A Systematic Literature Review on Biometric... | F1000Research
0!==arguments[1]?arguments[1]:(0,_.ky)(16);c._A?(this.agentIdentifier=t,this.sharedAggregator=new y({agentIdentifier:this.agentIdentifier}),this.features={},this.desiredFeatures=new Set(e.features||[]),this.desiredFeatures.add(m),Object.assign(this,(0,a.j)(this.agentIdentifier,e,e.loaderType||"agent")),this.start()):(0,l.Z)("Failed to initial the agent. Could not determine the runtime environment.")}get config(){return{info:(0,t.C5)(this.agentIdentifier),init:(0,t.P_)(this.agentIdentifier),loader_config:(0,t.DL)(this.agentIdentifier),runtime:(0,t.OP)(this.agentIdentifier)}}start(){const t="features";try{const r=n(this.agentIdentifier),i=[...this.desiredFeatures];i.sort(((t,r)=>e.p[t.featureName]-e.p[r.featureName])),i.forEach((t=>{if(r[t.featureName]||t.featureName===e.D.pageViewEvent){const n=function(t){switch(t){case e.D.ajax:return[e.D.jserrors];case e.D.sessionTrace:return[e.D.ajax,e.D.pageViewEvent];case e.D.sessionReplay:return[e.D.sessionTrace];case e.D.pageViewTiming:return[e.D.pageViewEvent];default:return[]}}(t.featureName);n.every((e=>r[e]))||(0,l.Z)("".concat(t.featureName," is enabled but one or more dependent features has been disabled (").concat((0,D.P)(n),"). 
This may cause unintended consequences or missing data...")),this.features[t.featureName]=new t(this.agentIdentifier,this.sharedAggregator)}})),(0,T.Qy)(this.agentIdentifier,this.features,t)}catch(e){(0,l.Z)("Failed to initialize all enabled instrument classes (agent aborted) -",e);for(const e in this.features)this.features[e].abortHandler?.();const r=(0,T.fP)();return delete r.initializedAgents[this.agentIdentifier]?.api,delete r.initializedAgents[this.agentIdentifier]?.[t],delete this.sharedAggregator,r.ee?.abort(),delete r.ee?.get(this.agentIdentifier),!1}}}({features:[J,m,S,class extends h{static featureName=oe;constructor(t,r){if(super(t,r,oe,!(arguments.length>2&&void 0!==arguments[2])||arguments[2]),!c.il)return;const n=this.ee;let i;(0,k.QU)(n),this.eventsEE=(0,k.em)(n),this.eventsEE.on(se,(function(e,t){this.bstStart=(0,p.z)()})),this.eventsEE.on(ae,(function(t,r){(0,s.p)("bst",[t[0],r,this.bstStart,(0,p.z)()],void 0,e.D.sessionTrace,n)})),n.on(ce+ne,(function(e){this.time=(0,p.z)(),this.startPath=location.pathname+location.hash})),n.on(ce+ie,(function(t){(0,s.p)("bstHist",[location.pathname+location.hash,this.startPath,this.time],void 0,e.D.sessionTrace,n)}));try{i=new PerformanceObserver((t=>{const r=t.getEntries();(0,s.p)(te,[r],void 0,e.D.sessionTrace,n)})),i.observe({type:re,buffered:!0})}catch(e){}this.importAggregator({resourceObserver:i})}},C,xe,B,class extends h{static featureName=de;constructor(e,r){if(super(e,r,de,!(arguments.length>2&&void 0!==arguments[2])||arguments[2]),!c.il)return;if(!(0,t.OP)(e).xhrWrappable)return;try{this.removeOnAbort=new AbortController}catch(e){}let n,i=0;const o=this.ee.get("tracer"),a=(0,k._L)(this.ee),s=(0,k.Lg)(this.ee),u=(0,k.BV)(this.ee),d=(0,k.Kf)(this.ee),f=this.ee.get("events"),l=(0,k.u5)(this.ee),h=(0,k.QU)(this.ee),g=(0,k.Gm)(this.ee);function m(e,t){h.emit("newURL",[""+window.location,t])}function v(){i++,n=window.location.hash,this[ve]=(0,p.z)()}function b(){i--,window.location.hash!==n&&m(0,!0);var 
e=(0,p.z)();this[pe]=~~this[pe]+e-this[ve],this[ye]=e}function y(e,t){e.on(t,(function(){this[t]=(0,p.z)()}))}this.ee.on(ve,v),s.on(be,v),a.on(be,v),this.ee.on(ye,b),s.on(ge,b),a.on(ge,b),this.ee.buffer([ve,ye,"xhr-resolved"],this.featureName),f.buffer([ve],this.featureName),u.buffer(["setTimeout"+le,"clearTimeout"+fe,ve],this.featureName),d.buffer([ve,"new-xhr","send-xhr"+fe],this.featureName),l.buffer([me+fe,me+"-done",me+he+fe,me+he+le],this.featureName),h.buffer(["newURL"],this.featureName),g.buffer([ve],this.featureName),s.buffer(["propagate",be,ge,"executor-err","resolve"+fe],this.featureName),o.buffer([ve,"no-"+ve],this.featureName),a.buffer(["new-jsonp","cb-start","jsonp-error","jsonp-end"],this.featureName),y(l,me+fe),y(l,me+"-done"),y(a,"new-jsonp"),y(a,"jsonp-end"),y(a,"cb-start"),h.on("pushState-end",m),h.on("replaceState-end",m),window.addEventListener("hashchange",m,(0,O.m$)(!0,this.removeOnAbort?.signal)),window.addEventListener("load",m,(0,O.m$)(!0,this.removeOnAbort?.signal)),window.addEventListener("popstate",(function(){m(0,i>1)}),(0,O.m$)(!0,this.removeOnAbort?.signal)),this.abortHandler=this.#e,this.importAggregator()}#e(){this.removeOnAbort?.abort(),this.abortHandler=void 0}}],loaderType:"spa"})})(),window.NRBA=o})(); window.jQuery || document.write(' ') CKEDITOR_BASEPATH='https://f1000research.com/js/vendor/ckeditor/' window.reactTheme = 'research'; window.MathJax = { CommonHTML: { linebreaks: { automatic: true } }, 'HTML-CSS': { linebreaks: { automatic: true } }, SVG: { linebreaks: { automatic: true } }, AuthorInit: function() { MathJax.Hub.Register.MessageHook('End Process', function () { let timeout = false; // holder for timeout id const delay = 250; // delay after event is "complete" to run callback const reflowMath = function() { const dispFormulas = document.querySelectorAll('.disp-formula.panel'); if (!dispFormulas) { return; } for (const dispFormula of dispFormulas) { const child = 
dispFormula.querySelector('.MathJax_Preview').nextSibling.firstChild; const isMultiline = MathJax.Hub.getAllJax(dispFormula)[0].root.isMultiline; if (dispFormula.offsetWidth < child.offsetWidth || isMultiline) { MathJax.Hub.Queue(['Rerender', MathJax.Hub, dispFormula]); } } }; window.addEventListener('resize', function() { clearTimeout(timeout); // clear the timeout timeout = setTimeout(reflowMath, delay); // start timing for event "completion" }); }); }, }; if (window.location.hash == '#_=_'){ window.location = window.location.href.split('#')[0] } !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function() {n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)} ;if(!f._fbq)f._fbq=n; n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window, document,'script','https://connect.facebook.net/en_US/fbevents.js'); fbq('init', '1641728616063202'); fbq('track', "PixelInitialized", {}); (function(h,o,t,j,a,r){ h.hj=h.hj||function(){(h.hj.q=h.hj.q||[]).push(arguments)}; h._hjSettings={hjid:2318163,hjsv:6}; a=o.getElementsByTagName('head')[0]; r=o.createElement('script');r.async=1; r.src=t+h._hjSettings.hjid+j+h._hjSettings.hjsv; a.appendChild(r); })(window,document,'https://static.hotjar.com/c/hotjar-','.js?sv='); search file_upload Submit your research search menu close search Browse Gateways & Collections How to Publish Submit your Research My Submissions Article Guidelines Article Guidelines (New Versions) Open Data, Software and Code Guidelines Open Data and Accessible Source Materials Guidelines (HSS) Open Data, Software and Code Guidelines (PSE) Prepublication Checks Production Process Posters and Slides Guidelines Document Guidelines Article Processing Charges Peer Review Finding Article Reviewers About How it Works For Reviewers Our Advisors Policies Glossary FAQs For Developers Newsroom Contact My Research Submissions Content and Tracking Alerts My 
Manager Bibtex ProCite Sente EXPORT Select a format first Track Share ▬ ✚ Systematic Review A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] Hasan Naji Ali https://orcid.org/0009-0007-6880-0038 1,2 , SUFYAN SALIM MAHMOOD AL-Dabbagh 3 Hasan Naji Ali https://orcid.org/0009-0007-6880-0038 1,2 , SUFYAN SALIM MAHMOOD AL-Dabbagh 3 PUBLISHED 06 Jan 2026 Author details Author details 1 Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Nineveh Governorate, Iraq 2 Computer Science, Tikrit University College of Computer Science and Mathematics, Tikrit, Saladin Governorate, Iraq 3 Cybersecurity, University of Mosul College of Computer Sciences and Mathematics, Mosul, Nineveh Governorate, Iraq Hasan Naji Ali Roles: Formal Analysis, Funding Acquisition, Methodology, Resources, Visualization, Writing – Original Draft Preparation SUFYAN SALIM MAHMOOD AL-Dabbagh Roles: Validation, Writing – Review & Editing OPEN PEER REVIEW DETAILS REVIEWER STATUS This article is included in the Fallujah Multidisciplinary Science and Innovation gateway. Abstract As mobile banking continues to grow at an exponential rate, the financial industry is faced with a critical challenge: How to keep user credentials secure without compromising on efficiency. Password-based authentication is still dominant but has major limitations which compromise both security and user experience. These systems are susceptible to the most common attack vectors such as phishing, malware and man-in-the-middle attacks, especially if users are using weak passwords or sharing passwords. Additionally, mobile devices have limited input interfaces that are frequently sources of frustration and error. 
