A privacy-preserving framework for continuous mobile authentication using digital twins and multimodal biometrics


Abstract

Background. One-time mobile authentication remains vulnerable to post-login compromise. Biometric templates, once exposed, cannot be revoked. Continuous authentication that models user behavior and physiology over time can raise security, but it must preserve privacy and resist spoofing and replay.

Methods. We propose a layered framework centered on a user's Digital Twin built from continuous, multimodal signals gathered passively from a smartphone and a companion wearable. The pipeline includes sensor ingestion, feature extraction, adaptive DT modeling per modality, context-aware fusion into a unified confidence score, and a decision module for seamless access, step-up challenges, or lockout. Privacy is enforced through template encryption, hardware-backed secure storage, and the use of zero-knowledge proofs and homomorphic encryption for verifications involving remote services.

Results. We conduct a theoretical security evaluation using the STRIDE methodology. The analysis maps threats such as spoofing, tampering, information disclosure, denial of service, and elevation of privilege to architectural mitigations, including multimodal liveness, secure enclaves for DT parameters, encrypted storage and transit, adaptive sensing, and fail-safe locks on precipitous confidence drops. A worked example illustrates how confidence responds to legitimate and illegitimate use and how the DT adapts during high-confidence sessions.

Discussion. The framework aims to balance the usability-security-privacy trilemma by achieving passive, high-fidelity verification while constraining data exposure through cryptographic protocols. We discuss deployment considerations such as energy management, computational overhead of cryptography, inclusivity and bias, and regulatory and ethical expectations in healthcare contexts, including consent and transparency. Limitations include the absence of empirical validation, reliance on secure hardware and wearables, and the need for dedicated adversarial ML defenses.
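The decision module described in the Methods and Results (fusion of per-modality scores into one confidence value, seamless access versus step-up versus lockout, a fail-safe lock on a precipitous confidence drop, and twin adaptation only during high-confidence sessions) as a small added illustration; this is not the paper's implementation, and the thresholds, modality weights, modality names and feature vectors are constructed assumptions.

```python
from dataclasses import dataclass
# Constructed policy values (assumptions for this illustration, not the paper's):
ALLOW, STEP_UP = 0.75, 0.45  # fused >= ALLOW: seamless access; >= STEP_UP: challenge; else lock
MAX_DROP, ADAPT_MIN = 0.35, 0.85  # fail-safe drop threshold; minimum confidence for adaptation

@dataclass
class ModalityTwin:
    """Toy per-modality digital twin: a running mean of a normalized feature vector."""
    mean: list
    alpha: float = 0.1  # adaptation rate
    def score(self, obs):
        dist = sum((m - o) ** 2 for m, o in zip(self.mean, obs)) ** 0.5
        return max(0.0, 1.0 - dist)  # similarity in [0, 1]; 1.0 on an exact match
    def adapt(self, obs):
        self.mean = [(1 - self.alpha) * m + self.alpha * o for m, o in zip(self.mean, obs)]

class ContinuousAuthenticator:
    def __init__(self, twins, weights):
        self.twins, self.weights, self.prev, self.locked = twins, weights, None, False
    def step(self, observations):
        # observations: {modality: feature vector, or None when that sensor is unavailable}
        if self.locked: return "lock", 0.0  # lockout is sticky until explicit re-authentication
        present = {n: t.score(observations[n]) for n, t in self.twins.items()
                   if observations.get(n) is not None}
        # Context-aware fusion: unavailable modalities drop out and the weights renormalize.
        total = sum(self.weights[n] for n in present)
        fused = sum(s * self.weights[n] for n, s in present.items()) / total if total else 0.0
        if self.prev is not None and self.prev - fused >= MAX_DROP:
            decision = "lock"      # fail-safe on a precipitous confidence drop
        elif fused >= ALLOW:
            decision = "allow"
        elif fused >= STEP_UP:
            decision = "step_up"   # e.g. prompt for PIN or fingerprint
        else:
            decision = "lock"
        self.locked = decision == "lock"
        if decision == "allow" and fused >= ADAPT_MIN:  # never learn from a doubtful session
            for n in present: self.twins[n].adapt(observations[n])
        self.prev = fused
        return decision, fused

def simulate():
    # Constructed session: legitimate use, wearable dropout, then a device handover.
    auth = ContinuousAuthenticator({"gait": ModalityTwin([0.5, 0.5]), "touch": ModalityTwin([0.5, 0.5])},
                                   {"gait": 0.6, "touch": 0.4})
    windows = [{"gait": [0.5, 0.5], "touch": [0.55, 0.5]},  # owner, both sensors present
               {"gait": None, "touch": [0.5, 0.5]},         # wearable out of range
               {"gait": [0.9, 0.5], "touch": [0.9, 0.5]},   # someone else is holding the phone
               {"gait": [0.5, 0.5], "touch": [0.5, 0.5]}]   # lock stays even if signals return
    return [auth.step(w) for w in windows]
```

In the third window the fused score alone would only trigger a step-up challenge; the lock comes from the drop relative to the previous window, which is the fail-safe the abstract describes.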