Authentication Securing Methods for Mobile Identity: Issues, Solutions and Challenges
Symmetry 2022, 14, 821

Abstract
Smartphone devices have become an essential part of our daily activities, running various essential applications that contain very confidential information. For this reason, the security of the device and of the transactions is required to ensure that the transactions are performed legally. The authentication methods most mobile users rely on are passwords and short messages. However, numerous security vulnerabilities are inherent in various authentication schemes. Fingerprint identification and face recognition technology sparked a massive wave of adoption a few years back. The international mobile equipment identity (IMEI) and identity-based public key cryptography (ID-based PKC) have also become widely used options. More complex methods have been introduced, such as the management flow that combines transaction key creation, encryption, and decryption in processing users' personal information and biometric features. There is also a combination of multiple user-based authentications, such as initializing the user's trip routes with the coordinates of home and office to set template trajectories and stay points for authentication. Therefore, this research aimed to identify the issues with the available authentication methods and the best authentication solution while overcoming the challenges.


Introduction
An identity card (IC) is used for compulsory registration and identification of each citizen, so that they can claim citizenship. Without identification, one cannot carry out citizenship-related tasks or enjoy citizenship advantages [1]. In recent years, many organizations have introduced online transactions on a mobile platform. Smart parking meters, smart traffic management, smart public transit, healthcare, precision agriculture, building management, public monitoring, and smart petrol stations are some of the mobile phone applications that have improved business efficiency and user satisfaction [2]. With the COVID pandemic, the global online commerce volume has expanded dramatically [3]. This is where the mobile identity is required: to authenticate and log in, users need reliable digital identities [4].
Mobile identity is often tied to the subscriber identity module (SIM) card, where it can represent the owner and be used for authenticating the SIM card, thus representing and authenticating the owner virtually. Simply put, mobile identity utilizes a user's identity attributes tied to a mobile device for identity verification, authentication, and authorization [5]. However, mobile threats are continuously being updated with new features, shifted into new distribution channels and supported by investments in the development of detection avoidance techniques [6]. We believe that it is crucial to perform
• First, we have conducted a comprehensive review of the existing common mobile identity authentication issues based on recent research papers.
• Second, this study highlights the vulnerabilities of 4G and 5G authentication and the necessity for it to evolve consistently.
• Based on the extensive literature review conducted, we have proposed a solution of having a fourth entity as an authentication provider, known as mobile identity, which we think is the best approach to balance the requirement of security and the convenience of transactions.
The next section will discuss the common mobile authentication types found in the referred research papers and identify the issues. In Section 3, we will evaluate the proposed solution in terms of flows and functions and how it works. Some of the challenges will be addressed in Section 4, before we summarize this study in Section 5.

Mobile Authentication Method and Issues
Many research studies have produced solutions to address mobile online authentication issues, such as a mobile authentication system based on the Blowfish encryption algorithm [7], handover authentication protocols using ID-based PKC [8], a trajectory-based identity authentication method [9], the integration of cryptographic methods for anonymous biometric authentication [11], authentication using a public behavior dataset (i.e., keystrokes on touch screens) with different feature selections to improve the authentication accuracy [12], and using ciphertext-policy attribute-based encryption bound to the geographical location [13]. However, few have narrowed the issues down to the mobile identity authentication service, for example, the national electronic identities (eID) [4] and decentralized and self-sovereign identity (SSI) solutions [14]. This section will address the issues of the standard authentication methods commonly used for mobile transactions.

Static Password Authentication
The static password is the earliest and most widely used means of authentication [2]. The system sets up two tuples of information for each legitimate user during registration: a commonly named username and password. User information provided during the registration will be tied to the username. Each login will require the user to self-introduce by entering the username and authenticating it using a secret password. Figure 1 represents the idea of how registration is performed. This type of authentication purely depends on the user to memorize. Commonly, users will select a word that they can easily remember, potentially exposed to attack. Cybercriminals have created many tools that can help in guessing passwords. On the other hand, a complex password may be forgotten, and the user will have to reset that. This will take away the convenience of the authentication.
Static passwords are easy to forget, lose, or leak [11]. They are simple to crack using tactics such as guessing, dictionary attacks, brute force cracking, theft, replay assaults, Trojan horse attacks, and other methods [7]. They are also too risky to use independently, especially for the purpose of mobile identity authentication.

Dynamic Password Authentication
The SMS verification code is one of the most common dynamic password authentication methods. Like the static password, the system will require identification information from the user, paired with the server's generated PIN or token for access authentication [7].
Additionally, users need to register themselves and provide a username and mobile phone number as a primary key tied to their information, as shown in Figure 2. During the login, the user will need to enter the username, and once the server validates that their profile exists, an SMS of the generated password will be sent to the correlated mobile number. The mobile phone user will then use the generated password for authenticating their access. SMS authentication codes are sent in plain text. This presents a vulnerability that is constantly exposed to high-risk threats.

Biometric Authentication
Each individual has unique biological traits, and because biometrics cannot be easily falsified over an extended period of time, they can be utilized as a trustworthy method of identity authentication [15]. The emergence of biometric modalities also sparked a realization that this issue warrants further exploration and discussion. However, there is no clear baseline concerning the criteria and specifications required for security testing, specifically for biometric products, systems, etc. that the national government uses in adopting biometric technologies [14]. Therefore, some biometric authentication technologies have been accompanied by an optimization algorithm. Authors in [16] proposed a multimodal system based on an evolutionary algorithm for the security of the biometric system. However, some of the recent optimization algorithms can be adopted to overcome the challenge of the evolutionary algorithm used for the security of the biometric system, such as the algorithms suggested by [17] and [18].
Each legitimate user will capture their biometric information for this type of authentication. This is easier nowadays, because most smartphones are equipped with a built-in camera to capture face or iris, a voice recorder to capture voice, and a fingerprint reader to capture thumbprints. The biometric information will be preprocessed and bound with user information during registration. Each login will require the user to present their biometrics for authentication.
The risks of using biometrics are considerable. Once breached, they cannot be recovered: the data are not renewable and hence cannot be used once stolen. Other disadvantages of biometric authentication are the high computational cost, the accuracy and usability required in the unlocked state, and hardware sensors that are impractical for frequent logins/authentications [12]. Another issue with biometric authentication is that the traits may change slightly over time. Table 1 lists the impact of biometric changes [14].

Trip Trajectory Authentication
Different mobile phone users will have different personal trip trajectories and stay points. This type of authentication determines the validity of the present mobile device user based on his trajectory data [9]. The travel trajectory's system architecture is depicted in Figure 3, which includes the registration and authentication phases.
In the registration phase, a user registers his information, comprising his home and workplace coordinates and trip routes, in the template library, which is dynamically expanded to accommodate the user's trip regularities. In the authentication phase, the data gathering module collects the user's daily travel trajectories using GPS-enabled mobile devices, calculating the similarity between the sample and template trajectories in order to determine likely stay point coordinates. The results of this calculation will be used to judge whether the user is valid or not.
Additionally, this type of authentication makes it hard to validate users who travel frequently. Frequent changes in the user's coordinates and stay points make authentication difficult.
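As an added illustration (not code from the paper or from [9]), the following Python sketch implements the two phases described above: stay-point detection over constructed GPS fixes, a simple route-similarity score against the template library, and the dynamic expansion of that library on a successful authentication. The thresholds (200 m / 30 min stay rule, 300 m route tolerance, 0.8 similarity) and the coordinates are assumptions.

```python
import math
from dataclasses import dataclass, field

# Constructed home/office coordinates (decimal degrees); not taken from the paper.
HOME = (3.1400, 101.6900)
OFFICE = (3.1600, 101.7100)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 coordinates."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def stay_points(traj, dist_m=200.0, min_stay_s=1800):
    """Stay-point detection: a run of fixes that stays within dist_m of its first
    fix for at least min_stay_s becomes one (lat, lon) centroid. traj is a list of
    (lat, lon, unix_time) tuples in time order; the thresholds are assumed values."""
    out, i = [], 0
    while i < len(traj):
        j = i + 1
        while j < len(traj) and haversine_m(*traj[i][:2], *traj[j][:2]) <= dist_m:
            j += 1
        if traj[j - 1][2] - traj[i][2] >= min_stay_s:
            run = traj[i:j]
            out.append((sum(p[0] for p in run) / len(run), sum(p[1] for p in run) / len(run)))
            i = j
        else:
            i += 1
    return out


def route_similarity(sample, template, tol_m=300.0):
    """Fraction of sample fixes lying within tol_m of some fix of the template route."""
    if not sample:
        return 0.0
    hits = sum(1 for s in sample if any(haversine_m(*s[:2], *t[:2]) <= tol_m for t in template))
    return hits / len(sample)


@dataclass
class TemplateLibrary:
    """Registration data: home/office coordinates plus the accepted trip routes."""
    home: tuple
    office: tuple
    routes: list = field(default_factory=list)

    def authenticate(self, sample, sim_threshold=0.8, stay_tol_m=300.0):
        """Authentication phase: every detected stay point must sit on home or office
        and the route must resemble a registered one. On success the sample is added
        to the library, so the templates grow with the user's regular trips."""
        stays = stay_points(sample)
        stays_ok = bool(stays) and all(
            any(haversine_m(*s, *a) <= stay_tol_m for a in (self.home, self.office))
            for s in stays)
        best = max((route_similarity(sample, r) for r in self.routes), default=0.0)
        ok = stays_ok and best >= sim_threshold
        if ok:
            self.routes.append(list(sample))
        return ok, best


def make_commute(a, b, start, jitter=0.0):
    """Constructed trajectory: 40 min at a, 30 min travelling a->b, 40 min at b.
    jitter shifts longitude slightly to mimic GPS noise on another day."""
    pts = [(a[0], a[1] + jitter, start + k * 600) for k in range(5)]
    t = start + 40 * 60
    pts += [(a[0] + (b[0] - a[0]) * k / 10, a[1] + (b[1] - a[1]) * k / 10 + jitter, t + k * 180)
            for k in range(1, 11)]
    t += 30 * 60
    pts += [(b[0], b[1] + jitter, t + k * 600) for k in range(5)]
    return pts


if __name__ == "__main__":
    lib = TemplateLibrary(HOME, OFFICE, [make_commute(HOME, OFFICE, 0)])
    print(lib.authenticate(make_commute(HOME, OFFICE, 86400, jitter=0.0005)))   # accepted
    print(lib.authenticate(make_commute((3.20, 101.60), (3.22, 101.62), 86400)))  # rejected
```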

Cryptography Authentication
Cryptography can be utilized to secure data during transmission, storage, and computation. Cryptography is a technique that utilizes a key and an algorithm to convert plain text (readable text) to ciphertext (unreadable text) [13]. There are two types of cryptography used: symmetric and asymmetric. In symmetric key cryptography, the same key is utilized to encrypt and decrypt. It consists of five elements: plaintext, encryption algorithm, secret key, ciphertext, and decryption algorithm. Asymmetric key cryptography, however, uses different keys for encryption and decryption, referred to as the public and private keys, and is known as public key infrastructure (PKI).

ID-Based PKC (Public Key Cryptography)
Traditional public-key cryptography (TPKC) was introduced based on PKI. Several protocols using the TPKC have been proposed, where each user will have a certificate to bind their identity and public key. Those certificates are produced by a trusted third party called the certificate authority (CA) [8]. However, the system has an overhead to be borne when the number of users increases.
To overcome the weaknesses in these TPKC protocols, identity-based public-key cryptography (ID-based PKC) has been proposed in the last several years. The participant's identity itself is taken as the public key so that no certificate is needed to bind its identity and public key [8]. Figure 4 shows the flow of ID-based PKC authentication.

Geo-Encryption
Geo-encryption is an encryption method that uses the user's geographical location as the user's identity itself. It enables data encryption for a specific place that may be identified spatially and temporally. Without the position information received using an anti-spoof GPS device, it is impossible to decode the data with the particular availability spoofing module (SAASM). The GPS signal includes encrypted binary Y codes. SAASM receivers can track Y codes only when loaded with the correct decryption key [13]. This type of encryption is useful when there is a requirement for disabling decryption outside a specified geo-location.
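As an added example (not the paper's or [13]'s code), this Python sketch shows the key-binding idea behind geo-encryption: the key is derived from a master secret plus the quantised position and time window, so a receiver whose position fix (assumed to come from a trusted, anti-spoof GPS receiver) falls in a different cell or a later window derives a different key and the authenticated decryption refuses to open the data. The cell size, the window length and the SHA-256 counter-mode stream standing in for a real cipher are assumptions.

```python
import hashlib
import hmac
import math
import os

CELL_DEG = 0.01     # ~1.1 km grid cell (assumed policy, not from the paper)
WINDOW_S = 3600     # one-hour validity window (assumed)


def geo_cell(lat, lon, t, cell_deg=CELL_DEG, window_s=WINDOW_S):
    """Quantise a position fix and a UNIX time into a (lat_idx, lon_idx, t_idx) cell id.
    Nearby fixes inside the same cell and hour map to the same id."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg), t // window_s)


def geolock(master, cell):
    """Derive the per-cell 'geolock' key from the master secret and the cell id."""
    tag = "%d:%d:%d" % cell
    return hmac.new(master, b"geolock|" + tag.encode(), hashlib.sha256).digest()


def keystream(key, nonce, n):
    """Toy SHA-256 counter-mode keystream; a stand-in for AES-CTR, not for production."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def geo_encrypt(master, plaintext, lat, lon, t):
    """Encrypt so the data opens only inside the cell/time window of (lat, lon, t)."""
    key = geolock(master, geo_cell(lat, lon, t))
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]   # encrypt-then-MAC
    return nonce + ct + tag


def geo_decrypt(master, blob, lat, lon, t):
    """Return the plaintext, or None when the receiver's fix is outside the locked cell
    or window: the derived key differs, so the tag check fails before any decryption."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    key = geolock(master, geo_cell(lat, lon, t))
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


if __name__ == "__main__":
    master = bytes(range(32))                 # constructed master secret
    blob = geo_encrypt(master, b"meter reading 42", 3.1405, 101.6912, 1_700_000_000)
    print(geo_decrypt(master, blob, 3.1407, 101.6918, 1_700_000_600))  # same cell: opens
    print(geo_decrypt(master, blob, 3.1507, 101.6912, 1_700_000_000))  # other cell: None
```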

Multi-Factor Authentication (MFA)
Instead of using a single authentication method, multi-factor authentication combines another layer of authentication. For example, a static password can be tied to a dynamic password. The user enters the password and sends the request to an authentication server. Once the password is verified, the authentication server sends a randomly generated PIN/password to the user's registered mobile number through SMS or to the user's registered email address. The user then needs to enter the generated password to complete the authentication. However, users will need to authenticate themselves twice or more using this MFA method [11].
For improvement, other combination methods are proposed for MFA, which reduce the number of authentication attempts by the user. For example, bio-encryption combines the benefits of traditional cryptography with the security provided by biometrics [8]. Although this method is much more secure than the static-dynamic password combination, it requires higher-end devices. Table 2 shows some of the mobile authentication methods and their issues.

Table 2. Mobile authentication methods and issues.
Method | Description | Issues | Risk | Ref.
Static password | User enters the username and authenticates using a secret password. | Depends on the user to memorize; easy to forget, lose, or leak. Exposed to guessing, dictionary attacks, brute force cracking, stealing, replay attacks, Trojan horse attacks and others. | High | [2,7,11]
Dynamic password | Register username and mobile phone number as a primary key. The user's identification information is paired with the server's generated PIN or token. | Code is sent in plain text. Vulnerability is constantly exposed to high-risk threats. | High | [7]
Biometric | User captures their biometric information, then preprocesses and binds it with user information. Each login requires the user to present their biometric data. | [not recovered in the extracted text] | [not recovered] | [not recovered]
Public key cryptography | Plain text (readable text) is converted to ciphertext (unreadable text) with the help of the key and algorithm. The user will have a certificate to bind their identity and public key. | The system has an overhead to be borne when the number of users increases. Cost increases and maintenance becomes increasingly complex. | Low | [8]
ID-based public key cryptography | The participant's identity is taken as the public key to bind its identity and public key. | The system has an overhead to be borne when the number of users increases. Cost increases and maintenance becomes increasingly complex. | Low | [8]
Geo-encryption | User's geographical location serves as the identity of the user. Data are encrypted for a specific location, obtained using an anti-spoof GPS receiver, that can be identified in terms of space and time. | Only applicable when there is a requirement for disabling decryption outside a specified geo-location. | Low | [13]
Multi-factor | Combines the authentication method used with another layer of authentication. | Users will need to authenticate themselves twice or more using this method. | Low | [11]

Securing Authentication for Mobile Networks
Authentication and key management are critical components of cellular network security because they establish mutual authentication between users and the network and generate cryptographic keys for the protection of both signaling and user plane data. Each generation of cellular networks has specified at least one type of authentication [19]. For instance, the fourth-generation mobile network (4G) specified 4G EPS-AKA, but the fifth-generation mobile network (5G) specifies three authentication methods: 5G-AKA, EAP-AKA [20], and EAP-TLS (transport layer security) [20].
Because 5G defines additional authentication techniques, wireless practitioners frequently inquire about the rationale for 5G's adoption of these new authentication methods and how they differ from 4G authentication [21]. The purpose of this section is to address those questions by performing a comparative analysis of 4G and 5G mobile authentication methods [22]. The analysis demonstrates that 5G authentication outperforms 4G authentication in several ways [23], including the use of a unified authentication framework that can support a larger number of use cases, enhanced user equipment identity protection, enhanced home-network control, and increased key separation during key derivation. Additionally, this section highlights the vulnerabilities of 5G authentication and the necessity for it to evolve regularly. Prior generations' security and privacy challenges, notably in radio access networks (RANs), have been thoroughly explored. The following are only a few of the numerous concerns uncovered.

1. Due to the absence of network authentication in 2G, attacks such as network spoofing by faked base stations are possible. For example, a faked base station can advertise a different tracking area code with a stronger signal strength to entice user equipment (UE) away from its legitimate cellular network and register with the faked base station [24].
2. Inadequate secrecy in certain signaling messages, resulting in a violation of privacy. For example, unencrypted paging information can be employed to detect the presence of a specific user and even trace the person to a precise location [25].
To address these concerns, the 3rd Generation Partnership Project (3GPP) provides an Authentication and Key Agreement (AKA) protocol and associated procedures that support entity authentication, message integrity, and message secrecy, among other security aspects [26]. The 3GPP AKA protocol is a challenge-and-response authentication scheme based on the sharing of a symmetric key between a subscriber and a home network. Following mutual authentication between a subscriber and a home network, cryptographic keying materials are generated to safeguard further communication between the subscriber and a serving network, which includes both signaling messages and user plane data (e.g., over radio channels) [26].
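As an added example, not code from the paper or from 3GPP, the following Python simulation walks through one AKA round between the home network, the serving network and the user equipment (UE): the home network issues RAND and AUTN (the sequence number masked by the anonymity key AK, plus a MAC), the UE authenticates the network by checking the MAC and the freshness of the sequence number, and the serving network authenticates the UE by comparing RES with XRES. HMAC-SHA256 stands in for the MILENAGE f1-f5 functions, the session key is bound to the serving network name to mirror the key separation mentioned above, and all keys and constants are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed long-term subscriber key K (16 bytes): shared only by the USIM and
# the home network. AMF is the authentication management field carried in AUTN.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AMF = b"\x80\x00"
SQN_LEN = 6


def f(k, label, *parts, n=16):
    """HMAC-SHA256 stand-in for the MILENAGE f1..f5 functions (assumed, not 3GPP's)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class HomeNetwork:
    k: bytes
    sqn: int = 0                      # next sequence number to issue

    def auth_vector(self, serving_name):
        """Produce (RAND, AUTN, XRES, K_session) for one serving network."""
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        self.sqn += 1
        mac = f(self.k, b"f1", sqn, rand, AMF, n=8)      # proves the challenge came from HN
        xres = f(self.k, b"f2", rand, n=8)               # expected response from the UE
        ak = f(self.k, b"f5", rand, n=SQN_LEN)           # anonymity key hides SQN on the air
        ck, ik = f(self.k, b"f3", rand), f(self.k, b"f4", rand)
        autn = xor(sqn, ak) + AMF + mac
        # Key separation: the session key is bound to the serving network's name.
        return rand, autn, xres, f(ck + ik, b"KDF", serving_name)


@dataclass
class UserEquipment:
    k: bytes
    sqn_seen: int = -1                # highest SQN accepted so far (replay protection)

    def respond(self, rand, autn, serving_name):
        """Authenticate the network (MAC, fresh SQN) and return (RES, K_session)."""
        sqn_x, amf, mac = autn[:SQN_LEN], autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
        sqn = xor(sqn_x, f(self.k, b"f5", rand, n=SQN_LEN))
        if not hmac.compare_digest(mac, f(self.k, b"f1", sqn, rand, amf, n=8)):
            raise ValueError("MAC failure: network not authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_seen:
            raise ValueError("synchronisation failure: SQN not fresh (replayed challenge)")
        self.sqn_seen = sqn_int
        ck, ik = f(self.k, b"f3", rand), f(self.k, b"f4", rand)
        return f(self.k, b"f2", rand, n=8), f(ck + ik, b"KDF", serving_name)


def run_aka(hn, ue, serving_name=b"serving-network-A"):
    """One round: HN -> SN (vector); SN -> UE (RAND, AUTN); UE -> SN (RES); SN checks RES."""
    rand, autn, xres, k_sn = hn.auth_vector(serving_name)
    res, k_ue = ue.respond(rand, autn, serving_name)
    if not hmac.compare_digest(res, xres):
        raise ValueError("RES mismatch: subscriber not authenticated")
    return k_sn == k_ue, rand, autn


def accepts(ue, rand, autn, serving_name=b"serving-network-A"):
    """True if the UE accepts the challenge; False on MAC or sequence-number failure."""
    try:
        ue.respond(rand, autn, serving_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hn, ue = HomeNetwork(K), UserEquipment(K)
    ok, rand, autn = run_aka(hn, ue)
    print("mutual authentication, matching session keys:", ok)
    print("replayed challenge accepted:", accepts(ue, rand, autn))   # False
```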
Additionally, because the 5G network is IP-based, it will be vulnerable to all IP-specific vulnerabilities. Based on these findings, ensuring a high level of security and privacy will be one of the most crucial parts of deploying 5G networks successfully. Table 3 presents a comparative analysis of the security and privacy of 3G, 4G and 5G cellular networks.
Table 3. Comparative analysis of the security and privacy of 3G, 4G and 5G cellular networks (only one row survives in the extracted text: [28], in which long term evolution (LTE) jamming and spoofing mitigation strategies were investigated).

Schemes for Authentication in 4G and 5G Cellular Networks
We will compare authentication and privacy-preserving strategies for 4G and 5G cellular networks in terms of authentication and privacy models in this section. Figure 5 presents the classification of 4G and 5G cellular network authentication and privacy-preserving schemes.
Figure 5. Classification of 4G and 5G cellular network authentication and privacy-preserving schemes.

1. Three-factor authentication with privacy
Three-factor authentication with privacy falls into three categories: protocols based on smart cards, passwords, and biometrics. To address the research question of whether we can combine the three factors, according to [30], smart cards show what you have, passwords show what you know, and biometrics show who you are. To achieve good biometric privacy, the authors proposed a three-factor authentication approach. The server accepts only if each factor (password, smart card, and biometric data) passes authentication. Compared to the three-factor authentication techniques suggested in [30] and [31], the protocol presented in [30] uses less computation. According to the authors in [32], biometric systems fall into three categories: traditional [33], wearable (e.g., smartphone), and hybrid [34]. Regarding wearable biometrics and implantable medical devices, we refer the reader to both recent surveys [33].

2. Authentication and key agreement with privacy
The AKA protocol is a symmetric cryptography-based challenge-response system. With RFC 3310, the Universal Mobile Telecommunications System (UMTS) has implemented the 3GPP's AKA protocol, also known as the 3G standard [35]. Authors in [36], therefore, suggested an enhanced authentication and key agreement methodology based on public key cryptography. The protocol is vulnerable to a variety of attacks, including replay, man-in-the-middle, and denial-of-service (DoS) attacks [37]. The following question is: Is it truly required for the AKA protocol to conceal communication content from an external adversary? Authors in [38] developed a hybrid method based on LTE-AKA modifications that employs both symmetric and asymmetric key encryption to identify and avoid both insider and outsider threats.

3. Handover authentication with privacy
Existing handover authentication systems for LTE wireless networks can be categorized into three types depending on their cryptographic primitives: (1) symmetric key-based schemes, (2) public key-based schemes, and (3) hybrid techniques. There are two kinds of base stations in LTE wireless networks: home eNodeB (HeNB) and eNodeB (eNB). According to [39], the 3GPP project's proposed handover mechanism from an eNB/HeNB to a new eNB/HeNB cannot provide backward security. The authors specifically presented a handover authentication technique for LTE network mobility scenarios. The technique in [39] is based on the concept of proxy signature and provides various security features, including perfect forward and backward secrecy. Additionally, the approach in [39] is more efficient in terms of computational cost and communication overhead than the handover scheme in [40], although identity privacy is not considered.

4. Mutual authentication with privacy
To establish mutual authentication while maintaining privacy, suggested security systems for 4G/5G networks must maintain location privacy, identity privacy, data integrity, and authenticity, as illustrated in Figure 6. Authors in [41], on the other hand, introduced the IDM3G protocol for ensuring mutual authentication and identity privacy in 3G. The IDM3G protocol is divided into two phases: (1) authentication of the UMTS Subscriber Identity Module (USIM) by the provision of a personal identification number, and (2) mutual authentication between the USIM and the mobile operator. The IDM3G protocol is more efficient than both protocols in terms of the quantity of messages exchanged along the path [42], but location privacy is not addressed. In a similar vein to the IDM3G protocol, authors in [43] introduced the BIO3G protocol for safe and privacy-preserving biometric authentication in 3G mobile contexts. In comparison to the IDM3G protocol, the BIO3G protocol cannot withstand DoS attacks and does not consider location or identity privacy [41].

Deniable authentication with privacy
Deniable authentication differs from standard authentication in that the receiver can verify the message but cannot convince a third party of its origin [44]. Authors in [45] suggested a non-interactive authentication methodology to accomplish deniable authentication. The protocol in [45] is based on the shared session secret and the ElGamal signature scheme, and it not only considers the security issues proposed by [46], such as forgery, impersonation, deniability, and completeness, but it can also maintain security when the session secret has already been compromised. As a result, in cellular networks, the employment of message authentication codes (MACs) between two parties can provide deniable authentication. Authors in [47] defined an experimental protocol for the Internet community named EAP-PSK under RFC 4764, which provides less scalability and security. RFC 3748 [48] and RFC 2284 specify the Extensible Authentication Protocol (EAP), which is widely used in wireless networks.
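The contrast behind the MAC remark above, as an added example that is not the protocol of [45] or any cited scheme: a toy ElGamal signature (constructed parameters, far too small for real use) checks with the public key alone and so is transferable evidence, while a shared-key MAC is regenerated identically by the receiver, which is what makes it deniable. All function names and the sample message are assumptions.

```python
import hashlib
import hmac
import math
import secrets

# Toy ElGamal parameters, constructed for illustration only (far too small for real use).
P = 2_147_483_647   # the Mersenne prime 2^31 - 1
G = 7               # a primitive root modulo P


def _hash_int(message: bytes, modulus: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def elgamal_keygen():
    """Returns (private x, public y = G^x mod P)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def elgamal_sign(x, message):
    h = _hash_int(message, P - 1)
    while True:
        k = secrets.randbelow(P - 2) + 1
        if math.gcd(k, P - 1) == 1:     # k must be invertible modulo P - 1
            break
    r = pow(G, k, P)
    s = ((h - x * r) * pow(k, -1, P - 1)) % (P - 1)
    return r, s


def elgamal_verify(y, message, sig):
    """Anyone holding only the public key y can check G^h == y^r * r^s (mod P)."""
    r, s = sig
    if not 0 < r < P:
        return False
    h = _hash_int(message, P - 1)
    return pow(G, h, P) == (pow(y, r, P) * pow(r, s, P)) % P


def mac_tag(key, message):
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key, message, tag):
    return hmac.compare_digest(mac_tag(key, message), tag)


def compare_transferability(message=b"constructed: approve transfer 42"):
    """Signature: verifiable with the public key alone, so the receiver can show it to a
    third party.  MAC: the receiver holds the same session secret and regenerates an
    identical tag, so the tag proves nothing about who produced it (deniable)."""
    x, y = elgamal_keygen()
    sig_checks_with_public_key_only = elgamal_verify(y, message, elgamal_sign(x, message))
    key = secrets.token_bytes(32)            # session secret shared by sender and receiver
    senders_tag = mac_tag(key, message)
    return {
        "signature_transferable": sig_checks_with_public_key_only,
        "mac_verified_by_receiver": mac_verify(key, message, senders_tag),
        "receiver_reproduces_same_tag": mac_tag(key, message) == senders_tag,
    }
```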

Authentication and Privacy-Preserving Techniques Employ Countermeasures
Some important countermeasures employed by the authentication and privacy-preserving techniques for 4G and 5G cellular networks are described in this subsection. These defenses fall into three categories: cryptographic techniques, human factors, and intrusion detection techniques.

First, a physical unclonable function (PUF) is a gadget that takes advantage of intrinsic randomness produced during production to provide a unique 'fingerprint' or trust anchor for a physical entity [49]. These devices have a number of potential uses, ranging from anti-counterfeiting, identity, authentication, and key generation to advanced protocols such as oblivious transfer, key exchange, key renovation, and virtual proof of reality. Another possibility is to use PUFs, which are clone-proof, cost-effective, and resistant to a variety of physical attacks. A PUF takes advantage of the inherent random variations created by manufacturing processes to generate secret keys on the fly [49].
Second, physical-layer authentication (PLA), which is based on the dynamic nature of physical layer properties, is gaining traction as a viable method for increasing wireless security [50]. PLA has recently attracted considerable academic interest due to its information-theoretic security and simplicity. Accordingly, numerous academics have concentrated on PLA and its potential for increasing wireless security [51].

Results
Although many studies exist, the research gaps in multi-factor authentication remain open for different combinations. To fill this literature gap, we will further discuss the proposed combination of MFA authentication methods for mobile identity. Depending on the user's mobile phone capability, there are two proposed combination options: mobile phone SIM number with biometric fingerprint or SIM number with geo-location information. Both fingerprint and geo-location will be used as the encryption key to secure the transaction data.
In this study, we propose the use of biometric authentication, specifically fingerprint authentication, due to its unique criteria, which differ between each person. However, not every device can capture biometrics due to its own limitations. Considering the many types of mobile devices, some of which may lack a biometric recognition module, we take into account geo-location identification, as every mobile device has its own built-in GPS module.
The strong side of geo-location authentication is that most impersonation attempts are made outside the user's area, and some are even made outside the user's country. At present, limiting the geo-location transaction source is performed on the IP level. However, there are some scenarios where the restriction brings trouble to the legitimate user. For example, some countries have used geo-location to restrict the use of the internet due to internal reasons such as riots. During this time, the internet connection for the whole country was shut down. This led to some civilians trying to reach the internet using a VPN service provider, and their IPs changed to external IPs, which ended up being blocked by the system. Due to this, GPS geo-location sounds a bit promising to counter the issue. Now, back to the proposed authentication. Referring to Figure 7, the authentication system design should require a SIM number representing the user's identity, International Mobile Equipment Identity (IMEI), first and second fingerprints and initial geo-location during registration, and the user's information to create an account. Considering the biometric impacts shown in Table 1, a second fingerprint is needed as a backup authentication key upon authentication failure.
Once an account is created, the user can perform the transaction on any platform that is connected to the authentication server (AS). Whenever the user initiates a transaction that requires authentication, the system will first identify whether the user's mobile device can capture the fingerprint or not. If the fingerprint capture module is present on the phone, then the SIM number and fingerprint will be used for authentication. However, if not, the combination of SIM number and geo-location will be used instead. Figure 8 shows the flow for the authentication.
The user will need to provide the fingerprint upon authentication for a device that supports fingerprints. The fingerprint will be sent with the SIM number to the AS for verification. Once authorized, the AS will issue an encrypted token used to validate the transaction. The online application server will use the token and cross-check with the AS for verification. However, if the fingerprint authentication fails, the user may use the second fingerprint to replace the failed one.
On mobile devices that do not support biometric recognition, the user will need to validate their geo-location. Once validated, the SIM number, device IMEI and the validated location will be sent to the AS for verification. The AS will cross-check whether the provided mobile number and IMEI are identical to the record, and whether the provided location matches the GPS location or registered location or lies within a nearby radius. If either SIM number and IMEI, or SIM number and geo-location, are correct, the user will then be authorized and receive the token. The authentication flow for these combinations is expressed in Figure 9.
A more systematic and theoretical analysis is required to make this authentication method clearer and more realistic. The system will start by executing a biometric module check on the device. As an example for the Android operating system, the Java class android.hardware.biometrics.BiometricManager can be used to check the availability of biometric devices [52]:
Or in iOS using [53]:
var biometryType: LABiometryType {get}
These code lines are samples for common smartphone types used nowadays. Other types will have their own code functions for serving the same purpose. As a result, once it has confirmed whether a biometric reader exists, the authentication system can now proceed with the subsequent flow, which is to check the SIM number for a mobile device with fingerprint recognition or the SIM number with IMEI extraction for devices that are not supported.

Mobile Device with Fingerprint Recognition
In devices with fingerprint modules, the authentication system will require specific privileges and entitlements before extracting the SIM details. These can be obtained during the registration of the user identity account on the AS. Subject to certain conditions, these library calls can be used to extract the SIM details on such devices: on Android [54], public String getSubscriberId (), and on iOS, CFStringRef CTSIMSupportCopyMobileSubscriberIdentity(CFAllocatorRef allocator);.
The following steps of the authentication system are to obtain the fingerprint [55]. An asymmetric encryption method is used where the user scans the fingerprint, and it will be used as an encryption key for the transaction details and to receive a token from AS. It is then sent to the application server for verification. The application server will check the validity of the token with the SIM number and proceed to complete the transaction once AS has verified the user identity.

Mobile Device without Fingerprint Recognition
Like the earlier condition in the previous section, the devices without fingerprint modules also require specific privileges but use different code libraries for extracting the SIM number and IMEI depending on the mobile device type. Once the SIM number and IMEI are successfully recorded, then geo-location will be obtained using the mobile device's GPS receiver.
The captured GPS location will be compared to the initial location defined in the AS, and if identical or within an accepted radius, the token will be issued. However, if the location is outside the accepted range, the user will be required to verify the GPS location manually from a registered device. Once verified, the transaction details and received token from AS will be encrypted using the initially defined geo-location before moving to the application server. The application server will check the validity of the token with the SIM number and IMEI, then proceed to complete the transaction once AS has verified the user identity.
The difference in geo-location captured by GPS will be recorded and analyzed by AS from time to time. The new location will also be whitelisted, allowing for future authentication within acceptable frequency and occurrence. This will reduce the number of user interventions required for authentication.
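The AS decision logic of the two paths described above (Figures 8 and 9), as an added Python example that is not the paper's own code: device capability selects the SIM + fingerprint path or the SIM + IMEI + geo-location path, a backup fingerprint is accepted, a location inside an accepted radius of any whitelisted location passes, and a manually verified new location is whitelisted for later use. The 500 m radius, the token format (an HMAC over SIM and timestamp rather than the paper's encryption), the exact-hash fingerprint match, and all record and function names are assumptions; the geo path here takes the stricter reading that both IMEI and location must match.

```python
import hashlib
import hmac
import math
import time

ACCEPTED_RADIUS_M = 500.0            # assumed acceptance radius around a whitelisted location
TOKEN_MAX_AGE_S = 300                # assumed token lifetime
AS_KEY = b"constructed-demo-key"     # constructed; a real AS keeps this in an HSM or KMS


def _h(template: str) -> str:
    # Simplification: a real system matches fingerprint templates fuzzily inside a
    # secure enclave; here a template is an opaque string and matching is an exact hash.
    return hashlib.sha256(template.encode()).hexdigest()


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def register(sim, imei, fp1, fp2, home):
    """Registration record: SIM, IMEI, two fingerprints (second is the backup), initial location."""
    return {"sim": sim, "imei": imei, "fps": {_h(fp1), _h(fp2)}, "locations": [home]}


def issue_token(sim, ts=None):
    """AS token bound to the SIM number and a timestamp."""
    ts = int(time.time() if ts is None else ts)
    tag = hmac.new(AS_KEY, f"{sim}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{sim}:{ts}:{tag}"


def verify_token(token, sim, now=None):
    """Application-server side: cross-check the token against the SIM number and its age."""
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != sim or not parts[1].isdigit():
        return False
    expected = hmac.new(AS_KEY, f"{parts[0]}:{parts[1]}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(parts[2], expected):
        return False
    now = time.time() if now is None else now
    return 0 <= now - int(parts[1]) <= TOKEN_MAX_AGE_S


def authenticate(record, req):
    """Fingerprint path if the device has a reader, otherwise SIM + IMEI + geo-location."""
    if req.get("sim") != record["sim"]:
        return None, "sim mismatch"
    if req.get("has_fingerprint_reader"):
        fp = req.get("fingerprint")
        if fp is not None and _h(fp) in record["fps"]:      # first or backup fingerprint
            return issue_token(record["sim"]), "fingerprint ok"
        return None, "fingerprint rejected"
    if req.get("imei") != record["imei"]:
        return None, "imei mismatch"
    loc = req.get("location")
    if loc is None:
        return None, "location required"
    for known in record["locations"]:
        if haversine_m(*loc, *known) <= ACCEPTED_RADIUS_M:
            return issue_token(record["sim"]), "location ok"
    if req.get("manually_verified"):
        record["locations"].append(loc)                      # whitelist the new location
        return issue_token(record["sim"]), "location verified and whitelisted"
    return None, "location outside accepted radius; manual verification required"
```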

Challenges
Many challenges and open issues need to be addressed in securing mobile identity authentication. It is essential because mobile identity represents us in the virtual world of transactions. This will probably be the only identity recognition that we will use in all daily activities. Any discrepancy in security will cause severe damage to many parties. We have highlighted the challenges and open issues related to mobile identity in the subsection below.

Different Policies and Regulations
Different policies and regulations related to mobile identity are in use in different countries. Due to the differences, there is no global standard, and it is hard to standardize the mobile identity authentication requirements. There are also different organizations developing different mobile identity infrastructures. Hence, the coverage of a mobile identity system is hard to expand beyond boundaries due to this limitation.
This issue can only be addressed if there is a mobile identity base system capable of integrating multiple mobile identity providers into a single platform. Alternatively, it can be a single software with multiple customizable modules, which can be configured with different required settings such as the Systems Applications and Products (SAP).

High-End Devices
The authentication method that was presented in this study requires a high-end device that supports biometric recognition. However, there are still many low-end devices in widespread use. Even if all the devices support the GPS authentication method, it may expose them to location spoofing.
The minimum requirement for this authentication method is that mobile devices with GPS support an anti-spoofing module, such as the Selective Availability Anti-Spoofing Module (SAASM). On the other hand, we believe that devices supporting both biometric recognition and anti-spoofing geo-location modules will become available soon.

Changes in User's Information
The mobile identity is tied to the SIM number. We frequently hear that people keep changing their SIM number, as well as having multiple SIM cards and shared SIMs. This is quite troublesome in maintaining the integrity of the identity, especially when recycling mobile numbers is also widespread and still growing. The challenge is to make information change convenient at the consumer end. The harder it becomes, the less the public will be involved in registering for mobile identity. This limits the expansion potential of the mobile identity system.
To overcome this issue, the user identity cannot be tied to a mobile number, also known as a Mobile Station International Subscriber Directory Number (MSISDN). It may instead be identified using the MSISDN account number, which is only known by the customer and the service provider. The account number may act as the physical identity card number and will be permanently assigned to the user. So, the mobile identity system, instead of using an MSISDN number, should register the user using the user's service provider account number. In this case, changing or having multiple SIMs should not be an issue.

Conclusions
In this paper, we attempted to present the combination of multi-factor authentication that requires less user intervention. Due to security concerns, we introduced the asymmetric encryption protocol where the user's input itself is used as the encryption key. The PKI concept was used but without the requirement to engage certificate authority (CA), thus involving less cost.
As mentioned earlier in this study, due to the uniqueness of fingerprints for identifying the user and the accuracy of using GPS for location identification, fingerprint authentication and geo-location identification can be used to correctly authenticate the user, as these methods are unique and affordable to implement. We can see from all advertisements that mobile phones nowadays do have hardware support for both types of authentication. Having a dedicated server for authentication of mobile user identities will ease transaction validation and reduce the possible threats. The way mobile identity works is somewhat similar to a computer's single sign-on (SSO) scheme, where the number of attempts by users to validate themselves is reduced because all authentications are performed through the server.
However, the challenges and limitations of different policies and regulations, high-end device requirements, and the changeability of user information need to be addressed to make this authentication method more convenient, secure, and reliable for representing the user in the virtual world. Mobile identity is for more than simply providing access. Security is also an important consideration.