As a result, there is increasing interest in other more secure and convenient alternatives such as biometric and multi-factor authentication (MFA) to mitigate the inherent weaknesses of password-based systems. This systematic literature review, which covers studies from 2020 to 2025, provides a critical review of biometric authentication methods used in mobile banking. It analyses existing approaches, security risks and implementation practices adopted by major banks across the world. While biometric systems are more secure and user friendly than traditional systems, they also introduce new challenges in terms of privacy, spoofing and regulatory compliance. The review gives a detailed overview of the current advances, key issues, and emerging research directions, which will give valuable insight to the development of secure and easy-to-use authentication systems in mobile banking. READ ALL READ LESS Keywords mobile banking, biometric authentication, user authentication, usability and privacy, multi-factor authentication, cybersecurity threats Corresponding Author(s) Hasan Naji Ali ( [email protected] ) Close Corresponding author: Hasan Naji Ali Competing interests: No competing interests were disclosed. Grant information: The author(s) declared that no grants were involved in supporting this work. Copyright: © 2026 Naji Ali H and SALIM MAHMOOD AL-Dabbagh S. This is an open access article distributed under the terms of the Creative Commons Attribution License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. How to cite: Naji Ali H and SALIM MAHMOOD AL-Dabbagh S. A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . 
F1000Research 2026, 15 :5 ( https://doi.org/10.12688/f1000research.173855.1 ) First published: 06 Jan 2026, 15 :5 ( https://doi.org/10.12688/f1000research.173855.1 ) Latest published: 07 May 2026, 15 :5 ( https://doi.org/10.12688/f1000research.173855.2 ) There is a newer version of this article available. 1. Introduction Modern financial systems rely heavily on mobile banking because smartphones have become the standard, and digital dependence has grown worldwide. Mobile banking has other names, such as e-banking, online payments, online banking and internet banking. The electronic payments system provides bank clients and financial institution users with the ability to conduct transactions through the internet. Digital transformation through mobile technology simultaneously produces substantial security threats because cyber attackers now focus on stealing sensitive financial data and monitoring financial activities. A combination of passwords with personal identification numbers (PINs) and security questions proves inadequate as an authentication method because these factors remain susceptible to various attacks, such as brute force, phishing, social engineering and credential stuffing. 1 , 2 The growing need for safer and easier-to-use authentication systems results directly from these vulnerabilities. Biometric authentication has arisen as a disruptive solution that uses individual physical or behavioral characteristics, such as fingerprints, facial features, voice, irises and signatures, to authenticate users with enhanced safety and precision. User authentication is the process through which users prove their identity in order to access an online banking platform. The authentication approaches of mobile banking systems protect both financial service access and users from fraudulent activities.
User authentication verifies the claimed identity of a person, application or procedure that issues a request. System access control relies on authentication technology, which verifies that the presented credentials correspond to an entry in authorized user databases or authentication servers. Organizations protect their networks through authentication because this procedure allows only verified users (or automated processes) to reach secure assets, including systems, networks, databases, websites and remote applications. There are three principal authentication system types 3 as illustrated in Figure 1 ; multi-factor authentication, listed fourth below, combines these factors rather than being a separate one. 1. Something you know : Also referred to as knowledge-based authentication (KBA). These methods depend exclusively on information that only the user is supposed to know. At present, passwords together with PINs function as standard authentication methods, although they face dangers from phishing schemes, brute-force attacks and password exposure incidents. 4 User security questions function as a backup authentication process yet become vulnerable when attackers acquire access. 5 2. Something you have : Also referred to as possession-based authentication (PBA). Users must possess hardware or equipment to use these authentication methods. One-time passwords (OTPs) 6 , 7 are sent via short message service (SMS) messages or emails, or are produced by authenticator apps. Phone-based factors of this kind, SMS-delivered codes in particular, are exposed when attackers conduct SIM swap attacks. 8 Users can use hardware tokens together with smart cards to achieve maximum security; however, these require the physical possession of additional hardware devices. 3. Something you are : Also referred to as biometric-based authentication (BBA), this is a security method based on an individual’s unique physical and/or behavioral trait that can be used to verify the identity of the individual. For example, fingerprints, facial features, iris patterns, hand geometry and voice are common biometric identifiers.
These traits are distinctive and extremely difficult to reproduce; thus, BBA is much more secure than typical authentication methods such as passwords or PINs. 9 The convenience of BBA is that users do not need to remember a password or carry physical tokens. 10 – 12 AI-driven facial verification identifies people by their faces, although it delivers insufficient results under poor lighting conditions and when users wear masks. 13 Another challenge in implementing BBA is privacy and the protection of biometric data. Because a compromised biometric trait cannot be replaced in the way a compromised password can, long-term security becomes an issue. However, despite these concerns, such as the ability of adversaries to learn the distribution of nonbits, BBA technology has been widely adopted in many fields, including mobile devices, financial services and national security, because of its strong ability to enhance the process of authentication. 14 4. Multi-factor authentication (MFA): This method combines two or more authentication methods for enhanced security. For example, users authenticate through KBA password entry on a mobile banking application and then enter an OTP that they receive. 15 , 16 Security increases when the system requires multiple authentication methods because compromising a single factor is not sufficient to gain access. A further security layer is added when biometric authentication is used, such as fingerprints, facial recognition, irises, voice, hands/palms, 17 etc. Continuous authentication delivers two forms of protection by evaluating keyboard typing patterns and device motion along with swipe gestures. AI-based risk assessment continuously evaluates user interactions to detect suspicious activity in real time. 18 , 19 Table 1 presents an analysis of user authentication approaches, including descriptions, strengths, weaknesses, and typical use cases. Figure 1.
Classification of general user authentication methods categorized as knowledge-based, possession-based, and biometric-based factors. Table 1. Comparative analysis of major types of authentications based on their description, advantages, disadvantages and major applications.
| Authentication method | Description | Strengths | Weaknesses | Common use cases | Ref. |
| --- | --- | --- | --- | --- | --- |
| KBA | Users establish a personal secret (e.g., a password or PIN). | Simple, cost-effective, widely supported. | Vulnerable to brute force, phishing, and weak passwords. | Logins for websites, apps, and systems. | 20 , 21 |
| PBA | Uses physical or digital tokens (e.g., OTPs, smart cards). | Adds an extra layer of security, time-sensitive codes. | Tokens can be lost or stolen, requires users to carry a device. | Online banking, corporate networks, VPNs. | 22 |
| BBA | Uses unique physical traits (e.g., fingerprints, facial recognition). | Difficult to replicate, convenient, and secure. | Privacy concerns, potential for false positives/negatives, high implementation cost. | Smartphones, high-security facilities, banking. | 23 , 24 |
| MFA | Combines two or more authentication factors (e.g., PIN + OTP or biometric). | Highly secure, reduces risk of unauthorized access. | It can be inconvenient if factors are not readily available. | Banking, email, and enterprise systems. | 25 |
1.1 Motivation The rapid growth of mobile banking has made financial processes more convenient while, at the same time, exposing financial institutions to advanced cyber risks. Password-based authentication techniques are exposed to several attacks, such as phishing and brute-force attacks, and face issues of memorability and the limits of the mobile operating environment. There is therefore an incentive in mobile banking to adopt biometric solutions that provide higher security levels and a better user experience. In searching previous studies for the period 2020–2025, we did not find a systematic literature review that focused specifically on the uses of BBA in mobile banking.
Some studies focused on multi-factor authentication, while others focused on authentication methods in general and their use in online banking. Therefore, in this research, we focused on studies that examined the use of biometric authentication in mobile banking. The main contributions of this study are summarized as follows: • Comprehensive systematic literature review (SLR): This study provides a detailed systematic literature review based on the PRISMA methodology and summarizes recent studies (2020–2025) on biometric authentication, focusing especially on mobile banking systems. • Taxonomy: This study designs a taxonomy that includes all the biometric authentication methods used in previous studies, making it easier for researchers to learn about the methods used in mobile banking. • Analysis of Security Threats: The study identifies and discusses security threats in the context of both types of biometric authentication methods, including critical ones such as biometric spoofing, malware, phishing, social engineering and man-in-the-middle attacks. Feasible mitigation measures are also offered to give institutions insight into how to withstand these threats. • Survey of biometric authentication methods that are used in global banking practices: This study evaluates the authentication systems used by major banks across the world, covering state-of-the-art biometric solutions in real-life financial settings and filling the gap between academic evidence and industrial practice. • Insight into usability and user perception: This paper discusses some of the usability and user perception issues in the application of biometrics to mobile banking, such as sensor reliability, privacy of stored biometric data, device and hardware constraints, and the security vs. convenience trade-off.
