in Malaysia Voyage. e-Security 2021, 50,
2–46.
15. Huaibei, L. Biometric identification of identity authentication technology. Straits Sci. 2012, 10, 41–43.
16. Muthukumar, A.; Kasthuri, C.; Kannan, S. Multimodal biometric authentication using particle swarm optimization algorithm
with fingerprint and iris. ICTACT J. Image Video Proc. 2012, 2, 369–374.
17. Dong, J.; Zhang, G.; Luo, B.; Yang, Q.; Guo, D.; Rong, H.; Zhu, M.; Zhou, K. A distributed adaptive optimization spiking neural P
system for approximately solving combinatorial optimization problems. Inf. Sci. 2022, 596, 2050054. [CrossRef]
18. Ju, X.; Rosenberger, J.M.; Chen, V.C.P.; Liu, F. Global optimization on non-convex two-way interaction truncated linear multivariate
adaptive regression splines using mixed integer quadratic programming. Inf. Sci. 2022, 597, 38–52. [CrossRef]
19. Alraih, S.; Shayea, I.; Behjati, M.; Nordin, R.; Abdullah, N.F.; Abu-Samah, A.; Nandi, D. Revolution or Evolution? Technical
Requirements and Considerations towards 6G Mobile Communications. Sensors 2022, 22, 762. [CrossRef]
20. Jang, U.; Lim, H.; Kim, H. Privacy-Enhancing Security Protocol in LTE Initial Attack. Symmetry 2014, 6, 1011–1025. [CrossRef]
21. Ferrag, M.A.; Maglaras, L.; Argyriou, A.; Kosmanos, D.; Janicke, H. Security for 4G and 5G cellular networks: A survey of existing
authentication and privacy-preserving schemes. J. Netw. Comput. Appl. 2018, 101, 55–82. [CrossRef]
22. Behrad, S.; Bertin, E.; Crespi, N. A survey on authentication and access control for mobile networks: From 4G to 5G. Ann.
Telecommun. 2019, 74, 593–603. [CrossRef]
23. Behrad, S.; Bertin, E.; Crespi, N. February. Securing authentication for mobile networks, a survey on 4G issues and 5G answers.
In Proceedings of the 2018 21st Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN), Paris, France,
19–22 February 2018; pp. 1–8.
24. Li, Z.; Wang, W.; Wilson, C.; Chen, J.; Qian, C.; Jung, T.; Zhang, L.; Liu, K.; Li, X.; Liu, Y. March. FBS-Radar: Un-Covering Fake Base
Stations at Scale in the Wild; NDSS: San Diego, CA, USA, 2017.
25. Shaik, A.; Borgaonkar, R.; Asokan, N.; Niemi, V.; Seifert, J.-P.; Capkun, S. Practical Attacks Against Privacy and Availability in
4G/LTE Mobile Communication Systems. arXiv 2016, arXiv:1510.07563. [CrossRef]
26. Cao, J.; Ma, M.; Li, H.; Zhang, Y.; Luo, Z. A Survey on Security Aspects for LTE and LTE-A Networks. IEEE Commun. Surv.
Tutorials 2013, 16, 283–302. [CrossRef]
27. Panwar, N.; Sharma, S.; Singh, A.K. A survey on 5G: The next generation of mobile communication. Phys. Commun. 2016, 18,
64–84. [CrossRef]
28. Lichtman, M.; Jover, R.P.; Labib, M.; Rao, R.; Marojevic, V.; Reed, J.H. LTE/LTE-A jamming, spoofing, and sniffing: Threat
assessment and mitigation. IEEE Commun. Mag. 2016, 54, 54–61. [CrossRef]
29. Bikos, A.; Sklavos, N. LTE/SAE Security Issues on 4G Wireless Networks. IEEE Secur. Priv. 2012, 11, 55–62. [CrossRef]
30. Lee, J.; Ryu, S.; Yoo, K. Fingerprint-based remote user authentication scheme using smart cards. Electron. Lett. 2002, 38, 554–555.
[CrossRef]
Symmetry 2022, 14, 821 17 of 17

31. Fan, C.-I.; Lin, Y.-H. Provably Secure Remote Truly Three-Factor Authentication Scheme with Privacy Protection on Biometrics.
IEEE Trans. Inf. Forens. Secur. 2009, 4, 933–945. [CrossRef]
32. Blasco, J.; Chen, T.; Tapiador, J.; Peris, P. A Survey of Wearable Biometric Recognition Systems. ACM Comput. Surv. 2016, 49, 1–35.
[CrossRef]
33. Rathgeb, C.; Uhl, A. A survey on biometric cryptosystems and cancelable biometrics. EURASIP J. Inf. Secur. 2011, 2011, 3.
