Systematic Review
Revised

A Systematic Literature Review on Biometric Authentication in Mobile Banking

[version 2; peer review: 2 approved]
PUBLISHED 07 May 2026

This article is included in the Fallujah Multidisciplinary Science and Innovation gateway.

Abstract

As mobile banking continues to grow at an exponential rate, the financial industry is faced with a critical challenge: How to keep user credentials secure without compromising on efficiency. Password-based authentication is still dominant but has major limitations which compromise both security and user experience. These systems are susceptible to the most common attack vectors such as phishing, malware and man-in-the-middle attacks, especially if users are using weak passwords or sharing passwords. Additionally, mobile devices have limited input interfaces that are frequently sources of frustration and error. As a result, there is increasing interest in other more secure and convenient alternatives such as biometric and multi-factor authentication (MFA) to mitigate the inherent weaknesses of password-based systems. This systematic literature review, which covers studies from 2020 to 2025, provides a critical review of biometric authentication methods used in mobile banking. It analyses existing approaches, security risks and implementation practices adopted by major banks across the world. While biometric systems are more secure and user friendly than traditional systems, they also introduce new challenges in terms of privacy, spoofing and regulatory compliance. The review gives a detailed overview of the current advances, key issues, and emerging research directions, which will give valuable insight to the development of secure and easy-to-use authentication systems in mobile banking.

Keywords

mobile banking, biometric authentication, user authentication, usability and privacy, multi-factor authentication, cybersecurity threats

Revised Amendments from Version 1

In this revised version, the manuscript has been strengthened in response to reviewer feedback. The main revisions include a more synthesized and critical discussion of the quantitative findings, particularly the reported FAR, FRR, EER, and accuracy values across the reviewed studies. The revised text now more clearly explains the conditions under which specific biometric modalities perform well or show limitations, with greater emphasis on real-world deployment considerations.
In addition, the section on usability and privacy challenges has been revised to better connect these issues to the implementation strategies used by major international banks discussed earlier in the review. This revision clarifies how banks balance security strength and user experience by combining biometrics with complementary authentication mechanisms such as OTP, device recognition, app-based approval, and secure tokens.
Finally, the conclusion and future directions have been expanded to provide a clearer forward-looking perspective, including a stronger recommendation for more standardized evaluation protocols in future primary studies. These changes improve the clarity, depth, and practical relevance of the review while preserving its original scope and contribution.

See the authors' detailed response to the review by Wojciech Wodo
See the authors' detailed response to the review by Geeta Sandeep Nadella

1. Introduction

Modern financial systems rely heavily on mobile banking because smartphones have become standard and digital dependence has grown worldwide. Mobile banking goes by other names, such as e-banking, online payments, online banking and internet banking. Electronic payment systems give bank clients and financial institution users the ability to conduct transactions over the internet. At the same time, digital transformation through mobile technology produces substantial security threats because cyber attackers now focus on stealing sensitive financial data and monitoring financial activities. The combination of passwords, personal identification numbers (PINs) and security questions proves inadequate as an authentication method because these remain susceptible to attacks such as brute force, phishing, social engineering and credential stuffing.1,2 The growing need for safer and easier-to-use authentication systems results directly from these vulnerabilities. Biometric authentication has arisen as a disruptive solution that uses individual physical or behavioral characteristics such as fingerprints, facial features, voice, irises and signatures to authenticate users with enhanced safety and precision. In mobile banking, user authentication serves the dual purpose of verifying identity and protecting access to financial services, a function that traditional knowledge-based methods increasingly fail to perform reliably as attack sophistication grows. Three principal authentication factor categories structure current approaches, as illustrated in Figure 1, and their respective trade-offs directly shape how mobile banking systems are designed:3

  • 1. Something you know: This refers to knowledge-based authentication (KBA), in which user authentication depends exclusively on information that only the user knows. At present, passwords together with PINs are the standard methods, although they are exposed to phishing schemes, brute-force attacks and password exposure incidents.4 Security questions serve as a backup authentication process, yet they become vulnerable when attackers acquire access to the answers.5

  • 2. Something you have: Also referred to as possession-based authentication (PBA); users must possess a hardware device or token to use these methods. One-time passwords (OTPs)6,7 are sent via short message service (SMS), email, or authenticator apps. Devices used for this extra layer of security are exposed when attackers conduct SIM swap attacks against them.8 Users can use hardware tokens together with smart cards to achieve maximum security; however, these require physical possession of additional hardware devices.

  • 3. Something you are: Also referred to as biometric-based authentication (BBA), this is a security method based on an individual's unique physiological and/or behavioral trait, which is used to verify that individual's identity. Fingerprints, facial features, iris patterns, hand geometry and voice are common biometric identifiers. These traits are distinctive and extremely difficult to reproduce; thus, BBA is much more secure than typical authentication methods such as passwords or PINs.9 The convenience of BBA is that users do not need to remember a password, much less carry physical tokens.10–12 AI-driven face verification identifies people by their faces, although it delivers poor results under bad lighting and when users wear masks.13 Another challenge in implementing BBA is privacy and the protection of biometric data. Since a compromised biometric trait cannot be replaced the way a password can, long-term security becomes an issue. To address this irreversibility concern, the concept of cancelable biometrics has emerged as an important design principle. Cancelable biometrics refers to the intentional and repeatable transformation of biometric data into a distorted or protected representation that can be revoked and re-issued if compromised, much like a password. Rather than storing raw biometric templates, systems apply a transformation function so that the stored template can be cancelled and replaced with a new transformation if a breach occurs, while the original biometric trait itself remains unaffected. In mobile banking, cancelable biometric schemes are particularly relevant because they allow institutions to protect stored templates against database attacks without requiring users to re-enroll with a new biometric.
However, despite these concerns, such as the ability of adversaries to learn the distribution of nonbits, BBA technology has been widely adopted in many fields, including mobile devices, financial services and national security, because of its strong ability to enhance the authentication process.14

  • 4. Multi-factor authentication (MFA): This method combines two or more authentication factors for enhanced security. For example, users authenticate through KBA password entry in a mobile banking application and then enter an OTP they receive.15,16 Security increases when the system maintains multiple authentication methods because a single compromised factor does not authorize unauthorized access. Further security layers are added when biometric authentication is used, such as fingerprints, facial recognition, irises, voice, hands/palms,17 etc. Continuous authentication adds protection by evaluating keyboard typing patterns and device motion along with swipe gestures. AI-based risk assessment continuously evaluates user interactions to discover suspicious activity in real time.18,19 Table 1 presents an analysis of user authentication approaches, including their descriptions, strengths, weaknesses, and typical use cases.
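The cancelable-biometrics idea described under "Something you are" can be illustrated with a BioHashing-style random projection keyed by a revocable token. The block below is an added example, not code from the reviewed studies or any bank; the feature vectors, sensor-noise model, token strings and matching threshold are all constructed for the demonstration.

```python
"""Toy cancelable biometric template using a BioHashing-style random projection.

The transform is keyed by a revocable user token; what gets stored is the
binarised projection, never the raw feature vector.  The feature vectors,
noise model, tokens and threshold are all constructed for this demonstration.
"""
import random
from typing import Dict, List

N_FEATURES = 96   # length of the constructed biometric feature vector
N_BITS = 64       # template length (sign of each projection, so many-to-one)
THRESHOLD = 14    # max Hamming distance (of 64 bits) accepted as a match


def projection_matrix(token: str) -> List[List[float]]:
    """Derive a Gaussian random projection from the user's revocable token.

    The token stands in for a per-user secret held on the device or server;
    a new token yields an unrelated matrix, which is what makes the template
    cancelable.  Seeding a PRNG directly from the token is a demo shortcut.
    """
    rng = random.Random(token)
    return [[rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)] for _ in range(N_BITS)]


def transform(features: List[float], token: str) -> List[int]:
    """Cancelable template: one bit per projection (1 if the projection is >= 0)."""
    matrix = projection_matrix(token)
    return [1 if sum(r * f for r, f in zip(row, features)) >= 0.0 else 0
            for row in matrix]


def hamming(a: List[int], b: List[int]) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(x != y for x, y in zip(a, b))


def enroll(features: List[float], token: str) -> List[int]:
    """Enrollment stores only the transformed template."""
    return transform(features, token)


def verify(probe: List[float], token: str, template: List[int]) -> bool:
    """Match a fresh capture against the stored template in the transformed domain."""
    return hamming(transform(probe, token), template) <= THRESHOLD


def revoke_and_reissue(features: List[float], new_token: str) -> List[int]:
    """After a template leak, issue a new token and re-derive the template from
    the same (unchanged) biometric; the leaked template is now useless."""
    return enroll(features, new_token)


def sample_features(user_seed: int) -> List[float]:
    """Constructed stand-in for a fingerprint/face feature vector."""
    rng = random.Random(user_seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(N_FEATURES)]


def noisy_capture(features: List[float], capture_seed: int = 1,
                  sigma: float = 0.03) -> List[float]:
    """Simulate sensor noise between enrollment and a later capture."""
    rng = random.Random(capture_seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


def demo() -> Dict[str, bool]:
    """Walk through enrollment, a genuine and an impostor attempt, and revocation."""
    alice = sample_features(7)   # constructed user
    bob = sample_features(8)     # constructed other user
    token_v1 = "alice-token-v1"
    template_v1 = enroll(alice, token_v1)

    results = {
        "genuine": verify(noisy_capture(alice), token_v1, template_v1),
        "impostor": verify(noisy_capture(bob), token_v1, template_v1),
    }

    # Suppose template_v1 leaked: revoke token_v1 and re-enroll with token_v2.
    token_v2 = "alice-token-v2"
    template_v2 = revoke_and_reissue(alice, token_v2)
    results["leaked_template_after_revocation"] = verify(
        noisy_capture(alice), token_v2, template_v1)
    results["genuine_after_reissue"] = verify(
        noisy_capture(alice), token_v2, template_v2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:34s} {'accept' if ok else 'reject'}")
```

The same biometric is enrolled twice under two tokens; the leaked first template no longer matches once the token is rotated, while the user never has to change a fingerprint.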


Figure 1. Classification of general user authentication methods categorized as knowledge-based, possession-based, and biometric-based factors.

Table 1. Comparative analysis of major types of authentications based on their description, advantages, disadvantages and major applications.

Authentication method | Description | Strengths | Weaknesses | Common use cases | Ref.
KBA | Users establish personal secret characters. | Simple, cost-effective, widely supported. | Vulnerable to brute force, phishing, and weak passwords. | Logins for websites, apps, and systems. | 20,21
PBA | Uses physical or digital tokens (e.g., OTPs, smart cards). | Adds an extra layer of security; time-sensitive codes. | Tokens can be lost or stolen; requires users to carry a device. | Online banking, corporate networks, VPNs. | 22
BBA | Uses unique physical traits (e.g., fingerprints, facial recognition). | Difficult to replicate, convenient, and secure. | Privacy concerns, potential for false positives/negatives, high implementation cost. | Smartphones, high-security facilities, banking. | 23,24
MFA | Combines two or more authentication factors (e.g., PIN + OTP or biometric). | Highly secure; reduces risk of unauthorized access. | Can be inconvenient if factors are not readily available. | Banking, email, and enterprise systems. | 25

1.1 Motivation

The rapid increase in mobile banking has exposed financial services to advanced cyber risks, even as it has made banking processes far more convenient. Password-based authentication techniques are exposed to attacks such as phishing and brute force, and they face challenges related to memorability and the limits of the mobile operating environment. Therefore, there is a strong incentive to pursue biometric solutions that provide higher security and a better user experience in mobile banking.

In searching previous studies for the period 2020-2025, we did not find a systematic literature review that focused specifically on the use of BBA in mobile banking. Some studies focus on multi-factor authentication, while others cover all authentication methods in general and their use in online banking. Therefore, in this research, we focused on studies that examined the use of biometric authentication in mobile banking.

Beyond identifying a gap in prior review literature, this study is motivated by the growing need to understand which biometric approaches are practically suitable for mobile banking, how they perform under real-world constraints, and how current banking implementations balance security, usability, and privacy. The review therefore aims not only to categorize existing methods, but also to synthesize their practical relevance, limitations, and deployment implications for secure mobile financial services.

So, the main contributions of this study are summarized as follows:

  • Comprehensive systematic literature review (SLR): This study provides a detailed systematic literature review based on the PRISMA methodology and summarizes recent studies (2020–2025) on biometric authentication, focusing especially on mobile banking systems.

  • Design of a taxonomy that covers all the biometric authentication methods used in previous studies, making it easier for researchers to gain knowledge about the methods used in mobile banking.

  • Analysis of security threats: The study identifies and discusses critical security threats in the context of biometric authentication, such as biometric spoofing, malware, phishing, social engineering and man-in-the-middle attacks. Feasible mitigation measures are also offered to give institutions insight into how to withstand these threats.

  • Survey of biometric authentication methods used in global banking practice: This study evaluates the authentication systems used by major banks across the world, which reflect state-of-the-art biometric solutions in real-world financial settings, filling the gap between academic evidence and industrial practice.

  • Insight into usability and user perception: This paper discusses some of the usability and user perception issues in the application of biometrics to mobile banking, such as sensor reliability, privacy of stored biometric data, device and hardware constraints, and security vs. convenience trade-off. It provides guidance for financial institutions and policy makers in creating authentication systems that are secure as well as convenient to use.

  • Future Research Directions: Lastly, this study identifies key gaps in current practices and recommends future work on adaptive and context-aware authentication, privacy-preserving biometric security, emerging threat models, and AI-driven protection. It serves as a valuable guide for advancing secure and user-friendly mobile banking authentication in both academia and industry.

1.2 Intended audience

The present manuscript is primarily intended for researchers, graduate students, and practitioners interested in biometric authentication in mobile banking, particularly those seeking a structured synthesis of current methods, implementation trends, and open challenges. For the academic community, the research offers a synthesis of state-of-the-art biometric authentication methods in mobile banking that can serve as a reference point for further studies on the subject. For financial institutions, banking professionals, and policymakers, the review highlights practical challenges, new security threats, and usability issues that must be addressed to make mobile banking more secure. The paper can also be of practical use to developers and system designers interested in deploying serviceable and easy-to-use authentication systems in financial applications.

The rest of this paper proceeds as follows: Section 2 presents an overview of mobile banking, biometric authentication, the role of biometrics in mobile banking and a comparative synthesis of authentication approaches. Section 3 presents the research methodology, detailing the criteria and process we applied in choosing and assessing the collected academic papers. Section 4 provides a comprehensive analysis of the gathered papers, discussing the methods used in mobile banking, the threats facing mobile banking, the biometric authentication methods used in leading banks, and the associated challenges. Section 5 presents the limitations of our study, and finally Section 6 presents the conclusion and future directions.

2. Overview

2.1 Mobile banking

Mobile banking applications have changed financial management by providing users with speed and security together with convenience. Users employ these applications to view account balances, transfer funds and pay bills, and also to request loans, all through their mobile devices.26 Owing to technological progress, banking services have become more accessible for individuals in remote areas, eliminating their need to visit bank branches. Banks' security features are enhanced through developments such as biometric authentication and encryption to reduce users' risk exposure.2

2.2 Biometric authentication

Biometric authentication has augmented digital security because it is stronger and more convenient than password- or PIN-based access control. Unlike traditional systems, biometric authentication systems validate identity using individual physiological and behavioral attributes such as fingerprints, facial characteristics, iris patterns, voice and keystroke dynamics,27 which are naturally very hard to imitate or steal.28,29 Biometric authentication continues to gain momentum because mobile banking needs cryptographic protection, as do healthcare services,30 border security systems and enterprise network access systems. Biometric solutions have gained prominence among organizations and financial institutions seeking improved security because these institutions face escalating cyber risks and data breaches.31 Alongside the enhanced security and convenience that biometrics provide, they bring serious privacy and ethical risks, data safety and security challenges, and system weakness problems. Figure 2 shows the two types of biometric authentication and presents the common methods used.


Figure 2. Classification of common biometric authentication.

The security model of user authentication via biometrics has several powerful attributes that establish it as a modern choice for protecting digital systems. The main advantage of biometric user authentication lies in its security, because individual traits such as fingerprints, facial features and iris patterns are unique and, unlike traditional passwords, difficult to steal or duplicate.32,33 Biometric systems increase user convenience because users do not need to memorize complicated passwords or carry physical security tokens.34 Biometric authentication also contains important weaknesses that need to be addressed. System inaccuracies can produce either unauthorized access or user dissatisfaction through false positive or false negative results.35 Biometric data cannot be changed after a breach the way passwords can, resulting in severe privacy and security issues when databases are compromised.36 User consent and data protection statutes raise serious ethical and legal issues in the collection and storage of biometric data. Biometric user authentication should therefore be deployed with appropriate precautions and supplemented by additional safeguards for data protection.37

Biometrics have their strengths and weaknesses,38 as well as areas in which they are commonly used. For example, fingerprint and facial recognition work well on mobile phones because the phone already has the necessary sensors.39 Therefore, they are widely used in various digital systems, such as banking systems, healthcare systems, and other mobile applications. Table 2 provides a brief overview of their primary characteristics, such as strong and weak points, as well as common uses in digital environments.

Table 2. Analysis of some biometric authentication approaches including descriptions, strengths, weaknesses, and typical use cases.

Biometric method | Description | Strengths | Weaknesses | Common use cases | Ref.
Fingerprint Recognition | Scans and matches unique patterns in a user's fingerprint. | Highly accurate, fast, and widely adopted. | Can be affected by dirt or injuries; requires physical contact. | Smartphones, laptops, access control systems. | 40,41
Facial Recognition | Analyzes facial features to verify identity. | Contactless, convenient, and fast. | Can be fooled by photos or videos; lighting and angle variations may affect accuracy. | Smartphones, airports, security checkpoints. | 42–44
Iris Recognition | Scans the unique patterns in the colored ring of the eye. | Extremely accurate and difficult to forge. | Requires specialized hardware; can be intrusive. | High-security facilities, government systems. | 45
Voice Recognition | Analyzes vocal characteristics to verify identity. | Convenient and noninvasive. | Can be affected by background noise or voice changes due to illness. | Call centers, banking, smart home devices. | 46
Retina Scanning | Scans the unique blood vessel patterns in the retina. | Extremely secure and accurate. | Invasive, requires proximity, and expensive hardware. | Military, high-security environments. | 47
Hand Geometry | Measures the shape and size of the hand. | Reliable and easy to use. | Less unique than other biometrics; requires physical contact. | Time and attendance systems, access control. | 34

2.3 Role of biometrics in mobile banking

The adoption of biometric authentication for secure account access in mobile banking has become widespread, driven by the accelerating digital transformation of modern financial services and by the improved efficiency and user experience of biometric verification. Password- and PIN-based authentication face growing risks from cyber intruders, who exploit phishing attacks, steal credentials and gain unauthorized system access.31,48 Online banking security evolves through biometric authentication, which uses physical and behavioral features to provide safe access and protection from fraud.28

Mobile banking security, along with fraud prevention, is one of the fundamental purposes of biometric authentication systems. Physical biometrics, such as fingerprint scans, facial verification, hand, iris and vein methods, are important for authenticating authorized users in mobile banking.32,49

Biometrics can strengthen authentication and make unauthorized access more difficult; however, they are not inherently resistant to spoofing or replication in all cases, especially under real-world attack conditions. As discussed in detail in Section 4.4.1.7, presentation attacks using photographs, masks, and AI-generated deepfakes represent a persistent and growing threat to biometric systems, and the degree of resistance depends heavily on the quality of liveness detection and the specific modality deployed.50 Continuous authentication based on behavioral biometrics becomes essential since it analyzes touch interaction patterns and keystroke dynamics along with voice patterns and typing speed, making account breaches more difficult for cybercriminals.51 Biometrics also serve as a key instrument for improved accessibility and an excellent user experience. Biometric authentication makes the user experience more convenient because users obtain immediate and effortless access to mobile banking applications without passwords to remember. Security levels are enhanced because users do not need to manage passwords. Financial inclusion also grows because biometric authentication enables users with limited literacy or with disabilities to access banking services securely by using a fingerprint or other trait instead of standard credentials such as passwords/PINs.46

Users of biometric authentication in mobile banking benefit from its advantages while facing privacy risks and security vulnerabilities, including data protection and system protection issues.52 Any unauthorized access to stored biometric information poses substantial risks to users because each person's biometric data is permanent and distinctive. To protect biometric data, banks have employed advances in encryption in combination with blockchain-based storage systems and multiple authentication factors.53

By integrating AI and ML, mobile banking authentication systems can gain the ability to detect more fraudulent transactions alongside the delivery of personalized banking service options to customers.54 The future of mobile banking security is moving toward a safer and more efficient digital financial environment because biometric authentication maintains a balance between security and convenience and privacy.55

2.4 Comparative synthesis of authentication approaches

The concept of mutual compensation strengthens authentication security by using each authentication factor to cover the weaknesses of the others (Table 1). A secure authentication system emerges when users provide PBA, KBA and BBA together, which protects against multiple types of attack. People trust the knowledge factor for its familiar design, yet it remains exposed to password intrusion attacks.56 When possession of a physical token or device is required together with a password, the system provides enhanced security even when the password becomes exposed.57 The cost and risk exposure of the possession factor arise from the loss or theft of the token or device. The biometric factor brings both security, through uniqueness, and convenience, since it belongs to the user. Strong protection of biometric data is essential; biometrics reduce password-related attacks while physical tokens remain necessary, yet their implementation can still produce false positive or false negative outcomes.58

Although the three authentication categories (KBA, PBA, and BBA)16 each offer specific advantages, each leaves gaps when used alone that can be exploited. KBA is simple but has the lowest security level against phishing and brute-force attacks; PBA is a strong mechanism based on the use of one-time codes or tokens, but it is prone to device-loss attacks; BBA is a strong identity binding mechanism but raises privacy and hardware-cost issues. Thus, our analysis supports a hybrid multi-factor approach whereby complementary factors compensate for each other's weaknesses. In environments that require high security, like mobile banking, a three-factor setup (password + token + biometric) offers the best balance of protection against the theft and spoofing of credentials.13 However, in lower-risk or resource-constrained environments a two-factor scheme (e.g., PIN + OTP) may provide sufficient security with better usability. This aligns with recent banking practices summarized in Table 8, where most institutions adopt mixed MFA frameworks combining knowledge, possession, and inherence factors.
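The hybrid multi-factor argument above can be expressed as a policy check that counts distinct factor categories from Table 1 rather than the raw number of checks passed. This is an added illustration, not code from any bank or study the review covers; the factor names, risk tiers and required category counts are assumptions made for the demonstration.

```python
"""Policy check for the hybrid multi-factor argument: count *distinct* factor
categories (the KBA / PBA / BBA split of Table 1), not the number of checks.

Factor names, risk tiers and the required counts are assumptions for this demo.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

KBA, PBA, BBA = "KBA", "PBA", "BBA"

# Assumed mapping from a concrete factor to its category.
FACTOR_CATEGORY: Dict[str, str] = {
    "password": KBA, "pin": KBA, "security_question": KBA,
    "sms_otp": PBA, "authenticator_otp": PBA, "hardware_token": PBA,
    "fingerprint": BBA, "face": BBA, "voice": BBA,
}

# Assumed tiers: low risk -> any two distinct categories (e.g. PIN + OTP);
# high risk -> all three (password + token + biometric).
REQUIRED_DISTINCT: Dict[str, int] = {"low": 2, "high": 3}


@dataclass(frozen=True)
class Factor:
    kind: str       # key of FACTOR_CATEGORY
    verified: bool  # outcome of checking that factor


def verified_categories(factors: List[Factor]) -> FrozenSet[str]:
    """Distinct categories for which at least one presented factor verified."""
    unknown = sorted({f.kind for f in factors if f.kind not in FACTOR_CATEGORY})
    if unknown:
        raise ValueError(f"unknown factor kinds: {unknown}")
    return frozenset(FACTOR_CATEGORY[f.kind] for f in factors if f.verified)


def authorize(risk: str, factors: List[Factor]) -> bool:
    """Grant access only if enough *distinct* categories verified for the tier."""
    return len(verified_categories(factors)) >= REQUIRED_DISTINCT[risk]


def demo() -> Dict[str, bool]:
    """Cases that illustrate mutual compensation between factor categories."""
    return {
        # Two knowledge factors are still one category: no compensation.
        "low_two_kba": authorize("low", [Factor("password", True),
                                         Factor("security_question", True)]),
        # PIN + OTP covers two categories: enough for the low tier.
        "low_pin_otp": authorize("low", [Factor("pin", True),
                                         Factor("sms_otp", True)]),
        # A correctly entered (possibly phished) password plus OTP lacks inherence.
        "high_pw_otp": authorize("high", [Factor("password", True),
                                          Factor("sms_otp", True)]),
        # All three categories verified: high tier satisfied.
        "high_three": authorize("high", [Factor("password", True),
                                         Factor("hardware_token", True),
                                         Factor("fingerprint", True)]),
        # A failed biometric check does not count, even though it was presented.
        "high_face_failed": authorize("high", [Factor("password", True),
                                               Factor("hardware_token", True),
                                               Factor("face", False)]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'allow' if ok else 'deny'}")
```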

3. Methodology

The Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines were first released more than a decade ago.59 The PRISMA method assists researchers by providing standards for accurate reporting of systematic reviews and meta-analyses. Systematic reviews are considered by decision-makers in areas such as IoT, computer security, smart homes, supply chains, industry, and other domains as important sources of information that are collected in a systematic and transparent manner.60 Selected PRISMA items guided this comprehensive and systematic study of the applications of biometric authentication in the mobile banking sector.3 The literature reviewed in Figure 3 comprises the most recent studies on biometric authentication technology used in mobile banking to increase security. The activities listed below had a significant effect on the results of the systematic survey. Out of the total of 180 references, 97 papers met the inclusion criteria and are analyzed as part of the evidence set. The remaining references are cited to provide general background, definitions, or contextual support but were not included in the systematic synthesis.


Figure 3. Distribution of the 97 reviewed research papers by publication year (2020-2025), illustrating the growth trend in biometric research for mobile banking.

3.1 Research questions

This research aims to evaluate the biometric authentication methods currently adopted for mobile banking user access. It also examines the effects of cyber threats on online banking user authentication, presents examples of biometric authentication systems used by major banks worldwide, and examines the advantages, disadvantages, aims and challenges through the following research questions:

  • 1. Which biometric authentication methods are currently used in mobile banking systems?

  • 2. What are the main security threats and vulnerabilities affecting biometric authentication in mobile banking?

  • 3. How do major banks worldwide implement and integrate biometric authentication into their mobile banking applications?

  • 4. What are the key usability, privacy, and user acceptance challenges related to biometric authentication in mobile banking?

  • 5. What are the limitations and future research directions in improving biometric-based authentication for secure and convenient mobile banking?

3.2 Search strategy

A collection of academic papers focused on biometric authentication served as the basis for our review. The selected time span begins on January 1, 2020, and ends on July 1, 2025. This stage involved a focused examination of scientific digital libraries and databases, keyword searches, reference management tools and search processes. The next sections delineate these processes.

3.3 Scientific digital libraries

The analysis took place through major English-language scientific digital libraries and databases. Science Direct, Scopus, IEEE and Google Scholar formed the database scope for this SLR.

3.4 Search for keywords

The research questions of the SLR served as the foundation for creating the search keywords. The included figure presents alternative search terms; we have also added synonyms and alternatives. The synonym keywords were extracted from the literature on online banking security. The search query keywords appear in Figure 4 as they were applied to the digital libraries mentioned.


Figure 4. PRISMA flow diagram of the process of selecting and screening studies that were included in this systematic literature review.

3.5 Reference management

The research utilized “Mendeley Reference Manager” v2.132.0 (ref. 61) as the reference management system for collecting and handling the retrieved scientific papers.

3.6 Selection of the study

We examined the research papers and selected suitable content for our final evaluation using specified inclusion and exclusion criteria. Each paper was checked for its relevance to the study's goals. The review used predefined inclusion criteria to identify and analyze suitable study materials, which led to reliable and valid research outcomes. All the results of this research stem from the papers that fulfilled the established criteria for entry into our research.

3.6.1 Exclusion criteria

All studies that were not published in the English language were excluded. Additionally, book chapters, reviews, periodical articles, theses and duplicate papers are excluded. Industry white papers, technical reports, and international standards (e.g., ISO/IEC, NIST, PSD2 regulatory technical standards) were also excluded from the primary synthesis corpus, as this review focuses on peer-reviewed empirical and technical contributions. However, selected regulatory and standards documents are cited as contextual references in the discussion sections where relevant, particularly in the analysis of authentication assurance levels, presentation attack detection, and regulatory compliance frameworks. This boundary is acknowledged as a limitation of the review scope, and the inclusion of industry sources in future updates is recommended to complement the academic evidence base.

3.6.2 Inclusion criteria

The inclusion criterion was that the studies were published in English. Only journal and conference publications were included. The studies on biometric authentication in mobile banking cover the methods used in mobile banking, their threats, strengths and weaknesses, the methods used by major international banks, and user usability challenges and limitations.

3.6.3 Results

The research process resulted in 97 articles after the elimination of duplicate and unrelated studies. Two complementary search queries were applied to ensure coverage of biometric authentication keywords (Figure 4).

The screening process based on PRISMA is illustrated in Figure 4. A total of 913 records were identified in the four databases (Science Direct = 394, Scopus = 152, IEEE = 174, Google Scholar = 193). After elimination of 187 duplicates, 726 unique papers were screened. Following title and abstract screening, 523 papers were excluded, and 203 full-text articles were eligible for further screening. Based on the inclusion and exclusion criteria, 106 papers were deemed ineligible, and 97 studies were finally included in this systematic review.

4. Analysis and Discussion

This section presents various data samples drawn from relevant studies and provides an evaluation and interpretation of the SLR findings.

4.1 Biometric authentication methods used in mobile banking

This section answers RQ1: “Which biometric authentication methods are currently used in mobile banking systems?”. The gathered literature appears in Table 3, where 41 studies are analyzed in three parts: description, year and reference. The taxonomy in Figure 5 illustrates the different online payment biometric approaches, classified as BBA and MFA. The taxonomy structure enables a complete comprehension of the different authentication approaches and shows that all current methods operating in online banking use biometrics. Table 3 provides a concise study-level overview of the reviewed papers, highlighting the diversity of biometric approaches and their immediate application focus rather than offering a full technical evaluation of each solution.

Table 3. Summary of sample data from the 41 chosen studies (2020-2025), outlining each biometric authentication method, its aims, and its source.

| Year | Ref. | Description |
|---|---|---|
| 2020 | 52 | An MFA scheme for the Smart Online Banking System (SOBS) that uses face recognition authentication (FRA) or biometric fingerprint authentication (BFA) together with digital signatures is proposed to enable bank customers to complete transactions. |
| 2020 | 62 | This study proposes a novel deep neural network-based approach for facial feature extraction. |
| 2020 | 46 | This research aims to enhance security authentication based on voice recognition, which can be used for speaker identification regardless of the language being spoken. |
| 2020 | 50 | This research introduces a secure biometric online banking system that uses three-factor authentication to evaluate service requests through banking portals. The factors are a password, a random image challenge in which the system shows images and the user must select three familiar ones, and a fingerprint. |
| 2020 | 17 | The authors propose an authentication model for securing mobile banking applications based on hand-based biometric authentication. |
| 2020 | 64 | The authors develop a supervised machine learning-based framework for continuous behavioral biometric user identification in online banking authentication. The framework is an improved variation of the “Biotouch” technology for touch dynamics identification. |
| 2020 | 68 | The paper introduces a biometric authentication system that combines two methods, biometric technology and proximity sensors, to provide secure, robust and flexible authentication. Biometric fingerprint identification is united with shuffling-keypad methods to boost security strength in Automated Teller Machine (ATM) operations. |
| 2020 | 63 | A new authentication system uses contactless vascular biometrics to recognize wrist veins as the modality. |
| 2021 | 69 | This study presents an online banking application designed to address vulnerabilities in existing online banking systems. The application is based on facial recognition and proxy detection and includes “tripleDES” encryption to enhance security. |
| 2021 | 28 | This study presents a framework based on mobile screen swipes and touch data as a behavioral verification method for user authentication in mobile banking. |
| 2021 | 70 | This study presents a fingerprint-based authentication model for ATM access control. |
| 2021 | 71 | This paper introduces a novel anti-spoofing third-factor authentication method for ATMs that uses a behavioral biometric, the Keypad Typing Rhythm Identifier (KTRID). |
| 2021 | 72 | In this paper, the authors present a two-level combined authentication method (2L-IAM). At the first level, the end user logs in to their online banking portal using either a PIN or Fingerprint Matching (FPM). At the second level, end users are authenticated by face recognition (FR) if they initiate a transaction classified as sensitive. |
| 2021 | 73 | This study incorporates user biometrics based on either fingerprint or facial recognition to obtain and verify data from the Internet of Things (IoT) device through bank-registered authentication methods, which include IP address tracking and digital certificates. |
| 2021 | 25 | This research develops a framework using Elliptic Curve Cryptography (ECC) within Virtual Private Network (VPN) security for performing safe financial operations through MFA using a password and voice recognition, based on both authentication codes and biometric identification. |
| 2021 | 74 | The DAKOTA framework proposes improving mobile banking security through behavioral biometric authentication based on sensor and touch screen-based continuous authentication. Touch screen data and motion sensor data serve distinct roles in increasing application security. |
| 2022 | 11 | This paper proposes a new finger-vein (FV) authentication framework for safe authorization using an Enhanced Sigmoid Reweighted Convolutional Neural Network (ES-RwCNN). |
| 2022 | 51 | This paper proposes continuous authentication on mobile devices that incorporates unconstrained touchscreen swipe interactions as well as keyboard input timing patterns. |
| 2022 | 75 | A novel approach to face anti-spoofing introduces a modified combination of difference of Gaussians (DOG) and angle-difference-ternary correlation-pattern (ADTCP) descriptors. |
| 2022 | 32 | This paper demonstrates an authentication framework that employs novel pupil segmentation through a combination of a multiscale gray-level co-occurrence matrix (MSGLCM) with a multirange circle Hough transform (MRRCHT). This segmentation method extracts the pupil texture accurately, after which the Hough transform is applied to the outer iris region. |
| 2022 | 76 | The authors propose a multimodal Self-ONN based on raw electroencephalogram (EEG) and keystroke data. |
| 2022 | 77 | The research proposes an unavoidable authentication approach for mobile banking applications: a mobile device fingerprinting-based identifier and authenticator (MDFIA). |
| 2022 | 78 | This study proposes a facial authentication solution to enhance ATM security and privacy. |
| 2022 | 79 | This study develops an authentication application for online systems, including mobile banking, based on facial recognition and text extraction. |
| 2022 | 80 | The paper proposes the concept of using a person's vein pattern together with an OTP/PIN as a contactless authentication method. It is an extremely safe verification procedure because no two people in the world, not even identical twins, have the same palm vein structure or pattern. Additionally, it is more secure because the palm vein pattern is nearly impossible to replicate. |
| 2022 | 49 | The authors propose a web-based application authentication system for bank employees using passwords, fingerprints and OTPs. |
| 2022 | 81 | The article presents MPSNet, a new real-time contactless palm vein recognition system developed specifically for smartphones with RGB cameras. A standard rear camera with the LED flashlight built into smartphones enables the system to both detect and identify palm images. |
| 2022 | 82 | This paper introduces a passwordless authentication method that combines smartphone-based face recognition with Bluetooth and Near Field Communication (NFC) technology. The system performs real-time face biometric authentication, secure NFC token transfer and Bluetooth detection of the device connection to provide robust anti-phishing and anti-spoofing security without passwords. |
| 2023 | 83 | The article establishes a user authentication methodology that uses sensor measurements from smartphones, multiple behavioral patterns and machine learning strategies to address the identified issues. The proposed approach uses the device touchscreen combined with motion sensors to obtain behavioral biometric data. |
| 2023 | 84 | This paper proposes a new framework for continuous authentication on smartphones based on behavioral biometrics derived from user interaction with the touchscreen. |
| 2023 | 30 | The proposed method develops a secure virtual smart card through digital encryption techniques with biometric verification (fingerprint), a QR code and passwordless capabilities, enabling safe access to healthcare systems and e-banking. |
| 2023 | 85 | The study establishes a multilayer 5FA system that combines a password/PIN with an OTP, a fingerprint, the Media Access Control (MAC) address and time-based location to create a stable security solution for online banking. |
| 2023 | 86 | The authors propose a framework for authentication based on dynamic signatures, called the “Cloud-based mobile biometric authentication framework (BAMCloud)”. |
| 2024 | 13 | This paper proposes an MFA scheme for securing a mobile banking system that combines passwords, face recognition and OTPs to verify users. |
| 2024 | 87 | This paper proposes a new mobile payment framework for user verification based on deep learning face ID recognition. |
| 2024 | 88 | This paper presents the development of an Android mobile banking application. The application implements facial recognition technology together with PIN-based templates using the Grassmann algorithm approach. Users can perform banking operations only after completing both authentication steps. |
| 2025 | 89 | The authors develop an authentication system based on processing ECG (electrocardiogram) signals on mobile devices to achieve high levels of accuracy. The process uses the distinct qualities of ECG signals to deliver secure mobile device authentication, demonstrating that biometric authentication can strengthen security protocols. |
| 2025 | 90 | A new deep learning framework described in this paper connects three different biometric modalities: electrocardiogram (ECG), fingerprint features and finger knuckle print (FKP). Their combination enables an authentication system with high levels of security and efficiency for banking, healthcare and other higher-security applications. |
| 2025 | 91 | This project develops a machine learning authentication system to protect online voting using facial and fingerprint recognition as security measures. The system consists of two fundamental elements: the machine learning authentication mechanism and a web-based voting platform. |
| 2025 | 92 | This study proposes a new MFA-based framework that combines three types of fusion technique (feature-level, score-level and decision-level) across three biometric modalities (fingerprint, facial recognition and iris). |
| 2025 | 93 | This paper presents a hybrid face biometric authentication method that integrates the strengths of deep learning, specifically CNN and ResNet, with the Local Binary Pattern (LBP) method. |
Figure 5. Biometric authentication taxonomy in internet banking, methods based on knowledge, possession and biometrics factors.

4.1.1 Biometric authentication methods

The BBA category uses two types of biometrics: physical traits, which consist of fingerprints, facial IDs, irises, hands and veins,11,17,32,62,63 and behavioral traits, which include voice patterns,46 “Biotouch” (dynamic/continuous touch authentication),28,64 and tapping behavior. A further behavioral biometric trait was implemented in,65 which proposed a new activity recognition model for smartphone applications based on physical activities detected by collecting data from different sources, such as biometric sensors or body-worn sensors. Biometric authentication relies on users’ unique biological traits to strengthen identity verification and improve security. Behavioral biometrics show great reliability in authorization but create problems involving data protection and storage security requirements. Organizations use biometric information while also developing preventative solutions to combat unapproved system access and illegal information handling.66 Users sometimes encounter difficulties when organizations attempt to establish biometric authentication systems. Online banking implementations of biometric technology require thorough consideration of hardware needs together with quality standards and acceptance levels from users.67 Table 3 provides a description and year for each study.

4.1.2 Integration of biometrics within MFA

Any authentication system built on a single factor remains vulnerable to security threats, whether that factor is a fingerprint scan, facial recognition, palm recognition, a password or a PIN. Authentication system developers therefore build their systems with integrated MFA.94 BBA methods, including fingerprints, faces, irises, hands, veins and behavioral biometrics, serve as the main authentication component of MFA and 2FA systems.95 PBA methods consist of OTPs, tokens and NFC96 and operate alongside other supporting factors. Various security elements, such as proxy detection, QR codes, geolocation, IP addresses, MAC addresses and CAPTCHA, have been added to MFA and 2FA approaches to increase security. By using multiple authentication methods together, banks create enhanced system security with multiple defensive barriers that an attacker must break. If attackers gain access to one layer, the remaining layers continue to shield the system from further attacks.97,98 For example, users must first type their password before submitting their fingerprint for authorization during system access. This logic increases the security level by making it difficult for attackers to compromise the system even when they know the user's password.99 Online banking can establish a secure and all-encompassing authentication system through 2FA and MFA, which reduces the threats caused by depending on a single authentication mechanism. Based on 41 studies, this research examines the use of biometric authentication methods in mobile banking, including their role within MFA. These methods are presented in Table 4 and Figure 5. Table 4 provides a comprehensive list of these authentication strategies with their corresponding references.
A comparative analysis of the strengths and weaknesses of these methods is subsequently presented in Table 5, which is discussed in Section 4.1.3.

Table 4. Overview of the biometric methods integrated within the MFA techniques used in the reviewed studies, with the modalities used and the corresponding references.

Authentication Method Password PIN OTP Fingerprint Face Iris Palm/Hand Vein Voice Continuous Authentication Signature MAC Location Captcha Proxy QR EEG ECG Keystroke Keypad IP Address FKP NFC
Ref.
52O O
62O
46O
64O
11O
13O O O
86O
28O
70O
72O O O
25O O
73O O O O O
51O O
74O
17O
87O
85O O O O O O
50O O O
69O O
30O O
71O
84O
75O
32O
76O O
83O
77O O
78O
79O O
80O O O
49O O O O
88O O
89O
90O O O
91O O
92O O O
93O
81O
68O O O
63O
82O O

Figure 5 presents a detailed taxonomy scheme of authentication methods that were specifically developed to protect online banking systems. The taxonomy system groups authentication methods into four basic categories, including the PBA, BBA and KBA approaches and MFA methods. The BBA is divided into two parts: physical biometrics, including fingerprints, faces, irises, hands/palms and veins, and behavioral traits, including voices, touch screens, EEGs, keypads, signatures and ECGs. KBA includes authentication factors such as passwords and PINs. The PBA includes OTP and NFC. Other types of authentications include MAC address, IP address, CAPTCHA, QR, proxy and location. MFA represents a stronger security approach because it combines two or more authentication methods to enhance user verification. This research focuses heavily on biometric authentication by providing detailed information about fingerprints, facial recognition, irises, palm, voice recognition methods, touchscreens, and keystroke dynamics as behavioral verification indicators. This taxonomy explains MFA, which requires users to combine different authentication components such as passwords together with OTP or fingerprints in combination with the MAC address to increase security. The taxonomy establishes itself as a beneficial reference for recognizing the complex authentication methods that modern digital finance systems implement.

Together, Table 4 and Figure 5 serve an analytical purpose by revealing that biometric methods are rarely deployed in isolation and are instead most often embedded within broader MFA architectures that combine knowledge-based, possession-based, and contextual factors. Among the authentication methods identified in the reviewed studies, face, fingerprint, password, PIN, and continuous touchscreen authentication were the most frequently used, appearing 15, 13, 7, 6, and 6 times, respectively. OTP and vein-based methods appeared 4 times each, whereas voice and iris appeared only 2 times each in the reviewed data. Other verification types, such as CAPTCHA and keypads, appear in 3 cases each. Palm, keystroke, time-based location, MAC address, IP address, proxy, QR, signature, EEG, ECG, FKP and NFC are each mentioned once. MFA security becomes more effective because face and fingerprint detection are used repeatedly together with additional factors such as password/PIN (KBA) and OTP. Multiple security layers protect sensitive online banking data since MFA and 2FA combine several authentication techniques. Figure 6 presents the frequency of the authentication methods used in biometric authentication contexts in the banking sector.

Figure 6. Frequency distribution of authentication techniques used in biometric systems among studied mobile banking studies.

4.1.3 Evaluation of the methods of mobile banking

Table 5 analyzes the different authentication methods from our study based on their strengths and weaknesses, with the corresponding research sources. Simple security systems based on passwords and PINs continue to be popular because they are quick to set up, while attackers exploit their vulnerabilities through brute-force attacks, phishing schemes and shoulder surfing. User authentication through a PIN combined with facial recognition delivers better usability and touchless access at the cost of reduced security effectiveness. Combining passwords, fingerprints, faces, OTPs and location with MAC address recognition increases security, whereas the reliance on external communications remains a weak point, and spoofing presents a persistent threat. Biometric authentication through fingerprint scans, facial identification and iris analysis creates secure user authentication solutions despite their limitations in terms of external conditions and the need for specific hardware. Emerging techniques such as EEG and touchscreen behavior offer unique behavioral or physiological markers but face limitations in practicality and consistency. MFA is a powerful security method that achieves strong protection, while users experience decreased convenience and dependence on devices during authentication. This analysis shows that different digital systems require customized authentication strategies that depend on their unique operational needs.

Table 5. Comparison of the authentication strategies employed in mobile banking (2020-2025), with their key strengths and weaknesses.

| Method | Strengths | Weaknesses | Reference |
|---|---|---|---|
| Password | Simple to implement and widely used | Susceptible to brute-force, phishing, reuse attacks | 60,100,101 |
| PIN | Quick, minimal memory load | Easy to observe (shoulder surfing); often reused | 101 |
| Graphical Password | More memorable; harder to guess | Usability issues; vulnerable to observation | 102,103 |
| QR Code | Fast, contactless authentication | Can be used for phishing; requires camera | 104 |
| OTP | Temporary and time-bound; improves security | Phishable; reliant on delivery medium (SMS/email) | 101,105 |
| MAC Address | Device specific; useful in background authentication | Spoofable; not user-unique | 3,106 |
| CAPTCHA | Prevents bots; low cost | Poor usability; accessibility issues | 107 |
| Proxy Detection | Identifies IP masking attempts | Can yield false positives; circumventable | 108 |
| Geolocation | Provides context-aware authentication | Spoofable; raises privacy concerns | 109 |
| Signature Verification | Familiar; good for legal systems | Inconsistent; easy to forge | 110 |
| NFC | Fast, contactless, widely used in mobile payments | Limited range; vulnerable to relay attacks | 111 |
| 2FA/MFA | High security; combines multiple factors | Less convenient; requires multiple devices or tokens | 3 |
| Fingerprint | Convenient; widely supported in devices | Not reliable when wet/damaged; spoofable | 49 |
| Face ID | Touchless; user-friendly | Can be spoofed by photos or masks; lighting affects accuracy | 12 |
| Iris Scan | Highly accurate and unique | Expensive hardware; less user-friendly | 112 |
| Palm Recognition | High accuracy; touchless | Requires specialized scanners | 17 |
| Voice Recognition | No touch input; good for phone auth | Affected by background noise and illness | 46 |
| Vein Pattern | Internal biometric; hard to replicate | Requires IR scanners; costly | 80 |
| EEG (Brainwave) | Highly secure and unique | Impractical; requires specialized equipment | 76 |
| Keystroke | No additional hardware needed | Inconsistent due to emotional state or fatigue | 2 |
| Touchscreen (swipe, tap, scroll) | Continuous passive auth; behavioral uniqueness | Variability in usage, mood, and devices | 64 |

The results summarized in Table 5 emphasize that each category of authentication provides different benefits and weaknesses and confirm that no single method provides total protection against the wide range of cyber threats in the mobile banking environment. Instead, a combined optimization of security strength, usability and implementation cost is required to achieve practical and scalable protection. KBA methods, including passwords and PINs, are the most common because they are simple and easy to implement. However, they are also the weakest layer of defense, because they are highly vulnerable to brute-force, phishing, and credential-reuse attacks.3,100,101 Moreover, users often choose predictable passwords or reuse the same password across platforms, which makes compromise much easier. PINs are faster to enter and impose very little cognitive load, but they are short and vulnerable to observation (shoulder surfing), which limits their effectiveness on their own.

PBA methods, such as OTPs and NFC-based tokens, provide stronger protection by introducing a time factor or a hardware-binding factor. OTPs greatly decrease the chance of credential replay but rely on the reliability of the communication channel and can be intercepted in transit or stolen via a SIM-swap attack. NFC cards and hardware tokens provide a physical guarantee, although they require the user to carry or maintain an external device, increasing usability and logistical costs.111

BBA methods, in particular fingerprint and facial recognition, provide an ideal compromise between security and convenience, which is why they have quickly become standard in large mobile banking applications.12,49 Fingerprint recognition is more accurate and faster to verify, while facial recognition can be used contactlessly and more conveniently. However, both depend on sensor quality and lighting, are vulnerable to spoofing, and raise serious privacy issues because biometric identifiers cannot be revoked once compromised.

More expensive modalities, such as iris, vein or palm recognition, are highly resistant to spoofing and very accurate, but the specialized sensors they require preclude their mass-market use. A risk-tiered approach therefore makes sense: routine account access may rely on simple 2FA such as PIN + OTP, while high-value or cross-border transactions may require full MFA including a biometric check. This strategy offers both convenience and a high level of security.

Moreover, incorporating AI-based behavioral monitoring into MFA pipelines enables continuous risk evaluation and real-time adjustment of authentication requirements without undermining usability. Overall, the comparative synthesis implies that the most resilient form of authentication for mobile banking is a hybrid, context-aware and adaptive MFA architecture. By combining the desirable attributes of the various factors, such as password familiarity, token possession and biometric traits, while compensating for their individual weaknesses, banks can achieve both high assurance and user acceptance. The findings of this comparative evaluation reflect contemporary trends in international banking practice, in which the largest institutions are increasingly using biometrics and MFA in tandem to enhance resilience against evolving cyber threats.113,114
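The step-up policy argued for above (routine access with 2FA, biometric step-up for high-value, cross-border or behaviourally anomalous transactions, and the rule from Section 4.1.2 that factors must come from distinct categories) can be written as a small policy engine. This is an added example, not code from any reviewed study or bank; the thresholds, factor names and category labels are assumptions.

```python
"""Risk-tiered step-up authentication policy.

Constructed example (not code from any reviewed study or bank): routine access
needs two factors from distinct categories (e.g. PIN + OTP); high-value,
cross-border or behaviourally anomalous transactions step up to full MFA
including an inherence (biometric) factor. Thresholds and factor names are
assumptions.
"""
from dataclasses import dataclass

# Factor name -> factor category. Two factors of the same category
# (e.g. password + PIN) count as a single category, not as 2FA.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "otp": "possession",
    "nfc_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "touch_dynamics": "inherence",
}

HIGH_VALUE_LIMIT = 1000.0   # assumed amount above which biometric step-up is required
RISK_STEP_UP = 0.7          # assumed behavioural anomaly score that triggers step-up


@dataclass
class Transaction:
    amount: float
    cross_border: bool = False
    behavioral_risk: float = 0.0  # 0.0 = typical for this user, 1.0 = highly anomalous


def required_categories(txn: Transaction) -> set:
    """Factor categories the policy demands for this transaction."""
    needed = {"knowledge", "possession"}  # baseline 2FA for routine access
    if (txn.amount >= HIGH_VALUE_LIMIT
            or txn.cross_border
            or txn.behavioral_risk >= RISK_STEP_UP):
        needed.add("inherence")  # step up: a biometric check becomes mandatory
    return needed


def authorize(txn: Transaction, verified_factors) -> tuple:
    """Return (allowed, missing_categories).

    verified_factors are the names of factors the server has already verified;
    how each individual factor is checked is outside this policy decision.
    """
    unknown = sorted(f for f in verified_factors if f not in FACTOR_CATEGORY)
    if unknown:
        raise ValueError(f"unknown factor(s): {unknown}")
    present = {FACTOR_CATEGORY[f] for f in verified_factors}
    missing = required_categories(txn) - present
    return (not missing, missing)


if __name__ == "__main__":
    routine = Transaction(amount=50.0)
    high_value = Transaction(amount=5000.0)
    print(authorize(routine, {"pin", "otp"}))             # (True, set())
    print(authorize(routine, {"pin", "password"}))        # (False, {'possession'})
    print(authorize(high_value, {"pin", "otp"}))          # (False, {'inherence'})
    print(authorize(high_value, {"pin", "otp", "face"}))  # (True, set())
```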

Although the heterogeneity of the reviewed studies made it impossible to conduct a complete quantitative meta-analysis, a systematic summary of the reported performance ranges was built to support the quantitative patterns and trends of biometric modalities deployed on mobile devices. The summarized values of false acceptance rate (FAR), false rejection rate (FRR) and equal error rate (EER), along with an indication of whether liveness detection and spoofing resistance mechanisms were used, are shown in Table 6 for studies published between 2020 and 2025.

Table 6. Summary of reported biometric and multimodal authentication systems in recent literature, highlighting their typical datasets or devices, reported EER/FAR/FRR rates, accuracy, presence of liveness detection, and spoofing resistance levels.

| Typical dataset/Device | EER / FAR / FRR (%) | Accuracy % | Liveness detection | Spoofing resistance | Ref. |
|---|---|---|---|---|---|
| Prototype survey (170 users, Brunei) | — / — / — | N/A | N/A | Medium | 52 |
| CAS-PEAL DB (99k images, 1040 users) | — / — / — | 98.52 | N/A | N/A | 62 |
| Custom dataset (23 users), SecuGen scanner | — / — / — | N/A | N/A | N/A | 50 |
| HKPU 3D/2D Hand DB (570 samples) | — / — / — | 94.7–100 | N/A | Moderate | 17 |
| Custom app (51 users, Android sensors) | 1.88–9.85 / — / — | 82.5–98.2 | N/A | Moderate–High | 64 |
| MFS100 Sensor, Simulated ATM | — / — / — | 100 | Yes (Basic) | High | 68 |
| UC3M-CV2 (Smartphone NIR camera) | 6.82–18.7 / — / — | N/A | N/A | Partial (No PAD) | 63 |
| Custom Dataset (20 img/user, smartphone) | — / — / — | 97 | Yes (Proxy detection) | High | 69 |
| Prototype Web Portal + Survey (n = 170) | — / — / — | N/A | N/A | Moderate | 72 |
| IoT Prototype (Design Science) | — / — / — | N/A | N/A | High | 73 |
| Simulated Cloud Banking Prototype (VPN) | — / — / — | N/A | Partial (Inherent) | Strong | 25 |
| Custom dataset (45 users, Samsung/Xiaomi) | 3.5 / — / — | ~99 | N/A | High | 74 |
| N/A | — / — / 2.35 | 97.05 | Yes (Inherent) | High | 11 |
| 13 user datasets (Nexus 7 tablets) | ~0.1 / — / — | Up to 100 | Yes (Implicit) | High | 51 |
| NUAA, MSU-MFSD, Replay-Attack DBs | 1.57 / — / — | 99.03 | Yes (Texture-based) | High | 75 |
| CASIA v4, MMU V2 | 0.44 / — / — | 87.7–94.5 | Yes (Implicit) | High | 32 |
| Custom ATM dataset (Raspberry Pi) | — / — / — | ≈82–85 | Yes (Real-time) | Low–Moderate | 78 |
| Real user documents (Web portal) | — / — / — | N/A | Partial (Live capture) | Moderate–High | 79 |
| NIR Scanner Prototype (Raspberry Pi) | — / — / — | High (≥98) | Yes (Contactless) | High | 80 |
| Custom Android app (15 users) | — / — / — | ≈90 | N/A | Moderate | 49 |
| Smartphone RGB cameras (NTUST, XJTU DBs) | 0.49 / — / — | ≈99 | Yes (Live capture) | Very High | 81 |
| Android (BLE/NFC); MobileFaceNet (MS-Celeb DB) | — / — / — | N/A | Yes (Real-time) | High | 82 |
| HMOG dataset (100 users, Galaxy S4) | 3.35 / — / — | 98.75% (F1) | Yes (Implicit) | High | 83 |
| Serwadda et al. dataset (Smartphones) | 0.179 / — / — | 89 | N/A | Moderate–High | 84 |
| Custom mobile app (IoT/Healthcare) | — / — / — | N/A | Yes (Mutual auth.) | High | 30 |
| Custom mobile/web prototype (Firebase) | — / — / — | N/A | Yes (Context-aware) | High | 85 |
| Custom dataset (Smartphones/Tablets) | 0.24 / — / — | 96.23% | Yes (Dynamic) | High | 86 |
| Prototype app (Android + Firebase) | — / — / — | N/A | Yes (Context-aware) | High | 13 |
| AR, MUCT DBs + mobile frames | — / — / — | 99.85 | Yes (Real-time) | High | 87 |
| Custom Android app (Razorpay API) | — / — / 0.28 | ≈97–98 | Yes (Real-time) | Moderate–High | 88 |
| ECG-ID, Heartprint, Custom BMD101 DBs | 5.61 / — / — | 94.39 | Yes (Inherent) | Very High | 89 |
| Synthetic DBs (PhysioNet, SOCOFing, IIT) | 0.20 / 0.20 / 0.21 | 99.80 | Yes (ECG validation) | Very High | 90 |
| Custom Kaggle dataset (Web platform) | — / — / — | 98.0 | N/A | Moderate | 91 |
| LFW, FVC2004, CASIA, UBIRIS DBs | 0.085 / 0.02 / 0.15 | 99.47 | Yes (DL-based PAD) | Very High | 92 |
| Custom dataset (not stated) | — / — / — | >98 | N/A | Moderate | 93 |

Table 6 shows that most of the biometric authentication systems published since 2020 reported accuracy above 95%, and most multimodal or deep learning-based systems reported an EER below 1%. However, these quantitative findings must be interpreted with caution. Studies with controlled datasets, small populations, or prototype settings reported the highest accuracy, whereas those intended to operate in less constrained mobile settings were more likely to report a broader error range. Fingerprint, face and multimodal schemes usually performed well on devices with mature sensors and with liveness detection added, whereas more specialized modalities such as iris, vein, EEG or ECG showed good security potential but tend to rely on limited acquisition conditions or extra hardware. Practically, the evidence gathered to date indicates that fingerprint and facial recognition are currently the most deployment-ready technologies in mobile banking, since they offer the most viable combination of accuracy, device availability, and user familiarity. Multimodal fusion seems especially useful in higher-risk scenarios where the increase in complexity is warranted. At the same time, nearly half of the reviewed studies did not report FAR and FRR in a comprehensive or comparable fashion, and only some studies explicitly tested presentation attack detection or spoofing resistance. Therefore, the main quantitative finding is not simply that biometric systems work, but that performance claims are hard to compare across studies because of the large differences in dataset design, testing conditions, population size, and reporting practices.
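To make the reporting gap concrete, the following added example (not from any reviewed study) computes FAR, FRR, accuracy and EER from a constructed set of match scores. It shows why an accuracy figure on its own, as reported by many of the studies in Table 6, cannot be compared with another study's EER: the same system yields different accuracy and FAR at each threshold, and the genuine/impostor mix of the test set changes accuracy without changing FAR or FRR.

```python
"""FAR, FRR, EER and accuracy from biometric match scores.

Constructed example, not results from any reviewed study: the genuine and
impostor scores below are made-up values on a 0..1 similarity scale, chosen
to show why accuracy alone is not comparable across studies.
"""

# Constructed sample: similarity scores for genuine (same user) and impostor
# (different user) comparisons. Higher = more similar. Accept if score >= threshold.
GENUINE_SCORES = [0.95, 0.90, 0.88, 0.85, 0.80, 0.75, 0.70, 0.60, 0.55, 0.40]
IMPOSTOR_SCORES = [0.65, 0.50, 0.45, 0.42, 0.38, 0.30, 0.25, 0.20, 0.15, 0.10]


def far_frr(genuine, impostor, threshold):
    """FAR = fraction of impostor attempts accepted; FRR = fraction of genuine
    attempts rejected, both at the given decision threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def accuracy(genuine, impostor, threshold):
    """Overall accuracy: correct decisions over all comparisons. It depends on
    the genuine/impostor mix of the test set, which is why it hides FAR and FRR."""
    correct = (sum(s >= threshold for s in genuine)
               + sum(s < threshold for s in impostor))
    return correct / (len(genuine) + len(impostor))


def equal_error_rate(genuine, impostor):
    """EER: sweep every observed score as a candidate threshold and return the
    mean of FAR and FRR at the threshold where they are closest, plus that
    threshold. Returns (eer, threshold)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _gap, threshold, eer = best
    return eer, threshold


if __name__ == "__main__":
    for t in (0.5, 0.55, 0.6):
        far, frr = far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        acc = accuracy(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f} FAR={far:.2f} FRR={frr:.2f} accuracy={acc:.2f}")
    # Same scores, ten times as many impostor attempts: FAR/FRR unchanged,
    # accuracy changes, so accuracy alone says little about security.
    skewed = IMPOSTOR_SCORES * 10
    print("accuracy with skewed mix:", accuracy(GENUINE_SCORES, skewed, 0.5))
    print("EER=%.3f at threshold %.2f" % equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```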

4.2 Threat-facing mobile banking

Internet banking provides users with efficient convenience but remains at risk from multiple cybersecurity threats, which endanger financial service integrity and confidentiality as well as system availability.115,116 The financial sector faces three prominent security threats against banking consumers: phishing scams that trick customers into disclosing sensitive data, malware intrusions that take control of devices to intercept logins,117 and man-in-the-middle (MiTM) attacks that break the communication between customers and banking institutions. Ransomware attacks,118 along with brute-force methods and credential stuffing, exploit password weaknesses by targeting ordinary users who reuse their passwords across different accounts. Moreover, social engineering methods119 lead users to surrender their confidential information. These security threats affect individual users and also cause substantial damage to financial institutions' reputation and operational stability. We provide answers to RQ2 in this section: “What are the main security threats and vulnerabilities affecting biometric authentication in mobile banking?”. These threats include:

4.2.1 Malware attacks

Mobile banking malware has become increasingly dangerous as smartphone users shift more of their banking activity to mobile devices. The mobile-specific malware category includes banking Trojans and fake banking applications, which steal login data and intercept SMS authentication codes through screen overlay tactics.120 These threats rely on users installing harmful applications or following deceptive links that imitate genuine banking platforms. Protecting mobile banking therefore requires strong security measures and app store monitoring together with user education programs, since mobile users demonstrate limited security awareness and malware keeps adapting.100,121

4.2.2 Man-in-the-Middle (MiTM) attacks

A MiTM attack allows cybercriminals to intercept communications between two parties without either party detecting the intrusion. Attackers capture sensitive information sent by the user, including login credentials and transaction details, while it is in transit. Unsecured networks, and public Wi-Fi networks in particular, are favoured because they give attackers an easy vantage point over the communication. Combining SSL/TLS encryption with secure programming practices and user training about risky networks keeps sensitive banking information protected during online financial activities.56,122,123

4.2.3 Replay attack

In a replay attack, an attacker intercepts authentic transmission data and resends it to fool the intended recipient into taking actions such as authorizing a transaction. Replaying captured messages allows attackers to pose as the victim and resubmit transaction details to the bank, resulting in payments or account transfers.124 Attackers exploit older communication protocols that lack session state validation and timestamping. All submitted transactions should therefore pass through time-based authentication protocols, and financial institutions need to use nonce-secured requests with session tokens to prevent such attacks.56,125,126

4.2.4 Phishing attacks

Phishing is a social engineering operation in which attackers pose as trusted parties to steal sensitive data, including usernames, passwords and credit card details. In online banking, criminals execute phishing attacks through fake websites or emails designed to look like genuine banking sites, which trick users into providing login details and sensitive financial information. Phishing succeeds by exploiting human error and trust to obtain sensitive information, so users must develop heightened awareness to stop it.121,127

4.2.5 Social engineering

Attackers use social engineering as a method to force users to reveal sensitive data or perform actions that endanger their banking account security through online interfaces. Attackers use deception techniques such as urgency fabrication along with impersonation and trust-building tactics to trick users.57,128,129

4.2.6 SQL injection

Attackers conduct SQL injection by inserting malicious SQL syntax into input strings that are passed to the database for processing. SQL injection allows attackers to obtain user credentials, including usernames and passwords. The stolen credentials then serve as keys for unauthorized access to user accounts.14,130,131
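To make the contrast between the vulnerable query pattern and the prepared-statement control listed later in Table 7 concrete, the following added example (not code from any reviewed study or bank) builds an in-memory SQLite table with constructed users and shows a string-concatenated lookup beside a parameterized one. The table and column names, the stored rows and the test input are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed credential table; the hashes are placeholders, not real."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'placeholder-hash-1')")
    conn.execute("INSERT INTO users VALUES ('bob',   'placeholder-hash-2')")
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: user input is spliced into the SQL text, so characters in
    the input are interpreted as SQL syntax rather than as data."""
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Hardened: a prepared statement with a bound parameter. The driver sends
    the input as a value, so it can only ever match a username literally."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    conn = build_db()
    # Constructed input containing a tautology: data that looks like SQL.
    hostile_input = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, hostile_input),  # returns every user
        "safe": lookup_safe(conn, hostile_input),              # matches nothing
        "normal": lookup_safe(conn, "alice"),                  # legitimate lookup
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:10s} -> {rows}")
```

The parameterized version needs no input sanitization to be safe against this class of bug; validation remains useful for data quality, but the control that removes the vulnerability is keeping data and SQL text separate.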

4.2.7 Keylogger

A keylogger is malicious software that records keystrokes. It logs every keystroke typed on a compromised system and captures sensitive data, including passwords and usernames. A device can acquire a keylogger in several ways, including opening tainted attachments, clicking on harmful links and downloading files from unverified sources. Once installed, the keylogger uses the system to record keystrokes.29

4.2.8 Weak password

Weak passwords pose security threats to online banking since they provide easy opportunities for attackers to guess them. The entry of unauthorized actors becomes easier when passwords are weak because they gain instant access to sensitive data and user accounts and execute fraudulent schemes.123,132

4.2.9 Denial-of-Service (DoS) attacks

DoS attacks block access for genuine users of online banking by flooding the system with abusive network traffic that saturates its resources. The resulting service interruptions and customer dissatisfaction lead to financial losses for the bank. Some attacks that create denial-of-service conditions also serve as cover for other, more dangerous threats, including data theft.98,101

4.2.10 Session hijacking

Unauthorized session access, which enables an attacker to exploit user identity for online bank account access, is known as “session hijacking.” Network connection interceptions, along with exploiting system vulnerabilities, enable attackers to conduct unlawful activities while acquiring private information.133

4.2.11 Presentation attacks and digital injection attacks

Among the most critical and rapidly evolving threats to biometric authentication in mobile banking are presentation attacks and digital injection attacks. These two attack classes are distinct in their mechanism, but both aim to deceive biometric verification systems into granting unauthorized access.

Presentation attacks (also known as spoofing attacks) place a physical or digital object in front of a sensor to impersonate a legitimate user. Examples are printed photographs, replayed video recordings, 3D-printed masks, silicone fingerprint replicas, and, most often, high-fidelity deepfake-generated faces. The success of such attacks is determined by the quality of the artifact and the strength of the liveness detection mechanism used. Liveness detection (also called presentation attack detection, PAD) tries to differentiate between a live and a spoofed biometric sample using texture, motion, depth, or physiological cues. Nevertheless, existing PAD systems have been shown to suffer severe performance loss when tested across different datasets or deployment environments, a problem that the U.S. National Institute of Standards and Technology (NIST) is actively tackling in its ongoing Face Analysis Technology Evaluation (FATE) program, which tests leading PAD systems under controlled conditions and shows that even state-of-the-art systems are not perfect against advanced attack scenarios.

Digital injection attacks are a newer, more technologically advanced threat. Instead of placing an artifact in front of a sensor, the attacker intercepts or bypasses the sensor altogether by injecting synthetic or corrupted biometric data directly into the software pipeline at the data transmission layer, between the capture device and the matching engine. This type of attack exploits vulnerabilities in application APIs, mobile operating system interfaces, or unsafe data channels rather than sensor weaknesses. Generative Adversarial Networks (GANs) have dramatically reduced the cost of injection attacks: an attacker can now create realistic synthetic face images or fingerprint templates that closely match the biometric profile of an enrolled user and inject them into the authentication pipeline without gaining physical access to the user’s device or biometric sensor. Face morphing attacks are a related GAN-based threat in which the faces of two people are blended into one image that verifies as both persons, which is especially dangerous for digital identity enrollment processes such as the eKYC procedures employed by banks. Defending against injection attacks requires integrity protection of the biometric data pipeline, such as software-level anti-spoofing, sensor authentication through certificates, and runtime integrity verification of the authentication application. In mobile banking deployments, these requirements interact directly with the security architecture of the mobile operating system and the degree of hardware-backed protection available on the device.

Several of the reviewed studies address presentation attacks; Table 6 shows that approximately half of the included studies report some form of spoofing resistance evaluation. Digital injection attacks, however, are rarely treated as a distinct threat category in the surveyed articles, although they are increasingly common in real-life eKYC fraud. This gap indicates that future studies on mobile banking biometric authentication should explicitly model and analyze both attack surfaces, not just physical spoofing, in order to offer a more comprehensive security assurance model.
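The nonce- and timestamp-based controls recommended against replay in 4.2.3 and the sensor authentication and pipeline integrity protection called for against injection in 4.2.11 can be expressed in one protocol: the server issues a fresh challenge, the device’s trusted capture component signs the fresh sample together with that challenge, and the server accepts each challenge only once and only within its lifetime. The following Python sketch is an added example, not code from any reviewed study or bank; the device key, the challenge lifetime, the in-memory nonce cache and the fake clock are assumptions, and the sample bytes stand in for a real biometric template.

```python
import hashlib
import hmac
import os

# Constructed device key (assumption): a real deployment would provision it at
# enrollment into the phone's hardware-backed keystore so that only the trusted
# capture component can sign.
DEVICE_KEYS = {"device-123": b"constructed-device-key-do-not-use"}

CHALLENGE_TTL = 30.0  # seconds a challenge stays valid (assumed policy)


class FakeClock:
    """Controllable clock so freshness checks can be demonstrated offline."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


def _message(device_id, nonce, timestamp, sample):
    # Everything the server relies on is covered by the MAC: which capture
    # component signed, the server's challenge, the capture time and a digest
    # of the captured sample itself.
    header = f"{device_id}|{nonce}|{timestamp}|".encode()
    return header + hashlib.sha256(sample).digest()


def sign_capture(device_id, nonce, sample, timestamp):
    """Device side: the trusted capture component signs the fresh sample."""
    key = DEVICE_KEYS[device_id]
    return hmac.new(key, _message(device_id, nonce, timestamp, sample), hashlib.sha256).hexdigest()


class AuthServer:
    """Server side: issues challenges and verifies signed captures."""

    def __init__(self, now):
        self.now = now
        self.issued = {}   # nonce -> (device_id, issued_at)
        self.used = set()  # nonces already consumed (in-memory cache, assumption)

    def issue_challenge(self, device_id):
        nonce = os.urandom(16).hex()
        self.issued[nonce] = (device_id, self.now())
        return nonce

    def verify(self, device_id, nonce, sample, timestamp, signature):
        issued = self.issued.get(nonce)
        if issued is None or issued[0] != device_id:
            return False, "unknown challenge"
        if nonce in self.used:
            return False, "replayed challenge"
        if self.now() - issued[1] > CHALLENGE_TTL or timestamp < issued[1]:
            return False, "expired challenge"
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, _message(device_id, nonce, timestamp, sample), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "sample or metadata does not match signature"
        self.used.add(nonce)  # consume the challenge: one use only
        return True, "accepted"


def demo():
    """Four constructed scenarios: genuine, replayed, injected, stale."""
    clock = FakeClock(1000.0)
    server = AuthServer(now=clock)
    sample = b"constructed-face-template-bytes"  # stands in for a real capture
    results = {}

    nonce = server.issue_challenge("device-123")
    sig = sign_capture("device-123", nonce, sample, clock())
    results["genuine"] = server.verify("device-123", nonce, sample, clock(), sig)[0]
    # Resending the identical message is rejected: the nonce was consumed.
    results["replay"] = server.verify("device-123", nonce, sample, clock(), sig)[1]

    # Injection: a different sample substituted after the component signed.
    nonce2 = server.issue_challenge("device-123")
    sig2 = sign_capture("device-123", nonce2, sample, clock())
    results["injected"] = server.verify("device-123", nonce2, b"synthetic-face", clock(), sig2)[1]

    # Stale: a correctly signed capture presented after the challenge expired.
    nonce3 = server.issue_challenge("device-123")
    t3 = clock()
    sig3 = sign_capture("device-123", nonce3, sample, t3)
    clock.t += CHALLENGE_TTL + 1
    results["stale"] = server.verify("device-123", nonce3, sample, t3, sig3)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The protocol does not detect a spoof presented to the sensor itself; that remains the job of PAD. What it removes is the value of captured or fabricated pipeline data, because nothing the server accepts can be reused or produced without the device key and a live challenge.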

The attacks described above also expose the supply chain and the third-party and endpoint access paths of online banking systems. In supply chain attacks, attackers use external third-party software or vendors as a route into banking systems; the resulting vulnerabilities may lead to unauthorized access and data breaches. In endpoint attacks, attackers target the user’s devices and other end points, aiming to infiltrate the device and access confidential banking data, which results in financial fraud and unauthorized transactions.126

Financial institutions need to use the security measures presented in Table 7 to build protective online banking systems that secure user financial details. Financial institutions establish better online banking security through a complete strategy that integrates technical solutions such as firewalls and antiviruses, educates users about risks and develops essential policies plus continuous observations of systems. Table 7 summarizes these threats while presenting countermeasures that could serve to prevent them.

Table 7. Online banking user authentication threats with potential controls.

Attacks | Potential controls | Reference
Malware attacks | Antivirus and anti-malware software; regular system updates; application whitelisting; user education and sandboxing. | 31,124,134
Man-in-the-Middle (MitM) attacks | End-to-end encryption (e.g., TLS/SSL); certificate pinning; secure key exchange (e.g., Diffie-Hellman); avoid public Wi-Fi or use a VPN. | 135,136
Replay attacks | Timestamps and nonce-based protocols; secure tokens with expiration; mutual authentication. | 125,132
Phishing attacks | Email filtering (spam/phishing detection); user awareness training; domain monitoring; MFA to mitigate stolen credentials. | 57,137,138
Social engineering | Security awareness programs; simulated phishing tests; clear verification policies; insider threat monitoring. | 137,139,140
SQL injection | Input validation and sanitization; prepared statements (parameterized queries); web application firewalls (WAF). | 130
Keylogger | Anti-spyware detection tools; behavioral monitoring; OS hardening and restricted privileges; on-screen keyboards for sensitive input. | 141
Weak passwords | Enforce strong password policies; password managers; MFA/2FA; rate limiting and lockout mechanisms. | 142,143
DoS | Traffic filtering and rate limiting; use of CDNs; redundant systems and load balancing; anomaly detection (IDS/IPS). | 144
Session hijacking | Secure cookie attributes (e.g., HttpOnly, Secure, SameSite); session timeout policies; token-based session management; HTTPS for all traffic. | 133

4.3 Biometric Authentication Used in International Banks

The investigation of RQ3: “How do major banks worldwide implement and integrate biometric authentication into their mobile banking applications?” takes place in this section. The analysis of authentication practices utilized by international banks provides fundamental knowledge about contemporary changes in online banking safety measures. The selected banks and their user authentication techniques are summarized in Table 8, which illustrates how various major financial institutions authenticate their users. The purpose of Table 8 and Table 9 is to provide an illustrative synthesis of reported banking practices drawn from the reviewed and cited sources, rather than a definitive audit of the current security architecture of each institution.

The information in Table 8 reveals the user authentication strategies used by several well-known financial institutions, including JPMorgan Chase, Bank of America, HSBC, Barclays, Deutsche Bank, BNP Paribas, Santander, ING, Standard Chartered, DBS Bank, HSBC Hong Kong, RBC (Royal Bank of Canada), and NAB (National Australia Bank).

Financial institutions use MFA systems because they prioritize the defense of customers’ online account security. Password authentication remains their principal security procedure. Account holders must create passwords that adhere to prescribed guidelines (such as the NIST password policy) requiring eight or more characters with a mixture of upper- and lowercase letters, numbers and symbols. Passwords are the first line of defense against unapproved system access. OTP authentication is a second approach that numerous financial institutions currently use: when logging in from a new device, users must provide a unique one-time password delivered through SMS or email to complete the login process. Because an OTP is valid for a single login session and for a limited time, it is highly unlikely that an attacker can obtain and use it. The rising trend in banking shows that physiological biometric identification serves banks as a safer authentication option than passcodes. Unique physical attributes such as fingerprints and facial features serve as verification tools to identify customers.113 Because such data are hard to falsify, biometrics form a strong barrier against unauthorized access. Security at these banks is implemented via 2FA: during first-time logins from new devices, users must present a second factor alongside their password, either an OTP or biometric verification. The double authentication requirement of 2FA145 makes unauthorized access attempts practically impossible.
Banks also offer alternative authentication solutions, including USB security keys, security questions, challenge/response authentication, voiceprint authentication and device fingerprinting.146 Device fingerprinting identifies the devices used by customers, whereas voiceprint authentication depends on the characteristics of a person’s voice.147 A challenge/response system requires the customer to enter authorization codes that the bank transmits to their mobile device. Security keys connected to a USB port extend online banking safety by letting users tighten transfer constraints through their computer’s USB connector. During login, the system asks customers to answer security questions that were chosen earlier on the platform, thereby completing the authentication. These banks continuously assess and update their security measures to keep customer accounts protected against new security challenges.

We highlighted the use of biometrics in leading banks, extracted from Table 8, to determine the most used authentication methods. Table 9 illustrates the role of the biometric methods used by leading banks.

Table 8. Summary of biometric authentication methods implemented by major global banks, with emphasis put on their security settings and location of operations.

Bank | Country | Authentication methods | Ref.
JPMorgan Chase | USA | Username/password, OTP via SMS/email, biometric (Face ID, Touch ID), device recognition | 25
Bank of America | USA | Username/password, OTP via SMS/email, biometric login via app (Face/Touch ID), app-based MFA | 3
HSBC | UK/Global | Secure Key (hardware/token), Mobile Security Key (in-app), biometric login, OTP | 106,148
Barclays | UK | PINsentry device, biometric login, app-based MFA, SMS/email OTP | 149
Deutsche Bank | Germany | Username/password, mobile TAN (mTAN), photoTAN, biometric login, push notification approval | 150,151
BNP Paribas | France | Password + OTP (SMS/email), biometric login, mobile token, app-based confirmation | 152
Santander | Spain/Global | Password, OTP via SMS/email, Mobile Sign (in-app approval), biometric authentication | 153
ING | Netherlands | PIN/password, fingerprint/Face ID via app, in-app transaction approval | 114,154
Standard Chartered | UK/Asia/Africa | Username/password, OTP via SMS/email, app-based security token, biometric login | 155
DBS Bank | Singapore | Biometric login, digibank Secure Device, app-based push approval, OTP | 105,114
HSBC Hong Kong | Hong Kong | Mobile Security Key, Face ID/Touch ID, OTP via SMS, transaction signing | 154
RBC (Royal Bank of Canada) | Canada | Username/password, OTP, biometric login, 2FA through Secure Cloud | 155
NAB (National Australia Bank) | Australia | Password, SMS OTP, biometric login via mobile app, device recognition | 25

Table 9. Biometric authentication methods implemented in leading banks.

Bank | Biometric technology used | Application area
JPMorgan Chase | Facial recognition, palm vein scanning | In-store payment authentication
Bank of America | Fingerprint, facial recognition | Mobile banking app
HSBC | Fingerprint, facial recognition, Voice ID | Mobile banking app
Barclays | Voice recognition | Phone banking services
Deutsche Bank | Fingerprint, facial recognition | DB Secure Authenticator app
BNP Paribas | Fingerprint | Biometric payment cards
Santander | Fingerprint, facial recognition | Mobile banking app
ING | Fingerprint | Mobile banking app
Standard Chartered | Fingerprint, facial recognition | Mobile banking app
DBS Bank | Fingerprint, facial recognition, voice recognition | Mobile banking app; ATM transactions
HSBC Hong Kong | Fingerprint, facial recognition | Mobile banking app
RBC (Royal Bank of Canada) | Fingerprint, facial recognition | Mobile banking app
NAB (National Australia Bank) | Fingerprint, facial recognition | Mobile banking app

From Table 9 we note the following. Fingerprint and facial recognition are the two most used biometric mechanisms, probably because most smartphones now support them and users readily accept them. Voice recognition is rarer and appears more often in mobile-based banking. Palm vein scanning is quite unusual, but it offers higher security and is used in physical (in-store payment) authentication scenarios. Mobile banking, for convenient and secure login, is the most common area of biometric application. Some banks (for example, DBS Bank) combine several biometric modalities, such as fingerprint, face and voice, which suggests a multimodal approach to improving security.

Figure 7 depicts how often each biometric authentication method is used by the banks. As can be observed, fingerprint and facial recognition outrun the competitors, while voice and palm vein scanning are far rarer.


Figure 7. Distribution of biometric authentication technologies (e.g., fingerprint, facial, voice, palm) adopted by major banks in the world, reflecting adoption trends and popularity in mobile banking services.

4.4 Usability and user perception challenges and limitations

The literature indicates a persistent trade-off between usability and security strength in mobile banking authentication. Although biometrics may help reduce friction compared with relying on passwords alone, their adoption depends on how reliably they perform under real-world conditions and how effectively they can be integrated into broader banking workflows. Notably, the banking practices summarized earlier in Table 8 show that major banks rarely rely on a single biometric factor alone. Instead, they typically combine biometric authentication with app-based approval, OTP, device recognition, secure tokens, or transaction verification mechanisms. This implementation pattern helps explain the usability–security trade-off reported in the literature: banks tend to use fingerprint or facial recognition to simplify routine logins, while retaining stronger step-up authentication for new devices, sensitive transactions, or higher-risk situations. In this sense, usability and privacy challenges are not separate from implementation strategy; rather, they directly shape how banks deploy biometrics in practice. Institutions appear to manage this trade-off by using low-friction biometrics for convenience while maintaining layered controls to preserve security assurance as risk increases.

Usability and user perception are important factors influencing the adoption and effectiveness of biometric authentication techniques in mobile banking. As indicated in other studies,156,157 one issue many users face with biometric systems is irritation at their unreliability, such as failure to recognize a fingerprint when the finger is wet or the skin is damaged, or because of sensor limitations. Similarly, facial recognition has been observed to perform poorly in low-light situations or when the user is wearing glasses or a face mask. Such technical shortcomings may undermine trust in the system and lead people to turn off the security features or switch to less safe options (e.g., back to passwords or PINs).

On top of technical problems, user perception plays an important part in the adoption of biometrics. One study158 revealed that a high percentage of users were worried about the safety and confidentiality of their biometric data, particularly when it was stored on a cloud-based platform instead of being secured on the device. The level of confidence in the bank and in its handling of confidential information was a deciding factor in whether users activated biometric authentication. Moreover, some studies38 have pointed out that MFA can be inaccessible, especially to older people and individuals with disabilities who might have difficulty using or understanding some MFA techniques. Overall, the literature points to the need to design authentication systems that combine security with simplicity of use, availability, and visibility, so that the security apparatus does not become an obstacle to user interaction. The outlook for online banking user authentication techniques and cyber threats remains uncertain, but the resulting risks remain massive.58

In this section we answered RQ4: “What are the key usability, privacy, and user acceptance challenges related to biometric authentication in mobile banking?”.

These challenges represent the main difficulties that must be addressed when enhancing the security of online banking systems, in addition to user authentication procedures. We have classified the most important challenges as follows:

4.4.1 Artificial intelligence challenge

The adoption of artificial intelligence and machine learning by cyberattackers threatens online banking infrastructure, enabling network breaches and defeating detection systems. ML offers several methods for breaching online banking authentication systems.159–161

4.4.1.1 Bias in biometric systems

Biometric systems powered by artificial intelligence produce irregular results when processing users from diverse population demographics, including ethnicities, as well as gender and age groups. A lack of diversity in training data can result in unfair FAR or FRR errors that produce trust and legal challenges among specific users.162

4.4.1.2 Adversarial attacks

Information security risks exist because AI authentication systems can be deceived through adversarial examples that adversaries specifically generate to trick them (such as manipulated fingerprints, deepfakes or altered patterns). Researchers aim to build authentication models with resistance to manipulation because this remains a critical research topic.125,163,164

4.4.1.3 Deep fakes can be produced

Deep fakes are produced with ML techniques. These artificial works replace a person’s likeness in existing images and footage with someone else’s. Any recorded online banking registration activity can be faked through deep fakes to steal the user login credentials used in the faked video.163,165–167

4.4.1.4 ML technology

ML enables the automation of attacks against internet-facing banking systems. ML techniques make it possible to automate guessing attacks, brute-force attacks and DoS attacks against online banking systems,144 giving attackers simpler ways to run successful assaults against online banking infrastructure. Phishing attacks can also be launched with the assistance of ML.168 Phishing uses deceptive methods to get users to reveal critical account information, including bank card numbers and network access secrets. AI facilitates the development of convincing phishing emails and corresponding websites that target users,159 and these attacks become more deceptive because they have a higher probability of fooling users.

ML provides banks with tools to protect their systems from cyberattacks, enabling them to enhance the security and resilience of their systems. By utilizing ML, banks enhance both their risk management and compliance practices to detect and prevent fraud together with malware and phishing attacks.169 The application approach of ML determines whether it offers either risk or an opportunity to use online banking systems.170

4.4.1.5 High computational and energy demands

Real-time, AI-based authentication that runs on the device’s own resources is limited on older and less expensive mobile devices. Moving processing to the cloud introduces new security risks as well as greater processing delays.171

4.4.1.6 Explainability and transparency

Explainability and transparency in mobile banking deserve attention because biometric authentication systems are often complex. Since these systems depend heavily on complicated AI and machine learning algorithms to make authentication decisions, users and even system operators are often locked out of the process of how such decisions are made. The absence of an obvious justification for denying access or flagging a user as suspicious may cause frustration, mistrust, and user abandonment. In addition, regulatory and ethical aspects, auditing, accountability, and the determination of fairness all depend on transparent systems, especially when sensitive biometric data are involved. Improving explainability will enable developers to pinpoint and redress errors or bias and give users a better understanding of how their data are used, enhancing trust and confidence in mobile banking authentication in general.171,172

4.4.1.7 Spoofing and presentation attacks

Presentation attacks and spoofing vulnerability are among the greatest disadvantages of biometric authentication in mobile banking systems. These attacks consist of fooling the system with fake or fabricated biometrics, including silicone fingerprints,132 high-resolution photographs of the face, or even complex 3D-printed masks.173 As an example, an attacker can lift a fingerprint off a surface and re-mold it in gelatin or latex, or defeat facial recognition with a video replay or a 3D mask.174 Most biometric systems have attempted to counter these threats with liveness detection, which may rely on blinking or skin texture, although not universally and reliably across all devices. Spoofing attacks succeed more easily on low-end smartphones or in applications with weak security. Also, liveness detection may affect user experience in some cases, which leads developers to turn it off or weaken it.43 With ever-evolving spoofing techniques such as deep fakes and masks embedded with motion, present-day biometric systems are struggling to provide secure authentication. This not only exposes user accounts to unauthorized access but also jeopardizes user trust and raises legal and regulatory issues for financial institutions. Implementing multimodal biometric authentication, continuous monitoring and AI-based spoof protection is essential in building solid mobile banking security.175

4.4.1.8 Dependency and hardware limitations

In mobile banking, the performance of biometrics depends heavily on the hardware capacity of the user’s device. Premium smartphones are more likely to have improved sensors, such as depth cameras or ultrasonic fingerprint readers,176 which enable authentication with high degrees of accuracy and safety. By contrast, low-end or older devices come with basic 2D cameras or capacitive sensors, which are more error prone and more easily spoofed. Such hardware mismatches may cause uneven authentication experiences, varying false acceptance and false rejection rates, and the exclusion of users with outdated devices.177 Also, scarce hardware support makes app development harder and prevents the implementation of higher levels of security, which in turn makes mobile banking platforms less secure and less accessible.

4.4.2 False Acceptance/False Rejection Rates (FAR/FRR)

FAR and FRR are among the errors (Figure 8) that make biometric authentication systems vulnerable. FAR is the rate at which access is wrongly granted to unauthorized users, and FRR is the rate at which legitimate users are wrongly denied. Such errors may be caused, among other things, by improper lighting, occlusions or damaged sensors, changes in the user’s physical appearance (age, injury, facial hair), or inconsistent sensor behavior across different devices. A high FAR compromises security, whereas a high FRR affects usability and user satisfaction, both important in mobile banking applications. Designing a workable balance between these rates is a major difficulty in the design of biometric systems.177


Figure 8. Illustration of the trade-off between FAR and FRR in biometric authentication.
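To show how the Figure 8 trade-off arises from a matcher’s decision threshold, the following added example (not from the review or any cited system) sweeps thresholds over a constructed set of genuine and impostor similarity scores, computes FAR and FRR at each, locates the equal error rate that Table 6 reports for the reviewed systems, and reports the FRR that users pay for a given FAR budget. The score lists are constructed for the demonstration; a real matcher would supply them.

```python
# Constructed matcher scores in [0, 1]; higher means "more similar to the
# enrolled template". Genuine = same person, impostor = different person.
GENUINE_SCORES = [0.95, 0.93, 0.91, 0.90, 0.88, 0.86, 0.85, 0.83, 0.81, 0.80,
                  0.78, 0.76, 0.75, 0.73, 0.71, 0.70, 0.65, 0.60, 0.52, 0.48]
IMPOSTOR_SCORES = [0.05, 0.08, 0.10, 0.13, 0.15, 0.18, 0.20, 0.23, 0.25, 0.28,
                   0.30, 0.33, 0.35, 0.38, 0.40, 0.45, 0.50, 0.55, 0.62, 0.72]


def far_frr(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept when score >= threshold.
    FAR: fraction of impostor attempts accepted (security failure).
    FRR: fraction of genuine attempts rejected (usability failure)."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def error_curve(steps=100, **kw):
    """(threshold, FAR, FRR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [(t / steps, *far_frr(t / steps, **kw)) for t in range(steps + 1)]


def equal_error_rate(**kw):
    """Threshold where FAR and FRR are closest; the EER is their value there."""
    threshold, far, frr = min(error_curve(**kw), key=lambda row: abs(row[1] - row[2]))
    return threshold, (far + frr) / 2


def cheapest_threshold(max_far, **kw):
    """Lowest threshold that keeps FAR within budget, and the FRR it costs.
    A stricter FAR budget (higher security) always raises the FRR (usability)."""
    for threshold, far, frr in error_curve(**kw):
        if far <= max_far:
            return threshold, far, frr
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    t, eer = equal_error_rate()
    print(f"EER {eer:.2f} at threshold {t:.2f}")
    for budget in (0.10, 0.05, 0.0):
        t, far, frr = cheapest_threshold(budget)
        print(f"FAR budget {budget:.2f}: threshold {t:.2f}, FAR {far:.2f}, FRR {frr:.2f}")
```

With these constructed scores the two curves cross at an EER of 0.10, while driving FAR to zero costs a 30% rejection rate for legitimate users; this is the reason the text gives for banks keeping low-friction biometrics for routine login and adding step-up factors where the FAR budget must be tighter.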

4.4.3 Balancing security and usability

Striking the right balance between security and usability is one of the major issues in implementing biometric authentication in mobile banking. Although stronger security procedures, e.g., multiple authentication factors or high-quality liveness detection, increase security, they can also introduce friction, delay or confusion for users. Conversely, simplified forms of authentication provide a better experience but can leave systems at higher risk of attack. For example, multi-step login flows can be strenuous for users and decrease usage of the application, while using biometrics as the only mode of verification can exclude users with certain accessibility challenges. Effective authentication therefore requires a balance between sound protection against threats and preserving ease of use and accessibility. Achieving that requires adaptive authentication mechanisms, user-centered design, and continuous assessment of security risks as well as user behavior.178,179

4.4.4 Regulatory and ethical compliance

The regulatory environment is also a significant factor that influences the adoption of biometric authentication in mobile banking in various markets. Banking and payment environments are not entirely homogeneous, and regulatory frameworks like the updated Payment Services Directive (PSD2) and Strong Customer Authentication (SCA) requirements in the European context affect the way institutions structure and implement authentication processes. Specifically, requirements regarding multi-factor authentication, transaction approval, and dynamic linking in certain jurisdictions can influence the degree to which biometrics are used as a standalone mechanism or in combination with OTP, device recognition, or app-based confirmation systems. Thus, the real-world application of biometric authentication in banking must be understood not only as a technical design decision but as one that is shaped by legal, regulatory, and market-specific factors.

To understand the concrete implications of these regulatory requirements for biometric system design, it is necessary to examine the SCA technical standards in more detail. Under PSD2 and its accompanying Regulatory Technical Standards (RTS) on SCA, financial institutions operating in the European Union are required to apply SCA for a wide range of electronic payment transactions. SCA mandates the use of at least two independent factors from the categories of knowledge (something the user knows), possession (something the user has), and inherence (something the user is — i.e., biometrics). Biometrics may therefore satisfy the inherence element of SCA, but they cannot constitute the sole authentication mechanism for transactions that fall within the directive’s scope.

A particularly important and technically demanding requirement of the PSD2/SCA framework is the dynamic linking property. Dynamic linking requires that authentication codes generated for a transaction must be specifically bound to both the transaction amount and the payee account at the time of authorization. This means that an OTP or authentication token cannot be reused across different transactions or intercepted and applied to a modified transaction — if either the amount or the payee changes, the authentication code becomes invalid. In addition, the code must have a defined expiration time so that captured or delayed code cannot be replayed. This requirement has direct consequences for how biometric authentication may be integrated into payment workflows: a biometric verification step alone cannot satisfy dynamic linking, because it confirms user identity but does not cryptographically bind that verification to the specific transaction parameters. In practice, dynamic linking is most commonly implemented through OTP mechanisms combined with transaction data display, with biometrics used as the knowledge or possession-replacement factor within the same session. Banks that offer biometric-only login for account viewing may still be required to invoke a separate dynamic-linking-compliant authentication step before authorizing a payment, even if the user’s biometric has already been verified.

These regulatory constraints shape authentication architecture decisions in several concrete ways. First, banks in SCA-regulated markets cannot rely on biometric authentication alone as a complete transaction authorization mechanism; biometrics must be embedded within a broader MFA framework that includes a possession or knowledge factor. Second, the design of mobile banking applications in these markets must ensure that authentication sessions are tied to specific transaction contexts rather than providing a long-lived session that authorizes multiple actions. Third, the exemptions permitted under PSD2 — such as low-value transactions below €30, whitelisted payees, or low-risk transaction analysis — allow institutions to calibrate the intensity of authentication based on risk, which in practice has driven the adoption of step-up authentication architectures where biometrics handle routine access while higher-assurance mechanisms are invoked for sensitive operations. The banking practices reviewed in Table 8 broadly reflect this pattern: most major institutions combine biometric login with OTP, app-based approval, or device recognition rather than relying on a single mechanism, a design that is consistent with SCA requirements even in markets outside the EU where similar principles have been adopted voluntarily or through local regulation.
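The dynamic linking requirement and the step-up pattern described in the two paragraphs above, as an added example that is not part of the paper: an HMAC-based authentication code bound to payee, amount and issue time with an expiry window, and a simplified policy that decides when a biometric-only session is sufficient. The key, IBANs, amounts, the 300-second validity window, the 8-digit code format and the policy rules are assumptions of the example, not the RTS text or any bank's implementation.

```python
"""Added example (not from the paper): a minimal dynamic-linking check of the
kind PSD2/SCA requires, plus a simplified step-up policy. Key, IBANs and amounts
are constructed; the validity window and 8-digit display format are assumed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 300          # assumed validity window of a code
LOW_VALUE_LIMIT_CENTS = 30_00   # "below EUR 30" exemption named in the text


@dataclass(frozen=True)
class Transaction:
    payee_iban: str
    amount_cents: int


def _canonical(tx: Transaction, issued_at: int) -> bytes:
    """Unambiguous encoding of what the code is bound to: payee, amount, issue time.
    Length-prefixing the payee keeps different (payee, amount) pairs from colliding."""
    payee = tx.payee_iban.encode("ascii")
    return struct.pack(">H", len(payee)) + payee + struct.pack(">QQ", tx.amount_cents, issued_at)


def issue_code(key: bytes, tx: Transaction, issued_at: int) -> str:
    """Authentication code for exactly this transaction. Shortened to 8 digits so it
    can be shown next to the amount and payee the way an OTP is; the server must
    rate-limit attempts to compensate for the short code."""
    mac = hmac.new(key, _canonical(tx, issued_at), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def verify_code(key: bytes, tx: Transaction, issued_at: int, code: str, now: int) -> bool:
    """Accept only if the code matches the transaction as actually submitted and is
    still inside its validity window. A changed payee or amount recomputes to a
    different code; a delayed replay fails the time check."""
    if now < issued_at or now - issued_at > CODE_TTL_SECONDS:
        return False
    return hmac.compare_digest(issue_code(key, tx, issued_at), code)


def needs_dynamic_linking(action: str, tx: Optional[Transaction], payee_whitelisted: bool) -> bool:
    """Simplified step-up policy (an assumption of this example): biometric login
    alone covers account viewing and the exempted payments; others need a code."""
    if action == "view" or tx is None:
        return False
    if payee_whitelisted or tx.amount_cents < LOW_VALUE_LIMIT_CENTS:
        return False
    return True


def authorize(key: bytes, action: str, tx: Optional[Transaction], biometric_ok: bool,
              payee_whitelisted: bool, code: Optional[str] = None,
              issued_at: Optional[int] = None, now: Optional[int] = None) -> bool:
    """Server-side decision combining the biometric (inherence) result with the
    transaction-bound code wherever the policy demands one."""
    if not biometric_ok:
        return False
    if not needs_dynamic_linking(action, tx, payee_whitelisted):
        return True
    if code is None or issued_at is None or now is None:
        return False
    return verify_code(key, tx, issued_at, code, now)


if __name__ == "__main__":
    key = b"constructed-server-key-not-for-production"
    tx = Transaction("DE89370400440532013000", 250_00)   # constructed payee and EUR 250
    t0 = 1_700_000_000
    code = issue_code(key, tx, t0)
    print("original accepted:", verify_code(key, tx, t0, code, t0 + 30))
    print("amount changed:   ", verify_code(key, Transaction(tx.payee_iban, 2500_00), t0, code, t0 + 30))
    print("replayed late:    ", verify_code(key, tx, t0, code, t0 + 600))
    print("view, biometric only:", authorize(key, "view", None, True, False))
```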

In addition to these market-specific differences, regulatory and ethical compliance remains a central consideration when implementing biometric authentication in mobile banking. The legal environment is complex, and financial institutions have to comply with international data protection regulations including the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council on data protection and privacy, and the California Consumer Privacy Act of 2018 (CCPA), enacted by the California Legislature to enhance consumer data privacy protections in the United States.161 These laws obligate organizations to obtain informed consent from users, minimize the data collected, store information securely and make the processing of biometrics transparent. Banks also have an ethical obligation to prevent misuse and discrimination by systems that perform poorly for particular demographic groups. Failure to fulfill these responsibilities may lead to legal action, reputational damage, economic loss and loss of user trust. To comply, organizations are required to incorporate privacy-by-design, conduct regular audits of the system's fairness and non-discrimination, and give users full control over their personal biometric information.147

4.4.5 User privacy challenge

Online banking authentication through BBA, including fingerprint authentication, offers the highest security level because forging or stealing biometric data is very difficult. The application of BBA does, however, raise privacy-related problems. A breach of a bank's biometric database would give attackers the authentication data of all of its banking clients. Customers have reservations about banks and other organizations storing their biometric information. Banks that use BBA must therefore properly protect their clients' biometric data and secure it against unlawful processing through preventive measures. A privacy policy must exist that explains to clients how their biometric information will be handled.126

4.4.6 System compatibility challenge

Financial institutions must transform their current technology platforms and authorization procedures to accommodate different authentication approaches, such as biometrics alongside tokens and MFA, for online banking access. Additionally, merchants must accept the payment vendors that assist with online authentication.179

4.4.7 System usability challenge

User authentication faces a conventional challenge: making authentication methods easier to use tends to make systems less secure. Layering represents one approach to improving the security of user authentication systems.98 MFA requires multiple security checks that combine factors such as biometric authentication, passwords/PIN, OTP and/or other factors.73 Layering is founded on the principle that if one safeguard is breached, the remaining layers still protect the system from unauthorized users. More layers mean better protection but a declining usability experience, because the authentication procedure becomes more demanding with each additional layer, which ultimately leads to user frustration.178 A system thus gains security from multiple authentication layers while losing usability at the same time. Security and usability must be balanced when choosing authentication methods according to the required level of security.

5. Limitation

This systematic review has several limitations. First, a formal risk-of-bias or certainty assessment was not conducted because the included studies are highly heterogeneous in terms of datasets, evaluation protocols, biometric devices and performance metrics. Such variations make standardized tools (e.g., RoB, GRADE) unsuitable for technical and engineering research. Second, a meta-analysis was not possible because of the lack of comparable quantitative data across studies, since the reporting formats and evaluation measures (e.g., EER, FAR, FRR) differ significantly. Third, only studies published in English and available through selected digital libraries were included, which may introduce publication or language bias. Despite these limitations, this review comprehensively synthesizes current biometric-based authentication research and presents a structured analysis to guide future directions in mobile banking security.

6. Conclusion and future directions

This systematic literature review synthesized 97 studies on biometric authentication in mobile banking published between 2020 and 2025. Rather than simply summarizing what was found, this conclusion draws together the cross-cutting insights that emerge only when the evidence is viewed as a whole.

Taken together, the reviewed evidence shows that biometric authentication in mobile banking is evolving away from isolated biometric login toward layered and context-sensitive MFA architectures. Three overarching findings merit emphasis. First, the field has moved decisively away from single-factor biometric authentication toward layered, adaptive MFA architectures in which biometrics serve as one component among several — a shift confirmed both in the academic literature and in the practices of the 13 major banks surveyed in Section 4.3. Second, fingerprint and facial recognition are dominant not because they are always the best, but because they provide the most viable balance of sensor availability, user familiarity, implementation cost, and integration with smartphone ecosystems. Third, the threat landscape has evolved faster than the reviewed literature acknowledges, with AI-assisted presentation attacks and digital injection attacks representing gaps that future research must address more systematically.

The review further demonstrates that reported performance remains difficult to compare across studies due to discrepancies in datasets, devices, testing conditions, and inconsistent reporting of FAR, FRR, EER, and spoofing resistance. Nearly half of the reviewed studies did not report FAR and FRR comparably, and most evaluations were conducted under controlled conditions that do not reflect the variability of real-world mobile deployment. Therefore, the field does not yet possess an adequately standardized evidence base to facilitate sound cross-study comparison and deployment-focused benchmarking.

This paper has also demonstrated that mobile banking security is becoming increasingly layered and adaptive rather than relying on a single factor. The review synthesis confirms that the most deployable biometrics in current banking practice are fingerprint and facial recognition, as they provide the most viable trade-off between accuracy, device support, and user acceptance. An overview of major banks further shows that most organizations manage the security-usability trade-off by applying biometrics within MFA frameworks — using biometric convenience for routine access while enforcing more stringent secondary checks for high-risk transactions.

To answer RQ5, the review identifies several significant limitations in current research on biometric authentication in mobile banking: minimal application of robust multimodal fusion in real-world deployments, absence of testing in unconstrained real-world settings, incomplete and uneven reporting of operational measures, and a high degree of heterogeneity in datasets, devices, attack models, and experimental protocols. This heterogeneity complicates direct comparison between studies and undermines the power of cross-study quantitative synthesis. Future research should therefore focus on the following critical directions:

  • 1- Adaptive and Context-Aware Authentication: Future research should develop authentication systems that dynamically adjust the required level of assurance according to transaction sensitivity, device status, behavioral signals, and environmental context. Such designs are especially relevant for mobile banking because they can preserve usability during low-risk routine access while increasing protection in suspicious or high-value scenarios.

  • 2- Privacy-Preserving Biometric Systems: Future work should prioritize stronger protection of biometric data during collection, storage, transmission, and matching. This includes exploring privacy-preserving computation, template protection, secure on-device processing, and transparent consent mechanisms so that stronger authentication does not come at the expense of user trust or regulatory compliance.

  • 3- Threat Modeling in Evolving Environments: Future studies should evaluate biometric authentication against emerging attack surfaces, including AI-generated presentation attacks, adversarial manipulation, device compromise, and risks introduced by embedded finance ecosystems. Greater attention should also be paid to realistic liveness evaluation and attack simulation under mobile deployment conditions.

  • 4- Future Use of Multimodal Fusion: Further investigation is needed into highly integrated fusion techniques capable of combining multiple biometric modalities — such as fingerprint and face — with contextual signals in a way that maximizes both security and usability. AI-driven decision models that adaptively weight modalities according to their real-time reliability are likely to enable more robust and user-friendly authentication in high-risk environments such as mobile banking and e-government services.

The findings of this review are relevant to a broad audience including financial institutions, regulatory bodies, and the academic research community. Collectively, the evidence reviewed here points toward a future in which biometric authentication is not a standalone mechanism but an intelligent, privacy-respecting, and context-aware layer within a multi-factor security architecture — one capable of meeting both the evolving threat landscape and the usability expectations of a diverse global user base.

Naji Ali H and SALIM MAHMOOD AL-Dabbagh S. A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 2; peer review: 2 approved]. F1000Research 2026, 15:5 (https://doi.org/10.12688/f1000research.173855.2)
Open Peer Review

Version 2 (published 07 May 2026)

Reviewer Report, 04 Jun 2026. Wojciech Wodo, Wroclaw University of Science and Technology, Wroclaw, Poland. Status: Approved.
"My previous review indicated that the manuscript required substantial improvement. The authors have introduced minor revisions, which address my comments only partially. Their responses suggest a disagreement with some aspects of my critique, leading them to refrain from implementing corresponding ..."
Cite as: Wodo W. Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 2; peer review: 2 approved]. F1000Research 2026, 15:5 (https://doi.org/10.5256/f1000research.199045.r482373)
Author Response, 08 Jun 2026. Hasan Naji, Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq.
"Dear Dr. Wodo, Thank you for your time and constructive engagement with our manuscript throughout both review rounds. We sincerely appreciate your careful evaluation and your decision to approve ..."

Reviewer Report, 25 May 2026. Geeta Sandeep Nadella, University of the Cumberlands, Williamsburg, USA. Status: Approved.
"Thank you for the opportunity to review the revised version of your manuscript. Having carefully examined your response to my previous comments and the corresponding changes made to the manuscript, I am pleased to confirm that you have addressed all ..."
Cite as: Nadella GS. Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 2; peer review: 2 approved]. F1000Research 2026, 15:5 (https://doi.org/10.5256/f1000research.199045.r482374)
Author Response, 08 Jun 2026. Hasan Naji, Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq.
"Dear Dr. Nadella, Thank you very much for your careful review of the revised version of our manuscript and for your encouraging and constructive comments. We sincerely appreciate ..."

Version 1 (published 06 Jan 2026)

Reviewer Report, 14 Feb 2026. Wojciech Wodo, Wroclaw University of Science and Technology, Wroclaw, Poland. Status: Not Approved.
"In my opinion, preparing the review paper is quite a challenging task, usually much more demanding than a regular research article, as it requires an extensive knowledge of the domain, a deep understanding of details, nuances, and a broad perspective ..."
Cite as: Wodo W. Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 2; peer review: 2 approved]. F1000Research 2026, 15:5 (https://doi.org/10.5256/f1000research.191708.r450385)
Author Response, 07 May 2026. Hasan Naji, Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq.
"Response to Reviewer. We sincerely thank the reviewer for the careful reading of our manuscript and for the detailed, thoughtful, and constructive comments. We also apologize for the delay in ..."

Reviewer Report, 29 Jan 2026. Geeta Sandeep Nadella, University of the Cumberlands, Williamsburg, USA. Status: Approved with Reservations.
"The review is well-structured, methodologically sound, and clearly reports its rationale, methods, and conclusions. It does not involve statistical analysis beyond reporting existing metrics, and it is not a living review. This systematic literature review provides a valuable and timely synthesis ..."
Cite as: Nadella GS. Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 2; peer review: 2 approved]. F1000Research 2026, 15:5 (https://doi.org/10.5256/f1000research.191708.r450383)
Author Response, 07 May 2026. Hasan Naji, Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq.
"We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. We also apologize for the delay in submitting our revised response, ..."