It provides guidance for financial institutions and policy makers in creating authentication systems that are secure as well as convenient to use. • Future Research Directions: Lastly, this study identifies key gaps in current practices and recommends future work on adaptive and context-aware authentication, privacy-preserving biometric security, emerging threat models, and AI-driven protection. It serves as a valuable guide for advancing secure and user-friendly mobile banking authentication in both academia and industry. 1.2 Intended audience The present manuscript is aimed at a wide audience of both academic researchers and industry practitioners. For the academic community, the research offers a synthesis of state-of-the-art biometric authentication methods in mobile banking that can serve as a reference point for further studies on the subject. For financial institutions, banking professionals, and policymakers, the review highlights practical challenges, new security threats, and usability challenges that must be addressed to make mobile banking more secure. The paper can also be of practical use to developers and system designers interested in deploying serviceable and easy-to-use authentication systems in financial applications. The rest of this paper proceeds as follows: Section 2 presents an overview of mobile banking, biometric authentication, the role of biometrics in mobile banking and an overall rating. Section 3 presents the research methodology, detailing the criteria and process we applied in choosing and assessing the collected academic papers. Section 4 provides a comprehensive analysis of the collected papers, discussing the methods used in mobile banking, the threats facing mobile banking, the biometric authentication methods used in leading banks, and challenges. Section 5 presents the limitations of our study, and finally Section 6 presents the conclusion and future directions. 2.
Overview 2.1 Mobile banking Mobile banking applications have changed financial management by providing users with speed, security and convenience. Users employ these applications to view their account balances, transfer funds, pay bills and request loans through their mobile devices. 26 Owing to technological progress, banking services have become more accessible for individuals located in distant areas, thus eliminating their need to visit bank branches. Banks enhance their security features through developments such as biometric authentication and encryption to reduce users' exposure to risk. 2 2.2 Biometric authentication Biometric authentication has also augmented digital security in that it is stronger and more convenient than password- or PIN-based access control systems. In contrast to traditional systems, biometric authentication systems validate identity using individual physiological and behavioral attributes, e.g. fingerprints, facial characteristics, iris patterns, voice and keystroke dynamics, 27 which are naturally very hard to imitate or steal. 28 , 29 Biometric authentication continues to gain momentum because mobile banking needs cryptographic protection, as do healthcare services, 30 border security systems and enterprise network access systems. Biometric solutions have gained prominence among organizations and financial institutions seeking to build improved security systems because these institutions face escalating cyber risks and data breaches. 31 The enhanced security and convenience that biometrics provide come with serious privacy and ethical risks, data safety and security challenges, and system weakness problems. Figure 2 shows the two types of biometric authentication and presents the common methods used. Figure 2. Classification of common biometric authentication.
The security model of user authentication via biometrics has several powerful attributes that establish it as a modern choice to protect digital systems. The main advantage of biometric user authentication lies in its security because individual traits such as fingerprints, facial features and iris patterns are unique and, unlike traditional passwords, difficult to steal or duplicate. 32 , 33 Biometric systems increase user convenience because users do not need to memorize complicated passwords or carry physical security devices. 34 Biometric authentication also has important weaknesses that need to be addressed. System inaccuracies can produce either unauthorized access, when a false positive accepts the wrong person, or user dissatisfaction, when a false negative rejects the legitimate user. 35 Biometric data cannot be altered after a breach occurs in the way that passwords can be changed, thus resulting in severe privacy and security issues when databases are compromised. 36 User consent requirements and data protection statutes raise serious ethical and legal issues in the collection and storage of biometric data. Access control that relies on biometric authentication should therefore be deployed with appropriate precautions and with supplemental security safeguards for data protection. 37 Biometric methods each have their strengths and weaknesses, 38 as well as areas in which they are commonly used. For example, fingerprint and facial recognition work well with mobile phones because the phone already has scanning devices. 39 Therefore, they are widely used in various digital systems, such as banking systems, healthcare systems, and other mobile applications. Table 2 provides a brief overview of their primary characteristics, such as strong and weak points, as well as their common uses in digital environments. Table 2. Analysis of some biometric authentication approaches including descriptions, strengths, weaknesses, and typical use cases.
Biometric method Description Strengths Weaknesses Common use cases Ref. Fingerprint Recognition Scans and matches unique patterns in a user's fingerprint. Highly accurate, fast, and widely adopted. It can be affected by dirt or injuries; it requires physical contact. Smartphones, laptops, access control systems. 40 , 41 Facial Recognition Analyzes facial features to verify identity. Contactless, convenient, and fast. Can be fooled by photos or videos; lighting and angle variations may affect accuracy. Smartphones, airports, security checkpoints. 42 – 44 Iris Recognition Scans the unique patterns in the colored ring of the eye. Extremely accurate and difficult to forge. Requires specialized hardware; can be intrusive. High-security facilities, government systems. 45 Voice Recognition Analyzes vocal characteristics to verify identity. Convenient and noninvasive. It can be affected by background noise or voice changes due to illness. Call centers, banking, smart home devices. 46 Retina Scanning Scans the unique blood vessel patterns in the retina. Extremely secure and accurate. Invasive, requires proximity, and expensive hardware. Military, high-security environments. 47 Hand Geometry Measures the shape and size of the hand. Reliable and easy to use. Less unique compared to other biometrics, requires physical contact. Time and attendance systems, access control. 34 2.3 Role of biometrics in mobile banking The adoption of mobile banking biometric authentication for purely secure account access has become widespread because of the widespread implementation of modern financial services digital transformation, with improved efficiency and user experience of verification processes. User account passwords combined with PIN-based authentication face growing risks from cyber intruders, who exploit phishing attacks, steal credentials and gain unauthorized system access. 
31 , 48 Online banking security evolves through biometric authentication, which uses physical and behavioral features to provide safe access and protection from fraud. 28 Mobile banking security, along with fraud prevention, is one of the fundamental purposes of biometric authentication systems. Physical biometrics, such as fingerprint scans, facial verification, hand, iris and vein methods, are important for authenticating authorized users in mobile banking. 32 , 49 Biometrics offer very high resistance against replication and remain difficult to counterfeit, which protects users from unauthorized transactions as well as identity theft. 50 Continuous authentication from behavioral biometrics becomes essential since it analyzes touch interaction patterns and keystroke dynamics along with voice patterns and typing speed, making network breaches more difficult for cybercriminals. 51 Biometrics serves as a key instrument for delivering improved accessibility while providing excellent user experience. The user experience becomes more convenient through biometric authentication since users obtain immediate and effortless access to mobile banking applications without needing to remember passwords. Security levels are enhanced through this system because users do not need to manage passwords. Financial inclusion grows stronger through biometric authentication because it enables users who lack literacy skills or have disabilities to protect their banking services by using their fingerprint or other traits instead of standard user authentication, such as passwords/PINs. 46 Users of biometric authentication in mobile banking benefit from its advantages while facing privacy risks and security vulnerabilities, which include data protection and system protection issues. 52 Any unauthorized access to stored biometric information poses substantial risks to users because each person's biometric data are permanent and distinctive. 
To protect biometric data, banks have employed encryption advances in combination with blockchain-based storage systems and multiple authentication factors. 53 By integrating AI and ML, mobile banking authentication systems can gain the ability to detect more fraudulent transactions alongside the delivery of personalized banking service options to customers. 54 The future of mobile banking security is moving toward a safer and more efficient digital financial environment because biometric authentication maintains a balance between security, convenience and privacy. 55 2.4 Overall rating The concept of mutual compensation enables authentication security by properly utilizing each authentication variable to eliminate their individual weaknesses ( Table 1 ). A secure authentication system that protects against multiple types of security attacks emerges when users provide PBA, KBA and BBA factors. People trust the knowledge authentication type for its familiar design, yet this element remains exposed to password intrusion attacks. 56 When ownership requirements for physical tokens or devices are applied together with passwords, the system provides enhanced security even when a password becomes exposed. 57 The cost and risk exposure for the ownership element arises from losses connected to token or device disappearance or theft. Security measures benefit from the biometric element because it brings both security through uniqueness and convenience while belonging to the user. Strong protection of biometric data is essential to minimize password-related attacks while physical tokens remain necessary, yet the implementation leads to either false positive or false negative outcomes. 58 Although the three authentication categories (KBA, PBA, and BBA) 16 each offer specific advantages, they leave gaps when used alone that can be exploited. 
KBA is simple but has the lowest security level against phishing and brute-force attacks; PBA is a strong security mechanism based on use of one-time codes or tokens, but it is exposed when the device is lost or stolen; BBA is a strong identity binding mechanism but raises privacy and hardware-cost issues. Thus, our analysis supports a hybrid multi-factor approach whereby complementary factors compensate for the weakness of each other. In environments that require high security, like mobile banking, a three-factor setup (password + token + biometric) offers the best balance of protection against the theft and spoofing of credentials. 13 However, in lower risk or resource constrained environments a two-factor scheme (e.g. PIN + OTP) may provide sufficient security with better usability. This aligns with recent banking practices summarized in Table 7 , where most institutions adopt mixed MFA frameworks combining knowledge, possession, and inherence factors. 3. Methodology The Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines were first released more than a decade ago. 59 The PRISMA method assists researchers by providing standards for accurate reporting of systematic reviews and meta-analyses. Systematic reviews are considered by decision-makers in areas such as the IoT, computer security, smart homes, supply chains, industries, and other domains as important sources of information that are collected in a systematic and transparent manner. 60 Some of the PRISMA items have provided a comprehensive and systematic study of the applications of biometric authentication in the mobile banking sector. 3 The literature review in Figure 3 includes the most recent studies related to biometric authentication technology, which is used in mobile banking to increase security. The activities listed below have had a significant effect on the results of systematic surveys. 
