A Systematic Literature Review of the Types of Authentication Safety Practices among Internet Users

The authentication system is one of the most important methods for maintaining information security in smart devices. There are many authentication methods, such as password authentication, biometric authentication, signature authentication, and so on, to protect cloud users’ data. However, online information is not yet effectively authenticated. The purpose of this systematic literature review is to examine the current types of authentication methods used as safety practices for information security among Internet users. The PRISMA method was adopted to present a systematic literature review of 28 articles from three main databases (20 articles from Scopus, one article from Google Scholar, and seven articles from Dimension). This study used the Prediction Study Risk of Bias Assessment Tool to appraise the quality of the included studies. From the findings of the study, a total of three main themes were identified: password authentication, biometric authentication, and multiple-factor authentication. Multiple-factor authentication was found to be the most secure and most frequently recommended authentication method. It is highly recommended to implement three-factor authentication and a multi-biometric model in the future, as it provides a higher surveillance level in terms of information security among cloud computing users.

Keywords—Password authentication; biometric authentication; multi-factor authentication; information security; safety practices


I. INTRODUCTION
Smart telecommunication devices have become a fundamental element in most of our lives, and for many have become a trusted companion. It is where we store almost all our data and information. However, in Malaysia, the statistics for denial of service, malicious attacks, intrusion, and fraud indicated 6898 cases in 2016, 6686 cases in 2017, 7993 cases in 2018, 9890 cases in 2019, and 9646 cases in 2020 respectively [1]. The statistics show that information security incident reports increased from 2017 through 2019 and decreased slightly in 2020. The expanding number of smart devices and increasing availability of Internet access have changed the lives of many individuals. People began to use the Internet for different purposes, such as obtaining information, communicating, banking, entertainment, and many more [2].
The Internet also plays an important role as a teaching aid in universities [3]. Cloud computing allows users to save data online and access it from anywhere at any time via an Internet connection, instead of using a hard drive or other storage devices [4]. The development of cloud storage, however, has its own negative aspects, such as information security attacks. Data transmittal in the cloud environment can require a huge amount of bandwidth, which may allow hackers to retrieve the information [5], and insufficient authentication is the cause of information attacks in cloud computing [6]. Data transparency and unauthorized information usage are the reasons behind these attacks [7]. With safe Internet usage awareness, being vulnerable to cyber threats and becoming a cyber victim can be avoided [8].
Authentication is a method for estimating the level of trust one can have that the source of information is who it is stated to be [9]. The authentication process happens when information is entered into the login system with a database. Then, the system checks whether the information entered matches the database information. If it matches, the user can access the system [10]. Social environment factors such as parents, friends, work colleagues, social media, and government policies play a vital role in educating Internet users about cybersecurity [11]. The public and organizations have to realize that cybercrime is highly risky, and that they have to take safety precautions to protect their information from being shared online [12]. An effective way to protect storage and authorization of data in the cloud environment is by having appropriate authentication [13]. The general objective of this study is to examine the authentication methods used as a safety-enhancing practice for information security among Internet users. This study will benefit Internet users by acknowledging that authentication plays an important role in enhancing the cloud environment. The higher demand for the Internet of Things (IoT) justifies the usefulness of safe authentication methods. Further, a research gap was noticed in the types of authentication used in the last five years. Hence, this paper intends to develop a systematic literature review by focusing on the types of authentication used in the last five years.
II. METHOD
Using a systematic literature review, an exhaustive exploration of the research topic was made to provide an objective summary of current studies related to the research topic. A systematic literature review is described as qualitatively and quantitatively identifying, merging, and assessing all available data to produce results related to a specific research question [14]. It is also a study to analyse research problems by recognizing, evaluating, and integrating results of all related studies acknowledging one or more research objectives [15]. The Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) method was used to study authentication methods as a safety practice for information security among Internet users. Studies related to the authentication method for the 5 years from 2016 through 2020 were reviewed. Figure 1 displays the flow diagram of this systematic review process.

A. Systematic Review Process
The systematic review process can be classified into three stages which are identification, screening and included [36]. This process is in accordance with PRISMA 2020 Flow Diagram (as shown in Figure 1).

B. Identification
The systematic review process can be categorized into three stages. The first is the identification of keywords of a specific study, a process to enrich keywords in a search string. Keyword searching related to this study was based on synonym searching in thesauruses, dictionaries, and past research. Sa'di et al. [16] found that, in Merriam Webster's dictionary, "authentic" means "original, actual, or truthful" as well as "true" (http://www.merriamwebster.com/dictionary/authentic). However, in this study, the theme was mostly about the types of authentications. "Authentication" is defined as "verification" and "certification" in the thesaurus. The dictionary also defines authentication as verification, certification, and validation.
The terms "certification" and "validation" were removed from the search string as use of these terms did not return the expected theme of study from the databases. The search strategy was developed in March 2021, as shown in Table 1 below. This process retrieved a total of 740 papers (473 from Scopus, six from Google Scholar and 261 from Dimension). Before moving to the screening process, 194 duplicate papers obtained from all three main databases were manually removed (as shown in Figure 1).

C. Screening
The second stage of the systematic review is screening. From the three main databases, a total of 546 papers were screened based on inclusion and exclusion criteria as determined by the researchers (Scopus = 466 papers; Google Scholar = 6 papers; Dimension = 74 papers; as shown in Table 1). The first criterion was that the timeline of this review was only focused on papers published during a five-year period from 2016 to 2020. Second, only research articles in journals were included. Then, only articles published in the fields of computer science and social science were retrieved. In addition, only articles that had reached final publication stage were reviewed in this study. Last, only English-language articles were included. A total of 470 articles were excluded based on the inclusion and exclusion criteria (as shown in Table 2).
Seventy-six articles were retrieved from the inclusion and exclusion criteria process. All 76 articles were successfully moved into the next stage of the screening process, eligibility. Eligibility is a manual process of document exclusion, the purpose of which is to filter the articles based on their respective abstract, method, results, or findings section to ensure that the articles match the objective of the systematic review. A total of 48 articles were excluded in this process because their contents were mostly about pure engineering and science that did not address the objective of this review.

D. Inclusion
A total of 28 articles were eligible for inclusion in this systematic review [17-44].

E. Selection and Data Collection
The main review process in this paper consisted of coding the themes, known as thematic analysis. A panel of five researchers from the field of cybersecurity analysed the selected articles one by one. They independently reviewed titles and abstracts of 76 screened articles and discussed all the inconsistencies found. The themes were then generated by the panel for validation, individually and in pairs. This is to ensure that there is no bias toward the themes discussed. The themes were then double-checked and renamed, if necessary, after several discussions among the panel of researchers. The researchers came up with several themes once the article reviewing process was completed. This process was repeated three times before the themes were finalized. The panel later auto-generated a standardized data extraction form to abstract the characteristics of a study, which included type of authentication, research objectives, research design, findings, contribution, and limitation. Reviewers worked independently and simultaneously to extract article data. Data extraction was completed only when conflicts of idea were resolved, and reviewers were assured that their view of the topic was neutral.

Database: Keywords and Search String

Scopus
TITLE-ABS-KEY (("password authentication" OR "two factor authentication" OR "multi-factor authentication" OR "token authentication" OR "biometric authentication" OR "transaction authentication" OR "computer recognition authentication" OR "single sign-on authentication" OR "email authentication" OR "laptop recognition authentication" OR "gadget recognition authentication" OR "fingerprint authentication" OR "fac* authentication" OR "device authentication" OR "mobile authentication" OR "android authentication" OR "ios authentication" OR "password verification" OR "two-factor verification" OR "multi-factor verification" OR "token verification" OR "biometric verification" OR "transaction verification" OR "computer recognition verification" OR "single sign-on verification" OR "email verification" OR "laptop recognition verification" OR "gadget recognition verification" OR "fingerprint verification" OR "fac* verification" OR "device verification" OR "mobile verification" OR "android verification" OR "ios verification") AND ("information security" OR " information protection" OR "information safety" OR "data security" OR "data protection" OR "data safety"))

Google Scholar
Phase 1: allintitle: "authentication" OR "verification", "security" Phase 2: allintitle: "password authentication" OR "two factor authentication" OR "multi-factor authentication" OR "token authentication" OR "biometric authentication" OR "transaction authentication" OR "computer recognition authentication" OR "single sign-on authentication" OR "email authentication" OR "laptop recognition authentication" OR "gadget recognition authentication" OR "fingerprint authentication" OR "facial authentication" OR "device authentication" OR "mobile authentication" OR "android authentication" OR "ios authentication" OR "password verification" OR "two-factor verification" OR "multi-factor verification" OR "token verification" OR "biometric verification" OR "transaction verification" OR "computer recognition verification" OR "single sign-on verification" OR "email verification" OR "laptop recognition verification" OR "gadget recognition verification" OR "fingerprint verification" OR "facial verification" OR "device verification" OR "mobile verification" OR "android verification" OR "ios verification" "information security" OR " information protection" OR "information safety" OR "data security" OR "data protection" OR "data safety"

Dimension
Phase 1: ("authentication" OR "verification") AND (security) Phase 2: ("password authentication" OR "two factor authentication" OR "multi-factor authentication" OR "token authentication" OR "biometric authentication" OR "transaction authentication" OR "computer recognition authentication" OR "single sign-on authentication" OR "email authentication" OR "laptop recognition authentication" OR "gadget recognition authentication" OR "fingerprint authentication" OR "facial authentication" OR "device authentication" OR "mobile authentication" OR "android authentication" OR "ios authentication" OR "password verification" OR "two-factor verification" OR "multi-factor verification" OR "token verification" OR "biometric verification" OR "transaction verification" OR "computer recognition verification" OR "single sign-on verification" OR "email verification" OR "laptop recognition verification" OR "gadget recognition verification" OR "fingerprint verification" OR "facial verification" OR "device verification" OR "mobile verification" OR "android verification") AND ("information security" OR " information protection" OR "information safety" OR "data security" OR "data protection" OR "data safety")

F. Quality Appraisal
The present study used the Prediction Study Risk of Bias Assessment Tool (PROBAST) to appraise the quality of the included articles. Based on PROBAST, five experts in this research group assessed the risk of bias by means of 22 multiple-choice questions with the responses No (N), Yes (Y), Unclear (U), and Not Applicable (X). The answer of "Y" for each signalling question was assigned 1 point, and that of "N," "U," or "X" was assigned 0 points. The total score ranged from 0 to 22. The five reviewers gave an overall score for each included study. An average score of 0-7 for each article is considered low quality, 8-14 is considered medium quality, and 15-22 is considered high quality [46] [47]. All 28 articles were retained in the final review, as they met the standard of medium quality.

G. Data Analytic Strategy (Synthesis Methods)
Twenty-eight articles were reviewed, evaluated, and analysed after the eligibility process in this study. The search was thoroughly done according to the objective of this review, which is to study the current types of authentication methods as safe practice for information security among Internet users. The studies were classified into relevant themes by using qualitative synthesis. This was done by reading the title, abstract, and keywords of each study. Furthermore, a thematic analysis was performed to classify themes related to type of authentication method. Through an article review process, relevant groups were identified. Finally, a total of three main themes including password authentication, biometric authentication, and multifactor authentication methods emerged. Password-based methods were grouped into textual and graphical authentication. Biometric methods were classified into fingerprint, facial, retina or iris, voice, and digital signature authentication. Several review processes were done by the authors to finalize the themes and sub-themes.

A. Types of Authentication
Based on the analysis, this section discusses types of authentications, such as password authentication (textual and graphical authentication), biometric authentication (fingerprint, facial, retina, voice, and digital signature), and multifactor authentication.

 Password authentication
Passwords have been used to protect online information since the early existence of the Internet. Passwords often do not expire, and users tend to use the same password for a long period, which leads to cyberattacks [53]. Passwords are one of the most significant risk factors because they are vulnerable to threats and attacks. Thus, a well-formulated and structured password should be "easy to remember but hard to hack" [54]. In this paper, the review has found two sub-themes under password authentication: textual and graphical. [42]. Furthermore, textual password authentication was studied by Akingbade [4]. Their study aimed to construct a protected login interface that could avoid cybersecurity attacks by using 6 × 6 sized alphanumeric characters. The keyboard used in this experimental study was divided into letters, numbers, and symbols. Besides, users were allowed to select different password lengths and different characters according to their preference. In fact, the textual password method has been used in traditional bank environments, such as keying in the six-digit ATM personal identification number (PIN) [17]. Another experimental study, which involved two groups (a control group and an experimental group), aimed to enhance the security of text-based passwords and to examine the effectiveness of creating a text-based password [43]. It was found that the experimental group experienced a more successful method of creating strong passwords that were also easy to remember. Another study, using a qualitative methodology, aimed to understand the practice of mobile authentication users' security awareness [41]. Twenty mobile device users made up the sample study, 19 of whom were aware of risk management in authentication. Additionally, dynamic password technology, also known as One-Time Password (OTP), was used in [38]. Each password is generated using the current time and can be used only once, based on the function of the SM3 Hash Algorithm. This proposed scheme can be further improved to enhance network security. Moreover, multifactor authentication was applied by using textual password authentication from server to user, then from user to server [36]. This approach provides users with anonymous identity, mutual authentication, surveillance against cyberattacks, and session key compliance in a multi-server environment.
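The time-based, single-use password described above can be sketched as follows. This is an added example, not code from the reviewed study [38]: it follows the RFC 6238 construction with HMAC-SHA-256 standing in for the SM3-based function (SM3 availability in Python's hashlib depends on the OpenSSL build), and the 30-second step, the drift window, and the names `totp` and `OtpVerifier` are assumptions.

```python
"""Time-based one-time password with single-use enforcement (added example)."""
import hmac
import struct

# Assumptions, not taken from the reviewed scheme: a 30-second time step,
# HMAC-SHA-256 in place of SM3, and RFC 4226 dynamic truncation.
STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, digits: int = 6,
         digest: str = "sha256", step: int = STEP_SECONDS) -> str:
    """Derive the password for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: accepts a code at most once and tolerates clock drift."""

    def __init__(self, secret: bytes, digits: int = 6,
                 drift_steps: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.digits = digits
        self.drift_steps = drift_steps
        self.step = step
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        first = max(0, current - self.drift_steps)
        for counter in range(first, current + self.drift_steps + 1):
            if counter <= self.last_used_step:
                continue  # this step (or a later one) was already used: replay
            expected = totp(self.secret, counter * self.step,
                            self.digits, step=self.step)
            # Constant-time comparison avoids leaking matching prefixes.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_used_step = counter
                return True
        return False


def demo() -> list:
    """Run three checks against a constructed key and timestamp."""
    secret = b"constructed-demo-secret-not-real"  # constructed sample key
    now = 1_700_000_000                           # constructed timestamp
    verifier = OtpVerifier(secret, digits=8)
    code = totp(secret, now, digits=8)
    return [
        verifier.verify(code, now),        # fresh code is accepted
        verifier.verify(code, now + 5),    # same code again is a replay
        verifier.verify("abcdefgh", now),  # malformed input is rejected
    ]


if __name__ == "__main__":
    print(demo())
```

Tracking the last consumed time step is what makes the password single-use; without it, a code observed in transit stays valid until its time window closes.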
2) Graphical password authentication: Graphical password authentication is more difficult to circumvent than biometric authentication, is more user-friendly, has easy-to-remember passwords, and provides high-level security [34] [55]. The image-based authentication system is the main type of graphical password authentication [56]. This authentication method is based on recognition and recall approaches. Although this authentication method is highly secure, the ability to remember the password plays an important role. Songcuan et al. used graphical password authentication in an experimental study measuring students' memory ability, speed of registration, and speed of authentication [39]. The results recorded 100% successful password memory in the first session and 90.90% in the second session. There is a decrease in memory percentage because the second session took place after two weeks of delay. Hence, these findings prove that memorability plays a huge role in this type of authentication. A survey on graphical password authentication using images as passwords was conducted [22] and found that the memorability of graphical passwords was better than that of textual passwords. The authors noted that graphical password technology was still immature; hence more research is needed to achieve a higher level of usefulness.

 Biometric authentication
The security of biometric identification depends on body patterns such as fingerprints or facial features [57]. This type of authentication has the uniqueness derived from a human body [58]. Biometric authentication has been increasingly used as it provides a more secure process of identifying users [44]. Biometric authentication methods are more likely to be convenient, secure, and strong compared with traditional authentication methods [59]. This section discusses fingerprint, facial feature, retina/iris, voice, and digital signature authentication.

3) Fingerprint authentication: In the protocol proposed by Zhu et al. [44], the first two modules of this scheme can be classified into enrolment and authentication phases. These two phases enable data to be protected better than in a one-step login phase and provide higher resistance against some possible threats. Moreover, ArunPrakash et al. [20] said that personal data stored in cloud computing can be protected because authentication can be completed only when the fingerprint encryption matches the enrolment phase data. This way, it is impossible for any harmful cyber threats to occur. Besides, an efficient and privacy-preserving biometric identification outsourcing scheme was proposed for mobile banking application users [31]. This study suggested using a multibiometric system for a more significant variability.

4) Facial authentication: Musambo and Phiri [29] have proposed a facial authentication scheme for university students. It was found that the system only obtained a 66% detection rate. This was due to the lighting conditions when the images were captured and the complexion of the students' faces. Another researcher also proposed a facial authentication scheme to be used in online banking services [18]. The proposed scheme can deny access for unauthorized usage and determines ways to identify different testing images. Ten different images were taken from the same user. The results of authentication accuracy were 97.50% from the first image. In the second image, a result of 100% successful authentication was achieved.

5) Iris/Retina authentication: Retina authentication provides unique biometric structure, shape, and specified image specification, and it has one of the longest lifespans of biometric data. A user who authenticates by this method even with glasses or contact lenses will still be able to effectively use this process. However, this authentication method may not be well received by cloud computing users. This is because this form of authentication has not been widely practiced and is expensive [29]. A multifactor authentication combining fingerprint and iris was formulated [24]. They used a qualitative methodology to enhance the authenticating system for cloud computing users by using finger vein and iris authentication. Their results showed that the finger vein's biometric template cannot be duplicated; hence, this methodology can strengthen security systems compared with other authentication methods.

6) Voice authentication: Voice authentication is a conversion of a human voice into an electrical signal that can be digitally coded to recognize a user from the coded voice data [60]. People usually speak faster than they write; hence, voice authentication can be considered a time-preserving method. Memon [28] proposed a multifactor biometric authentication including fingerprint, face, and voice for smartphone users. He found that this biometric used in smartphones is more robust and secure compared with single-layered biometric. Additionally, Trysnyuk et al. [40] proposed a voice message identification method to improve the standard password authentication. It was found that the security of this method can be enhanced by applying another layer of password or biometric authentication.

7) Digital signature authentication: Digital signature is a behavioral biometric which has a high acceptance rate and ease in data collection [28]. Digital signature is less cumbersome compared with handwritten signature. It was suggested that a multifactor authentication model was used based on digital signature and password [25]. However, this study found the scheme can only be applied for a small proportion of users. In addition, digital signature was also implemented in a health care system with fingerprint verification [19]. As proposed, the signature verification process has several steps. The main purpose of this signature authentication is to protect patients' health records and to avoid misplacing of their personal data. It was found that the patient's information was highly secured as it increases the system performance rate compared to single-factor authentication. Moreover, combining password, iris verification, and digital signature in an authentication scheme is needed to secure health care records [35]. This scheme comprises a key generation stage and a signature encryption stage. The key generation stage creates random number combinations to be used as a private key. Iris features are used because of the clear-cut texture of the cornea. The results of this study show that the multifactor authentication method provides security and confidentiality to health care records. The authors suggested the use of hybrid technologies in the future to enhance health care data security.
 Multiple-factor authentication
Multiple-factor authentication involves two or more phases of authentication and is widely used because it increases the mechanism of data protection compared with single-factor authentication. The authors in [27] [37] used two-factor authentication in their proposed scheme combining password verification and fingerprint authentication. Password identification comprises OTP and a secret question, whereas fingerprint authentication is required as a second factor to verify the user's identity. The system will accept or reject authentication based on the fingerprint received during each authentication process. Besides, a scheme using two-factor authentication for the password change process is also proposed [36]. This verification process is two-way: server to user and user to server. This two-way authentication gives a protected multi-server environment. Another researcher proposed a three-factor authentication (3FA) scheme to be used in a mobile banking environment among 200 Android users [37]. The OTP received must be typed correctly in the provided field and biometric authentication is then used to activate the account with fingerprint access. The authors found that two-factor authentication makes a cloud environment more robust. The concept of mutual authentication scheme key agreement in a single-server environment has been implemented to improve the security [33] [61]. Qi and Chen [32] then introduced an approach through implementation of BAN logic. This project aimed to provide a new method based on mutual authentication that allows use of the same session key. Both studies involve multifactor authentication of fingerprint and textual authentication. Furthermore, Reshma and Shivaprasad [34] combined textual and graphical authentication to provide a better authentication system for cloud computing users and to avoid data breaches.
Besides, Balaji and Saravanakumar [21] presented a biometric method using thirty different fingerprints with eight different repetitions along with textual authentication. The results show that the scheme reduces false rejection rate and false acceptance rate.
Then, Yellamma et al. [42] proposed a biometric scheme with registration and verification processes by designing a new coding rule to prevent hackers from attacking the cloud environment. The findings show that the scheme provides higher security from malicious attacks. Moreover, Patel et al. [30] suggested an authentication model consisting of fingerprint, facial, PIN, and OTP. The results of the study were disrupted due to the delay in receiving the OTP. This study later suggested improving the method of biometric collection for future studies and the availability of mobile network to effectively receive the OTP. Additionally, Sathishkumar et al. [23] designed an authentication model for online voting. The authentication model involves fingerprint, facial, and OTP. The advantages of using this proposed voting framework are that the frequency of voting is higher but fewer personnel are required. It is hoped to facilitate a fairer voting system that allows more people to practice their voting rights. Besides, Qi and Chen [33] proposed an authentication consisting of palm print, four-digit user password, and OTP. The results show that this method functions well and provides a lower false rejection ratio. The study aims to work more on the combination of multi-biometric scheme.

V. CONCLUSION
Based on the discussion above, the summary of the types of authentications reviewed in this paper is presented below (as shown in Figure 3). Previously, much of the authentication was created based on traditional passwords, i.e., textual passwords. With the advances in technology, a value can be added to the password authentication by using biometric data, which led to multifactor authentication and a more secure cloud environment. Thus, with the multilayer authentication, it is difficult for hackers to attack the system, especially related to the use of passwords. Further, more awareness on authentication is needed among Internet users to help create a secure online environment. In future, different biometric authentication methods can be combined for greater key encryption, which improves information security. Biometric authentication should also be used whenever there is a need for higher security. OTP can be used to increase surveillance and safety templates, as it changes on the device with each use. In addition, information security awareness should be taught to users so that they know how to safely access the Internet. Future research should combine authentication methods in large-scale studies and increase the sample size for better results. It is also recommended that future studies evolve in a multi-server environment. This systematic review also concluded that no study was done to examine the types of authentication methods being used in Malaysia among Internet users. Most of the studies were found to be in India, China, countries from the Middle East, and Europe. Research about authentication methods used in Malaysia is highly recommended. This is because Malaysia is one of the leading communication technology countries, with almost 89% of its population, which is equivalent to 25.4 million Internet users. Future research can propose a secure authentication scheme according to the suitability of subjects of study.
We hope this study can provide cloud users with increased awareness of the types and importance of authentication.