[CrossRef]
34. Camara, C.; Peris-Lopez, P.; Tapiador, J.E. Human Identification Using Compressed ECG Signals. J. Med. Syst. 2015, 39, 1–10.
[CrossRef]
35. Pedrycz, W.; Vasilakos, A.; Karnouskos, S. Guest Editorial—Special issue on computational intelligence in telecommunications
networks and internet services—Part II. IEEE Trans. Syst. Man Cybern. Part C Appl. Rev. 2003, 33, 429–431. [CrossRef]
36. Deng, Y.; Fu, H.; Xie, X.; Zhou, J.; Zhang, Y.; Shi, J. A novel 3GPP SAE authentication and key agreement protocol. In Proceedings
of the 2009 IEEE International Conference on Network Infrastructure and Digital Content, Beijing, China, 6–8 November 2009;
pp. 557–561.
37. Ali, R.F.; Muneer, A.; Dominic, P.D.D.; Taib, S.M.; Ghaleb, E.A. August. Internet of Things (IoT) Security Challenges and Solutions:
A Systematic Literature Review. In Proceedings of the International Conference on Advances in Cyber Security, Penang, Malaysia,
24–25 August 2021; pp. 128–154. [CrossRef]
38. Hamandi, K.; Abdo, J.B.; Elhajj, I.H.; Kayssi, A.; Chehab, A. A privacy-enhanced computationally-efficient and comprehensive
LTE-AKA. Comput. Commun. 2017, 98, 20–30. [CrossRef]
39. Cao, J.; Ma, M.; Li, H. Unified handover authentication between heterogeneous access systems in LTE networks. In Proceedings
of the 2012 IEEE Global Communications Conference (GLOBECOM), Anaheim, CA, USA, 3–7 December 2012; pp. 5308–5313.
[CrossRef]
40. Bohák, A.; Buttyán, L.; Dóra, L. An authentication scheme for fast handover between WiFi access points. In Proceedings of the
3rd International Conference on Wireless Internet, Austin, TX, USA, 22–24 October 2007. [CrossRef]
41. Dimitriadis, C.K.; Polemi, D. An identity management protocol for Internet applications over 3G mobile networks. Comput. Secur.
2006, 25, 45–51. [CrossRef]
42. Kormann, D.P.; Rubin, A.D. Risks of the Passport single signon protocol. Comput. Netw. 2000, 33, 51–58. [CrossRef]
43. Dimitriadis, C.K.; Shaikh, S.A. A Biometric Authentication Protocol for 3G Mobile Systems: Modelled and Validated Using CSP
and Rank Functions. Int. J. Netw. Secur. 2007, 5, 99–111.
44. Di Raimondo, M.; Gennaro, R. New Approaches for Deniable Authentication. J. Cryptol. 2009, 22, 572–615. [CrossRef]
45. Lee, W.-B.; Wu, C.-C.; Tsaur, W.-J. A novel deniable authentication protocol using generalized ElGamal signature scheme. Inf. Sci.
2007, 177, 1376–1381. [CrossRef]
46. Shao, Z. Efficient deniable authentication protocol based on generalized ElGamal signature scheme. Comput. Stand. Interfaces
2004, 26, 449–454. [CrossRef]
47. Bersani, F.; Tschofenig, H. The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method; IETF: Marina
del Rey, CA, USA, 2007. [CrossRef]
48. Aboba, B.; Blunk, L.; Vollbrecht, J.; Carlson, J.; Levkowetz, H. Extensible Authentication Protocol (EAP); IETF: Marina del Rey, CA,
USA, 2004. [CrossRef]
49. Gao, Y.; Al-Sarawi, S.F.; Abbott, D. Physical unclonable functions. Nat. Electron. 2020, 3, 81–91. [CrossRef]
50. Wang, X.; Hao, P.; Hanzo, L. Physical-layer authentication for wireless security enhancement: Current challenges and future
developments. IEEE Commun. Mag. 2016, 54, 152–158. [CrossRef]
51. Xie, N.; Li, Z.; Tan, H. A Survey of Physical-Layer Authentication in Wireless Communications. IEEE Commun. Surv. Tutor. 2020,
23, 282–310. [CrossRef]
52. Developers. BiometricManager. Available online: https://developer.android.com/reference/android/hardware/biometrics/
BiometricManager (accessed on 14 January 2022).
53. Developers. biometryType. Available online: https://developer.apple.com/documentation/localauthentication/lacontext/28
67583-biometrytype (accessed on 24 January 2022).
54. Developers. TelephonyManager. Available online: https://developer.android.com/reference/android/telephony/
TelephonyManager.html#getSubscriberId%28%29 (accessed on 27 January 2022).
55. Murray, D. Ios-Reversed-Headers. Available online: https://github.com/davidmurray/ios-reversed-headers/blob/master/
CoreTelephony/CTSIMSupport.h (accessed on 27 January 2022).