Out of the total 180 references, 97 papers met the inclusion criteria and are analyzed as part of the evidence set. The remaining references are cited to provide general background, definitions, or contextual support but were not included in the systematic synthesis. Figure 3. Distribution of the 97 reviewed research papers by publication year (2020-2025), illustrating the growth trend in biometric research for mobile banking. 3.1 Research questions This research aims to evaluate the biometric authentication methods currently adopted for online mobile banking user access. Also, this research examines the effects of cyber threats on online banking user authentication and presents examples of biometric authentication systems used by major banks worldwide, also examines the advantages, disadvantages, aims and challenges through the following research questions: 1. Which biometric authentication methods are currently used in mobile banking systems? 2. What are the main security threats and vulnerabilities affecting biometric authentication in mobile banking? 3. How do major banks worldwide implement and integrate biometric authentication into their mobile banking applications? 4. What is the key usability, privacy, and user acceptance challenges related to biometric authentication in mobile banking? 5. What are the limitations and future research directions in improving biometric-based authentication for secure and convenient mobile banking? 3.2 Search strategy A collection of academic papers focused on biometric authentication served as the basis for our review. The selected time span begins on January 1, 2020, and ends on July 1, 2025. This stage involved focused examination of scientific digital libraries and databases alongside searches of keywords and reference management tools and search processes. The next sections delineate the processes described. 
3.3 Scientific digital libraries The analysis took place through major English-language scientific digital libraries and databases. Science Direct, Scopus, IEEE and Google Scholar formed the database scope for this SLR. 3.4 Search for keywords The research questions of the SLR served as the foundation for creating the search keywords. The included figure presents alternative search terms. We have also added synonyms and alternatives. The synonym keywords are extracted from the corpus of online banking security related subjects in literature. The search query keywords appear in ( Figure 4 ) as they were applied to the digital libraries mentioned. To provide comprehensive coverage, the literature search was performed in four major databases: ScienceDirect, Scopus, IEEE, and Google Scholar. Figure 4. PRISMA flow diagram of the process of selecting and screening studies that were included in this systematic literature review. 3.5 Reference management The research utilized “Mendeley Reference Manager” v2.132.0 61 to serve as the reference management system for collecting and handling retrieved scientific papers. Using Mendeley Reference Manager v2.132.0 allowed researchers to perform quick document management features on their internal database. 3.6 Selection of the study We examined the research papers that led to the selection of suitable content for our final evaluation using specified inclusion and exclusion criteria. We examined each paper to check its application toward the study’s goals. The review used predefined inclusion criteria to identify and analyze suitable study materials, which led to reliable and valid research outcomes. All the results of this research stem from the number of papers that fulfilled the established criteria permitting their entry into our research. 3.6.1 Exclusion criteria All studies that were not published in the English language were excluded. 
Additionally, book chapters, reviews, periodical articles, theses and duplicate papers are excluded. 3.6.2 Inclusion criteria The inclusion criterion was that the studies were published in English. Only journal publications and conferences that publish studies were included. The biometric authentication in mobile banking research studies covers the methods used in mobile banking, threats, strengths and weaknesses, as well as the methods used in major international banks and user usability challenges and limitations. 3.6.3 Results The research process resulted in 97 articles through the elimination of duplicate and unrelated studies. The preferred items for reporting systematic reviews and meta-analyses. Two complementary search queries were applied to ensure coverage of biometric authentication keywords ( Figure 4 ). The screening process based on PRISMA is illustrated in Figure 4 . A total of 913 records were identified in the four databases (Science Direct = 394, Scopus = 152, IEEE = 174, Google Scholar = 193). After elimination of 187 duplicates, 726 unique papers were screened. Following title and abstract screening, 523 papers were excluded, and 203 full-text articles were eligible for further screening. Based on the inclusion and exclusion criteria, 106 papers were deemed ineligible, and 97 studies were finally included in this systematic review. 4. Analysis and Discussion This section presents various data samples drawn from relevant studies and provides an evaluation and interpretation of the SLR findings. 4.1 Biometric authentication methods used in mobile banking This section provides an answer to research RQ1 : “Which biometric authentication methods are currently used in mobile banking systems?”. The gathered literature appears in Table 3 for 41 studies that are analyzed in three parts: description, year and reference. The taxonomy in Figure 5 illustrates different online payment biometric approaches, which are classified as BBA and MFA. 
The taxonomy structure enables a complete comprehension of the different authentication approaches, which demonstrate that all current methods operating in online banking use biometrics. Table 3. Summary of sample data of the chosen studies (2020-2025) to 41 study, outlining each of the biometric authentication methods, its aims, and originated sources. Year Ref. Description 2020 52 A MFA for the Smart Online Banking System (SOBS) uses face recognition authentication (FRA) or biometric fingerprint authentication (BFA) with digital signatures are proposed to enable bank customers to complete transactions. 62 This paper proposed a novel approach based on deep neural network to extract facial features. 46 This research aims to enhance security authentication based on voice recognition, can be utilized for speaker identification, regardless of the language being spoken. 50 This research introduces a secure biometric online banking system which uses three-factor authentication to evaluate service requests through banking portals. These factors are (Password, random the system shows images to users who need to select three familiar images within the interface images and fingerprints). 17 The authors propose an authentication model for securing mobile banking applications based on hand-based biometric authentication. 64 Online banking authentication gets a supervised Machine Learning-based framework from the authors who developed it for continuous behavioral biometric user identification. This framework represents an improved variation of the “Biotouch” technology for touch dynamics identification. 68 The paper introduces a biometric authentication system that uses two methods combining Biometric technology with proximity sensors to provide secure robust and flexible authentication. Biometric fingerprint identification security techniques unite with shuffling keypad methods to boost the security strength in Automated Teller Machines (ATM) operations. 
63 A new authentication system uses contactless vascular biometrics to recognize wrist veins as part of the modality system. 2021 69 This paper proposed an application for online banking for overcoming the vulnerabilities present in current online banking applications. This application based on facial recognition and proxy detection including “tripleDES” encryption to enhance the security of the work. 28 This paper presents framework based on mobile screen swipes and touch data as a possible verification method for user authentication in mobile banking. 70 The authors presented an authentication model using Fingerprint scanning biometric to provide access to ATM machine. 71 This paper introduces a novel approach to anti-spoofing third-factor authentication method for (ATMs) which uses behavioral-based biometrics Keypad Typing Rhythm Identifier (KTRID). 72 In this paper, the authors present two-level combined authentication method (2 L-IAM). At the first level, the end user login to their online Banking port using either PIN or Fingerprint Matching (FPM). At the second level, end users are authenticated by face recognition (FR) should they initiate a transaction classified as sensitive. 73 This study incorporates user biometrics based on either fingerprint or facial recognition obtain and verify data from the Internet of Things (IoT) device through bank-registered authentication methods which include IP address tracking and digital certificates. 25 This research develops a framework using Elliptical Curve Cryptography (ECC) within Virtual Private Network (VPN) security for performing safe financial operations through MFA using password and voice recognition based on both authentication codes and biometric identification systems. 74 The DAKOTA framework proposes mobile banking security improvement through behavioral biometrics authentication methods based on sensor and touch screen-based continuous authentication. 
Touch screen data and motion sensor data serve distinct roles to increase application security. 2022 11 This paper proposes a new authentication framework for detecting FingerVein (FV) is formed by the work for safe authorization utilizing Enhanced Sigmoid Reweighted based Convolutional Neural Network (ES- “RwCNN”). 51 This paper proposed continuous authentication on mobile devices incorporate touchscreen–swipe interactions without limit as well as keyboard input timing patterns. 75 A novel approach to face anti-spoofing introduces a modified combination of differences of Gaussian (DOG) and angle-difference-ternary correlation-pattern (ADTCP) descriptors. 32 This paper demonstrates an authentication framework which employs novel pupil segmentation through a combination of multiscale gray-level co-occurrence matrix (MSGLCM) with multirange circle Hough transform (MRRCHT). The pupil texture extraction proceeds accurately when using this segmentation method followed by Hough transform application to the outer Iris region. 76 The authors proposed a multimodal Self-ONN based on Raw Electroencephalogram (EEG) and keystroke data. 77 The research proposed an unavoidable authentication approach through mobile device fingerprinting-based identifier and authenticator for mobile banking applications (MDFIA). MDFIA functions as the name for this authentication system. 78 This paper proposed a complete solution to enhancement atm security and privacy by using facial authentication technique. 79 In this paper, the authors developed an application for online system authentication like mobile banking based on face recognition and text extraction. 80 The paper proposes a concept of using a person's vein pattern and OTP/PIN as a method of contactless authentication. It is an extremely safe verification procedure because no two people in the world, not even identical twins, can have the same palm vein structure or pattern. 
Additionally, it is more secure because it is nearly impossible to replicate the palm vein pattern. 49 The authors proposed a web-based application authentication system for bank employees using passwords, fingerprints and OTP. 81 The article presented a new real-time contactless palm vein recognition system MPSNet specifically developed for smartphones with red, green and blue image functionality. A standard back camera with an LED flashlight installed in smartphones enables the system to both detect and identify palm images. 82 This paper introduces an authentication method with passwordless which includes smartphone-based face recognition and Bluetooth-Near Field Communication technology. The system functions through real-time face biometric authentication and secure NFC token transfer as well as Bluetooth detection of device connection for robust anti-phishing and anti-spoofing security that does not need passwords. 2023 83 The article establishes a user authentication methodology which utilizes sensor measurements from smartphone devices along with multiple behavioral patterns along with machine learning strategies to address the identified issues. The proposed approach uses device touchscreen combined with motion sensors to obtain behavioral biometric data. 84 This paper proposes a new framework for continuous authentication for smartphones based on behavioral-based biometric by utilizing for user interaction on touchscreen. 30 The proposed method in this paper develops a secure virtual smart card through digital encryption techniques with biometric verification (using Fingerprint) and a QR code and passwordless capabilities enabling safe access to healthcare systems and e-banking. 85 The study established a multilayer 5FA system that selected Password/PIN together with OTP and Fingerprint along with Media Access Control (MAC) Address and Time-Based location to create a stable security solution for online banking. 
86 Authors propose a framework based on dynamic signatures for authentication which called: a “Cloud-based mobile biometric authentication framework (BAMCloud)”. 2024 13 This paper proposed a MFA for securing mobile banking system that combines passwords, Face recognition and OTP to verify users. 87 This paper proposed a new framework of mobile payment for user verification depending on face ID recognition based on deep learning. 88 This paper presents an android mobile banking application development. The application implements facial recognition technology together with PIN based templates through the Grassmann algorithm approach. The system becomes accessible for users to perform banking operations only after completing two authentication steps. 2025 89 The authors developed an authentication system based on processing ECG (electrocardiogram) signals on mobile devices to achieve high levels of accuracy. The process uses distinct qualities of ECG signals to deliver safe mobile device authentication which demonstrates that biometric authentication can boost security protocols. 90 A new deep learning framework described in this paper connects three different biometric modes through electrocardiogram (ECG) with fingerprint features and finger knuckle print (FKP). The combined application of these methods enables an authentication system that reaches high levels of security and efficiency for banking and healthcare applications and higher-security applications. 91 In this project a machine learning authentication system will be developed to protect online voting using facial and fingerprint recognition as security measures for better system protection. The system consists of two fundamental elements which include both the machine learning authentication mechanism and web-based voting platform. 
92 This study proposes a new framework based on MFA which combines three types of fusion technique (feature-level, score-level, and decision level) integrated into three types of biometrics modalities (fingerprint, facial recognition, and iris). 93 This paper presents a hybrid face biometric authentication that integrates the strength of deep learning specifically CNN and (ResNet) with Local Binary Pattern (LBP) method. Figure 5. Biometric authentication taxonomy in internet banking, methods based on knowledge, possession and biometrics factors. 4.1.1 Biometric authentication methods The BBA category uses two types of biometrics, including physical traits, which consist of fingerprints, facial IDs, irises, hands and veins, 11 , 17 , 32 , 62 , 63 alongside behavioral traits, which include voice patterns, 46 “biotuch” (dynamic/continuous touch authentication), 28 , 64 and tapping behavior. The other behavioral biometric trait was implemented by, 65 who proposed a new activity recognition model for smartphone applications based on physical activities that are detected by collecting data from different sources, such as biometric sensors or body-worn sensors. The authentication system uses unique biological traits from users to create a high level of security protection. The authentication approach of behavioral biometrics shows great reliability in authorization but creates problems involving data protection and storage security requirements. Organizations use biometric information in addition to developing preventative solutions to combat unapproved system access and illegal information handling. 66 Various users sometimes encounter difficulties when organizations attempt to establish biometric authentication systems. Online banking system implementations of biometric technology require thorough consideration of hardware needs together with quality standards and acceptance levels from users. 67 Table 3 provides a description and year for each study. 
4.1.2 Integration of biometrics within MFA Any authentication system built with a single authentication factor remains vulnerable to security threats regardless of whether that factor is a fingerprint scan, facial recognition, palm recognition, a password or a PIN. Authentication system developers therefore build their systems on integrated MFA. 94 The integration of BBA methods, including fingerprints, faces, irises, hands, veins and behavioral biometrics, serves as the main authentication component for the MFA and 2FA systems. 95 PBA authentication methods consist of OTPs combined with tokens and NFC 96 and operate when enhanced with other supporting factors. Various security elements, such as proxies, QR codes, geolocation, IP addresses, MAC addresses and “CAPTCHA,” have joined the MFA and 2FA approaches to increase security measures. Multiple authentication methods used together by banks create enhanced system security, which places multiple defense barriers in front of attackers. If attackers gain access to one part, the system remains protected because the remaining layers shield it from further attacks. 97 , 98 For example, users must first type their password and then submit their fingerprint for authorization purposes during system access. This authentication logic increases the security level by making it difficult for attackers to compromise the system even when they know the user password. 99 Online banking can establish a secure and all-encompassing authentication system through 2FA and MFA, which reduces the threats caused by depending on a single authentication mechanism. The analysis of previously discussed online banking authentication approaches that can be combined with biometric factors yields the results in Table 5 , which presents their strengths together with weaknesses. Based on 41 studies, this research examines the use of biometric authentication methods in online mobile banking, including their role within MFA. 
These methods are presented in Table 4 and Figure 5 . Table 4 provides a comprehensive list of these authentication strategies, complete with their corresponding references. Table 4. Overview of biometric integrated within the MFA techniques used in the studies reviewed with modalities used and references provided. Authentication Method Password PIN OTP Fingerprint Face Iris Palm/Hand Vein Voice Continuous Authentication Signature MAC Location Captcha Proxy QR EEG ECG Keystroke Keypad IP Address FKP NFC Ref. 52 O O 62 O 46 O 64 O 11 O 13 O O O 86 O 28 O 70 O 72 O O O 25 O O 73 O O O O O 51 O O 74 O 17 O 87 O 85 O O O O O O 50 O O O 69 O O 30 O O 71 O 84 O 75 O 32 O 76 O O 83 O 77 O O 78 O 79 O O 80 O O O 49 O O O O 88 O O 89 O 90 O O O 91 O O 92 O O O 93 O 81 O 68 O O O 63 O 82 O O Figure 5 presents a detailed taxonomy scheme of authentication methods that were specifically developed to protect online banking systems. The taxonomy system groups authentication methods into four basic categories, including the PBA, BBA and KBA approaches and MFA methods. The BBA is divided into two parts: physical biometrics, including fingerprints, faces, irises, hands/pales and veins, and behavioral traits, including voices, touch screens, EEGs, keypads, signatures and ECGs. The KBA consists of a password PIN. The PBA includes OTP and NFC. Other types of authentications include MAC address, IP address, CAPTCHA, QR, proxy and location. The MFA introduced a good security solution by combining the 2FA or MFA from the previously mentioned methods, which illustrates the wide range of security methods used for user verification. This research focuses heavily on biometric authentication by providing detailed information about fingerprints, facial recognition, irises, palm, voice recognition methods, touchscreens, and keystroke dynamics as behavioral verification indicators. 
This taxonomy explains MFA, which requires users to combine different authentication components, such as passwords together with OTP, or fingerprints in combination with the MAC address, to increase security. The taxonomy establishes itself as a beneficial reference for recognizing the complex authentication methods that modern digital finance systems implement. Among all the authentication methods, face, fingerprint, password, PIN and continuous touch screen authentication are the most used, appearing 15, 13, 7, 6 and 6 times, respectively, in total. OTPs and veins appeared 4 times each, and voice and iris were each used only 2 times throughout the given data. The reviewed systems also use other types of verification, including CAPTCHA and keypads, which appear in 3 cases each. One mention exists for each of these authentication methods: palm, keystroke, time-based location, MAC address, IP address, proxy, QR, signature, EEG, ECG, FKP and NFC. MFA security becomes more effective because face and fingerprint detection are used multiple times with additional factors, such as password/PIN (KBA) and OTP (PBA). Multiple security layers protect sensitive online banking data since MFA operates together with 2FA by employing several authentication techniques. Figure 6 presents the frequency of the authentication methods used alongside biometric authentication in the banking sector. Figure 6. Frequency distribution of authentication techniques used in biometric systems among studied mobile banking studies. This study presents a comprehensive and well-structured systematic literature review on biometrics in online mobile banking systems, which offers valuable taxonomy, security threat analysis, and insights into global banking practices. Its key achievement is to synthesize the recent research (2020-2025) and provide a clear classification of authentication methods and challenges. 
However, the absence of quantitative performance comparisons and empirical validation limits its practical depth. Overall, the study provides a strong theoretical foundation and serves as a reliable reference for both academia and industry. 4.1.3 Evaluation of the methods of mobile banking Table 5 analyzes different authentication methods from our study based on their strengths and weaknesses and corresponding research sources. Simple security systems based on passwords and PINs continue to be popular because they are quick to set up, but attackers exploit their weaknesses through brute-force attacks, phishing schemes and shoulder surfing. User authentication through PIN combined with facial recognition delivers better usability while providing touchless access at the cost of reduced security effectiveness. The implementation of passwords, fingerprints, faces, OTP and locations coupled with MAC address recognition increases security, whereas the use of external communications remains a weak point, and spoofing presents a persistent threat. Biometric authentication that combines fingerprint scans, facial identification and iris analysis creates secure user authentication solutions despite its sensitivity to external conditions and its need for specific hardware systems. Emerging techniques such as EEG and touchscreen behavior offer unique behavioral or physiological markers but face limitations in practicality and consistency. MFA represents a powerful security method that achieves adequate protection, while users experience decreased convenience and dependence on devices during authentication processes. According to this analysis, different digital systems require customized authentication strategies that depend on their unique operational needs. Table 5. Comparison of the authentication strategies employed in mobile banking (2020-2025), with their key strengths and weaknesses. 
Method Strengths Weaknesses Reference Password Simple to implement and widely used Susceptible to brute-force, phishing and reuse attacks 60 , 100 , 101 PIN Quick, minimal memory load Easy to observe (shoulder surfing); often reused 101 Graphical Password More memorable; harder to guess Usability issues; vulnerable to observation 102 , 103 QR Code Fast, contactless authentication Can be used for phishing; requires camera 104 OTP Temporary and time-bound; improves security Phishable; reliant on delivery medium (SMS/email) 101 , 105 MAC Address Device-specific; useful in background authentication Spoofable; not user-unique 3 , 106 CAPTCHA Prevents bots; low cost Poor usability; accessibility issues 107 Proxy Detection Identifies IP masking attempts Can yield false positives; circumventable 108 Geolocation Provides context-aware authentication Spoofable; raises privacy concerns 109 Signature Verification Familiar; good for legal systems Inconsistent; easy to forge 110 NFC Fast, contactless, widely used in mobile payments Limited range; vulnerable to relay attacks 111 2FA/MFA High security; combines multiple factors Less convenient; requires multiple devices or tokens 3 Fingerprint Convenient; widely supported in devices Not reliable when wet/damaged; spoofable 49 Face ID Touchless; user-friendly Can be spoofed by photos or masks; lighting affects accuracy 12 Iris Scan Highly accurate and unique Expensive hardware; less user-friendly 112 Palm Recognition High accuracy; touchless Requires specialized scanners 17 Voice Recognition No touch input; good for phone auth Affected by background noise and illness 46 Vein Pattern Internal biometric; hard to replicate Requires IR scanners; costly 80 EEG (Brainwave) Highly secure and unique Impractical; requires specialized equipment 76 Keystroke No additional hardware needed Inconsistent due to emotional state or fatigue 2 Touchscreen (swipe, tap, scroll) Continuous passive auth; behavioral uniqueness Variability in usage, mood, 
and devices 64 The results summarized in Table 5 emphasize that each category of authentication provides different benefits and weaknesses, and confirm that no single method provides total protection against the wide range of cyber threats in the mobile banking environment. Instead, a combined optimization of security strength, usability and implementation cost is required to achieve practical and scalable protection. KBA methods, including passwords and PINs, are the most common because they are simple and easy to implement. However, they are also the weakest layer of defense, because they are highly vulnerable to brute-force, phishing, and credential-reuse attacks. 3 , 100 , 101 Moreover, users often choose predictable passwords or reuse the same passwords on different platforms, which makes compromise much easier. PINs are faster to enter and impose very little cognitive load, but they are short and vulnerable to observation (shoulder surfing), which limits their effectiveness on their own. PBA methods such as OTPs and NFC-based tokens provide stronger protection by introducing a time factor or a hardware-binding factor. OTPs greatly decrease the chances of credential replay, but they rely on the reliability of the communication channel and can be intercepted in transit or stolen via a SIM-swap attack. NFC cards and hardware tokens provide a physical guarantee, although they require the user to carry or maintain an external tool, which increases usability and logistical costs. 111 BBA methods such as fingerprint and facial recognition provide an ideal compromise between security and convenience, which is why they are quickly becoming standard in any large mobile banking application. 12 , 49 Fingerprint recognition is more accurate and faster to verify, while facial recognition is contactless and more convenient. 
However, they are sensitive to sensor quality and lighting, are vulnerable to spoofing, and raise serious privacy issues because biometric identifiers cannot be revoked or reissued once compromised. More expensive modalities, like iris, vein or palm recognition, are very resistant to spoofing and very accurate, but expensive specialized sensors preclude their mass-market use. Authentication strength can therefore be matched to the risk of the operation. For example, routine account access may rely upon simple 2FA such as PIN + OTP, while high-value or cross-border transactions may require full MFA including a biometric check. This strategy offers both convenience and a high level of security. Moreover, incorporating AI-based behavioral monitoring into the MFA pipelines will enable a continuous risk evaluation process and allow real-time adjustments without undermining usability. Generally, the comparative synthesis implies that the most resilient approach to authentication in mobile banking is a hybrid, context-aware and adaptive MFA architecture. By combining the desirable attributes of the various factors, such as password familiarity, token possession and biometric factors, while balancing the weaknesses of these factors, banks will be able to ensure both high assurance and user acceptance. The findings of this comparative evaluation reflect contemporary trends in international banking practice, in which the most important institutions are increasingly using biometrics and MFA in tandem to enhance resilience against changing cyber threats. 113 , 114 Although the heterogeneity of the reviewed studies made it impossible to conduct a complete quantitative meta-analysis, a systematic summary of the reported performance ranges was built to support the quantitative patterns and trends of biometric modalities deployed on mobile devices. 
The summarized values of false acceptance rate (FAR), false rejection rate (FRR), and equal error rate (EER) - and indication whether liveness detection and spoofing resistance mechanisms were used - are shown in Table 6 , which is for studies published between 2020 and 2025. Table 6. Summary of reported biometric and multimodal authentication systems in recent literature, highlighting their typical datasets or devices, reported EER/FAR/FRR rates, accuracy, presence of liveness detection, and spoofing resistance levels. Typical dataset/Device EER / FAR/FRR (%) Accuracy % Liveness detection Spoofing resistance Ref. Prototype survey (170 users, Brunei) — / — / — N/A N/A Medium 52 CAS-PEAL DB (99k images, 1040 users) — / — / — 98.52 N/A N/A 62 Custom dataset (23 users), SecuGen scanner — / — / — N/A N/A N/A 50 HKPU 3D/2D Hand DB (570 samples) — / — / — 94.7–100 N/A Moderate 17 Custom app (51 users, Android sensors) 1.88–9.85/ — / — 82.5–98.2 N/A Moderate–High 64 MFS100 Sensor, Simulated ATM — / — / — 100 Yes (Basic) High 68 UC3M-CV2 (Smartphone NIR camera) 6.82–18.7/ — / — N/A N/A Partial (No PAD) 63 Custom Dataset (20 img/user, smartphone) — / — / — 97 Yes (Proxy detection) High 69 Prototype Web Portal + Survey (n = 170) — / — / — N/A N/A Moderate 72 IoT Prototype (Design Science) — / — / — N/A N/A High 73 Simulated Cloud Banking Prototype (VPN) — / — / — N/A Partial (Inherent) Strong 25 Custom dataset (45 users, Samsung/Xiaomi) 3.5/ — / — ~99 N/A High 74 N/A — / —/2.35 97.05 Yes (Inherent) High 11 13 user datasets (Nexus 7 tablets) ~0.1/ — / — Up to 100 Yes (Implicit) High 51 NUAA, MSU-MFSD, Replay-Attack DBs 1.57/ — / — 99.03 Yes (Texture-based) High 75 CASIA v4, MMU V2 0.44/ — / — 87.7–94.5 Yes (Implicit) High 32 Custom ATM dataset (Raspberry Pi) — / — / — ≈82–85 Yes (Real-time) Low–Moderate 78 Real user documents (Web portal) — / — / — N/A Partial (Live capture) Moderate–High 79 NIR Scanner Prototype (Raspberry Pi) — / — / — High (≥98) Yes (Contactless) High 80 
Custom Android app (15 users) — / — / — ≈90 N/A Moderate 49 Smartphone RGB cameras (NTUST, XJTU DBs) 0.49/ — / — ≈99 Yes (Live capture) Very High 81 Android (BLE/NFC); MobileFaceNet (MS-Celeb DB) — / — / — N/A Yes (Real-time) High 82 HMOG dataset (100 users, Galaxy S4) 3.35/—/ — 98.75% (F1) Yes (Implicit) High 83 Serwadda et al. dataset (Smartphones) 0.179/ — /— 89 N/A Moderate–High 84 Custom mobile app (IoT/Healthcare) — / — /— N/A Yes (Mutual auth.) High 30 Custom mobile/web prototype (Firebase) — / — / — N/A Yes (Context-aware) High 85 Custom dataset (Smartphones/Tablets) 0.24/ — / — 96.23% Yes (Dynamic) High 86 Prototype app (Android + Firebase) — / — / — N/A Yes (Context-aware) High 13 AR, MUCT DBs + mobile frames — / — / — 99.85 Yes (Real-time) High 87 Custom Android app (Razorpay API) — / — /0.28 ≈97–98 Yes (Real-time) Moderate–High 88 ECG-ID, Heartprint, Custom BMD101 DBs 5.61/ — / — 94.39 Yes (Inherent) Very High 89 Synthetic DBs (PhysioNet, SOCOFing, IIT) 0.20 / 0.20/0.21 99.80 Yes (ECG validation) Very High 90 Custom Kaggle dataset (Web platform) — / — / — 98.0 N/A Moderate 91 LFW, FVC2004, CASIA, UBIRIS DBs 0.085/ 0.02/0.15 99.47 Yes (DL-based PAD) Very High 92 Custom dataset (not stated) — / — / — >98 N/A Moderate 93 As shown in Table 6 , most of the reported biometric authentication systems after 2020 have an accuracy rate of greater than 95% and a number of multimodal and deep learning-based approaches have achieved EER values below 1%. However, almost half of the discussed studies failed to report FAR/FRR metrics and only a limited set of studies explicitly used liveness detection or anti-spoofing mechanisms. This suggests that while accuracy has improved significantly from mobile-based biometric systems, issues of presentation attack resistance and real-world scenarios of spoofing remain a major research gap. 
4.2 Threats facing mobile banking Internet banking provides users with efficiency and convenience but remains at risk from multiple cybersecurity threats, which endanger the integrity and confidentiality of financial services as well as system availability. 115 , 116 Banking consumers face three prominent security threats: phishing scams that trick customers into disclosing sensitive data, malware intrusions that take control of devices to intercept logins, 117 and man-in-the-middle (MiTM) attacks that compromise communication between customers and banking institutions. Ransomware attacks, 118 along with brute force methods and credential stuffing, exploit password weaknesses by targeting ordinary users who repeat their passwords across different accounts. Moreover, social engineering methods 119 manipulate users into surrendering their confidential information. Security threats not only affect individual users but also cause substantial damage to the reputation and operational stability of financial institutions. We provide answers to RQ2 in this section: “What are the main security threats and vulnerabilities affecting biometric authentication in mobile banking?”. These threats include: 4.2.1 Malware attacks Mobile banking malware attacks have become increasingly dangerous because smartphone users continually increase their banking activities on mobile devices. The mobile-specific malware category includes banking Trojans and fake banking applications, which steal login data and also intercept SMS authentication codes through screen overlay tactics. 120 These threats take advantage of users who download harmful applications or follow deceitful links that imitate genuine banking platforms. Protecting mobile banking requires strong security measures, app store monitoring and user education programs, since mobile users demonstrate limited security awareness and malware keeps adapting. 
100 , 121 4.2.2 Man-in-the-Middle (MiTM) attacks A MiTM attack allows cybercriminals to intercept communications between two parties without either party detecting the intrusion. Users who send data over the internet become vulnerable through MiTM attacks, as attackers intercept the sensitive information they send, including login credentials and transaction details, during transmission. Attackers take particular advantage of unsecured networks such as public Wi-Fi, because these networks give them opportunities to intercept communications. The combination of SSL/TLS encryption protocols with safe programming practices and user training about risky networks protects sensitive banking information during online financial activities. 56 , 122 , 123 4.2.3 Replay attack In a replay attack, an attacker commits fraud by intercepting authentic transmission data and resending it to fool the intended recipient into taking actions that might include transaction authorization. Replaying captured messages allows attackers to pose as victims and send the captured transaction details to a bank to obtain payments or account transfers. 124 Attackers exploit old communication protocols that lack session state validation and timestamping. All submitted transactions must pass through time-based authentication protocols, and financial institutions need to use nonce-secured requests with session tokens for attack prevention. 56 , 125 , 126 4.2.4 Phishing attacks Attackers conduct phishing, a form of social engineering, by pretending to be trusted parties in order to steal sensitive data such as usernames, passwords and credit card details. In online banking, criminals execute phishing attacks through fake websites or emails that are made to look like those of actual banks, tricking users into providing login details and sensitive financial information. 
Phishing attacks succeed by exploiting human error and trust to obtain sensitive information, so users need heightened awareness to stop them. 121 , 127 4.2.5 Social engineering Attackers use social engineering to manipulate users into revealing sensitive data or performing actions through online interfaces that endanger the security of their bank accounts. Attackers use deception techniques such as fabricated urgency, impersonation and trust-building tactics to trick users. 57 , 128 , 129 4.2.6 SQL injection Attackers conduct SQL injection attacks by inserting malicious code into data strings that are then passed to the SQL database for processing. SQL injection allows attackers to obtain user credentials, including usernames and passwords. The stolen credentials serve as keys to unauthorized access to user accounts. 14 , 130 , 131 4.2.7 Keylogger A keylogger is malicious software that tracks keystrokes. It logs every keystroke typed on a compromised system and captures sensitive data, including passwords and usernames. A computer can become infected with a keylogger in several ways, including opening tainted attachments, clicking on harmful links and downloading files from unverified sources. Once installed on a computer, the keylogger begins recording keystrokes. 29 4.2.8 Weak password Weak passwords pose a security threat to online banking because attackers can guess them easily. Weak passwords make unauthorized entry easier, giving attackers immediate access to sensitive data and user accounts and enabling them to carry out fraud. 123 , 132 4.2.9 Denial-of-Service (DoS) attacks DoS attacks block genuine users' access to online banking operations by flooding systems with abusive network traffic that saturates their resources. 
Service interruptions alongside customer dissatisfaction result from this situation, which leads to financial losses for the bank. Some attacks that initiate denial-of-service conditions serve as shields for other more dangerous threats, including data theft. 98 , 101 4.2.10 Session hijacking Unauthorized session access, which enables an attacker to exploit user identity for online bank account access, is known as “session hijacking.” Network connection interceptions, along with exploiting system vulnerabilities, enable attackers to conduct unlawful activities while acquiring private information. 133 The attacks mentioned earlier show vulnerability to the supply chain and third-party or endpoint access of online banking systems, which results in supply chain attacks that involve attackers using external third-party software or vendors to access systems. The security vulnerabilities in banking systems enable hackers to break online banking security, which might result in unauthorized access and data breaches. Attackers execute endpoint attacks by focusing on both the user’s devices and end points. The attackers want to infiltrate the user’s device to access confidential banking data, which results in both financial fraud and unauthorized transactions. 126 Financial institutions need to use the security measures presented in Table 7 to build protective online banking systems that secure user financial details. Financial institutions establish better online banking security through a complete strategy that integrates technical solutions such as firewalls and antiviruses, educates users about risks and develops essential policies plus continuous observations of systems. Table 7 summarizes these threats while presenting countermeasures that could serve to prevent them. Table 7. Online banking user authentication threats with potential controls. Attacks Potential controls Reference Malware Attacks • Antivirus & anti-malware software. • Regular system updates. 
• Application whitelisting. • User education & sandboxing. 31 , 124 , 134 Man-in-the-Middle (MiTM) Attacks • End-to-end encryption (e.g., TLS/SSL). • Certificate pinning. • Secure key exchange (e.g., Diffie-Hellman). • Avoid public Wi-Fi or use VPN. 135 , 136 Replay Attacks • Timestamps & nonce-based protocols. • Secure tokens with expiration. • Mutual authentication. 125 , 132 Phishing Attacks • Email filtering (spam/phishing detection). • User awareness training. • Domain monitoring. • MFA to mitigate stolen credentials. 57 , 137 , 138 Social Engineering • Security awareness programs. • Simulated phishing tests. • Clear verification policies. • Insider threat monitoring. 137 , 139 , 140 SQL Injection • Input validation & sanitization. • Use of prepared statements (parameterized queries). • Web application firewalls (WAF). 130 Keylogger • Anti-spyware detection tools. • Behavioral monitoring. • OS hardening & restricted privileges. • On-screen keyboards for sensitive input. 141 Weak Passwords • Enforce strong password policies. • Password managers. • MFA/2FA. • Rate limiting and lockout mechanisms. 142 , 143 DoS • Traffic filtering and rate limiting. • Use of CDNs. • Redundant systems and load balancing. • Anomaly detection (IDS/IPS). 144 Session Hijacking • Secure cookie attributes (e.g., HttpOnly, Secure, SameSite). • Session timeout policies. • Token-based session management. • HTTPS for all traffic. 133 4.3 Biometric used in international banks This section investigates RQ3 : “How do major banks worldwide implement and integrate biometric authentication into their mobile banking applications?”. The analysis of authentication practices utilized by international banks provides fundamental knowledge about contemporary changes in online banking safety measures. Table 8 outlines the user authentication techniques of the selected banks and demonstrates how various popular financial institutions authenticate their users. Table 8. 
Summary of biometric authentication methods implemented by major global banks, with emphasis put on their security settings and location of operations. Bank Country Authentication methods Ref. JPMorgan Chase USA Username/password, OTP via SMS/email, biometric (Face ID, Touch ID), device recognition 25 Bank of America USA Username/password, OTP via SMS/email, biometric login via app (Face/Touch ID), app-based MFA 3 HSBC UK/Global Secure Key (hardware/token), Mobile Security Key (in-app), biometric login, OTP 106 , 148 Barclays UK PIN sentry device, biometric login, app-based MFA, SMS/email OTP 149 Deutsche Bank Germany Username/password, mobile TAN (mTAN), photo TAN, biometric login, push notification approval 150 , 151 BNP Paribas France Password + OTP (SMS/email), biometric login, mobile token, app-based confirmation 152 Santander Spain/Global Password, OTP via SMS/email, Mobile Sign (in-app approval), biometric authentication 153 ING Netherlands PIN/password, fingerprint/Face ID via app, in-app transaction approval 114 , 154 Standard Chartered UK/Asia/Africa Username/password, OTP via SMS/email, app-based security token, biometric login 155 DBS Bank Singapore Biometric login, digibank Secure Device, app-based push approval, OTP 105 , 114 HSBC Hong Kong Hong Kong Mobile Security Key, Face ID/Touch ID, OTP via SMS, transaction signing 154 RBC (Royal Bank of Canada) Canada Username/password, OTP, biometric login, 2FA through Secure Cloud 155 NAB (National Australia Bank) Australia Password, SMS OTP, biometric login via mobile app, device recognition 25 The information in Table 8 reveals the user authentication strategies used by several well-known financial institutions, including JPMorgan Chase, Bank of America, HSBC, Barclays, Deutsche Bank, BNP Paribas, Santander, ING, Standard Chartered, DBS Bank, HSBC Hong Kong, RBC (Royal Bank of Canada), and NAB (National Australia Bank). 
Financial institutions utilize MFA systems because they prioritize the defense of customer online account security. Financial institutions mainly employ password authentication as their principal security procedure. Account holders need to build passwords for their financial institutions, which adhere to prescribed guidelines (such as the NIST password policy) that require eight characters or more in length with a mixture of upper and lowercase letters and numbers and symbols. The initial security measure that defends against unapproved system access is the use of passwords. OTP authentication serves as a security approach that numerous financial institutions within the banking sector currently use. New device users must provide a unique OTP password that arrives through SMS or email to finish their login process. Users must provide the received code before their login process can become fully secure. OTP serves only single login sessions and operates with limited validity, making it highly unlikely for attackers to obtain the password. The rising trend in banking shows that physiological biometric identification serves banks as a safer authentication option than passcodes do. Special physical attributes such as fingerprints and facial recognition serve as verification tools to identify customers during their process. 113 The authentication method poses challenges to falsify essential data, thus making it an optimal barrier against unauthorized access. Security functions at these banks are implemented via 2FA technology. Users need to enter two security factors along with their password during first-time logins from new devices by providing an OTP or biometric verification. Security protection from 2FA 145 creates a double authentication requirement that makes unauthorized access attempts practically impossible. 
Banks offer alternative authentication solutions for customers, which include USB security keys as well as security questions and challenge/response authentication and voiceprint authentication and device fingerprints. 146 Device fingerprints determine the devices used by users, whereas voiceprint authentication depends on a person’s voice specifics. 147 A challenge/response system requires the customer to enter authorization codes that originate from bank transmissions to their mobile device. Security keys connected to a USB port work as extended measures for online banking safety by enabling users to enhance transfer constraints through their computer’s USB connector. As customers complete the login process, the system asks them to answer security questions that have already been chosen by the platform, thus activating security authentication. Bank security measures receive ongoing assessment and updates from these banks to maintain timely protection of customer account safety against new security challenges. We highlighted the use of biometrics in leading banks, extracted from Table 8 , to determine the most used authentication methods. Table 9 illustrates the role of the biometric methods used by leading banks. Table 9. Biometric authentication methods implemented in leading banks. 
Bank Biometric technology used Application area JPMorgan Chase Facial recognition, palm vein scanning In-store payment authentication Bank of America Fingerprint, facial recognition Mobile banking app HSBC Fingerprint, facial recognition Mobile banking app Barclays Voice recognition Phone banking services Deutsche Bank Fingerprint, facial recognition DB Secure Authenticator app BNP Paribas Fingerprint Biometric payment cards Santander Fingerprint, facial recognition Mobile banking app ING Fingerprint Mobile banking app Standard Chartered Fingerprint, facial recognition Mobile banking app DBS Bank Fingerprint, facial recognition, voice recognition Mobile banking app; ATM transactions HSBC Hong Kong Fingerprint, facial recognition Mobile banking app RBC (Royal Bank of Canada) Fingerprint, facial recognition Mobile banking app NAB (National Australia Bank) Fingerprint, facial recognition Mobile banking app From Table 9 we note that: Fingerprint and Facial recognition are the two most used biometric mechanisms probably because most of the smartphones now support them and they are highly accepted by users. Voice recognition is rarer, and more often in mobile-based banking. Palm veins are quite unusual, but there is higher security and usage in physical (store for payments) authentication scenarios. Mobile banking for convenient and secure login is the most common area of biometric applications. Some banks (for example, DBS Bank) merge several biometric devices, for example: fingerprint, face and voice – suggestive of a multi-modal approach in security improvement. Figure 7 depicts visual representation of how often each of the biometric authentication methods are used by the banks. As you can observe, fingerprints and facial recognition outrun the competitors, while voice and palm vein scanning are far rarer. Figure 7. 
Distribution of biometric authentication technologies (e.g., fingerprint, facial, voice, palm) adopted by major banks in the world, reflecting adoption trends and popularity in mobile banking services. 4.4 Usability and user perception challenges and limitations The literature shows that there is a stark tradeoff between strength of security and usability. As biometrics increase protection, the ineffective user experience will decrease adoption and efficacy. The banks must focus on usability testing, offer alternative, safe options (i.e., token generated by the device), and increase transparency regarding the use of biometric data. The usability and how often it is perceived by the user are important issues that determine the significance and adoption of biometric authentication mobile banking techniques. As indicated in various other studies 156 , 157 one of the issues many users face when using biometric systems is irritation related to the unreliability of these systems, such as inability to recognize their fingerprint when their fingers are wet, in situations of skin damage, or due to technical purposes of sensors. In the same light, facial recognition has been observed to perform poorly in low-light situations or when the user is wearing glasses or face mask. Such technical shortcomings may undermine the trust in the system and make people turn off the security features or switch to the less safe options (e.g., back to the passwords or PINs). On top of technical problems, user perception plays an important part in the adoption of biometrics. A study conducted by 158 has revealed that a high percentage of users were worried about the personal safety and confidentiality of biometric data particularly when this data was stored on cloud-based platform instead of being secured on the gadget. The level of confidence in banks and their confidentiality of information was a deciding factor as to whether the user activated biometric authentication. 
Moreover, some studies like, 38 have pointed out the issue of the inaccessibility of MFA especially to ageing people and individuals with disabilities who might have a hard time using or comprehending some MFA techniques. Overall, literature points at the necessity to design authentication systems in a way that composes security and simplicity to use, availability, and visibility, so that security apparatus will not be an obstacle to user interaction. Online banking user authentication techniques and cyber threats maintain an uncertain outlook, but the resulting risks remain massive. 58 In this section we answered RQ4 which stated: “What is the key usability, privacy, and user acceptance challenges related to biometric authentication in mobile banking?”. These challenges represent the main difficulties that must be addressed when enhancing the security of online banking systems, in addition to user authentication procedures. We have classified the most important challenges as follows: 4.4.1 Artificial intelligence challenge The adoption of artificial intelligence through machine learning by cyberattacks presents a threat to online banking infrastructure, which includes network breaches and defeats detection systems. The implementation of ML involves several methods for breaching online banking authentication systems. 159 – 161 4.4.1.1 Bias in biometric systems Biometric systems powered by artificial intelligence produce irregular results when processing users from diverse population demographics, including ethnicities, as well as gender and age groups. A lack of diversity in training data can result in unfair FAR or FRR errors that produce trust and legal challenges among specific users. 162 4.4.1.2 Adversarial attacks Information security risks exist because AI authentication systems can be deceived through adversarial examples that adversaries specifically generate to trick them (such as manipulated fingerprints, deepfakes or altered patterns). 
Researchers aim to build authentication models with resistance to manipulation because this remains a critical research topic. 125 , 163 , 164 4.4.1.3 Deep fakes can be produced Artificial deep fakes demand ML techniques for their production. Artificial works labeled deep fakes combine someone else’s likeness by replacing it with extant images and footage. Any recorded online banking registration activity can be faked through deep fakes to steal user login credentials used in the fake video. 163 , 165 – 167 4.4.1.4 ML technology ML enables the automation of assaults against banking systems that operate through the internet. The automation of attacks targeting online banking systems becomes possible through the application of ML techniques for addressing guessing attacks as well as brute-force attacks and DoS attacks. 144 The attackers benefit from simpler ways to run successful assaults against online banking infrastructure. Phishing attacks can be launched with the assistance of ML. 168 Phishing attacks use deceptive methods to force users to reveal their critical account information, including bank card numbers and network access secrets. AI facilitates the development of convincing phishing emails along with corresponding websites that target users. 159 These attacks become more deceptive because they offer a higher probability of deceiving users. ML provides banks with tools to protect their systems from cyberattacks, enabling them to enhance the security and resilience of their systems. By utilizing ML, banks enhance both their risk management and compliance practices to detect and prevent fraud together with malware and phishing attacks. 169 The application approach of ML determines whether it offers either risk or an opportunity to use online banking systems. 
170 4.4.1.5 High computational and energy demands Real-time AI-based authentication that runs on the device's own resources is constrained on older and less expensive mobile devices. Cloud storage introduces new security risks during processing, together with greater processing delays. 171 4.4.1.6 Explainability and transparency The issue of explainability and transparency in mobile banking deserves attention because biometric authentication systems are often complicated. Because these systems depend heavily on complex AI-based and machine learning algorithms to make authentication decisions, ordinary users and even the system operators are often unable to see how such decisions are made. When no clear justification is given for denying access or for scoring a user as suspicious, the result may be frustration, mistrust, and user abandonment. In addition, transparent systems are critical for regulatory and ethical purposes such as audit, accountability, and the determination of fairness, especially when biometric data of a sensitive nature are involved. Improving explainability will enable developers to pinpoint and redress errors or bias and give users a more effective understanding of how their data are utilized, enhancing trust and confidence in mobile banking authentication in general. 171 , 172 4.4.1.7 Spoofing and presentation attacks Vulnerability to presentation attacks and spoofing is one of the greatest disadvantages of biometric authentication in mobile banking systems. These attacks deceive the system by presenting fake or artificial biometrics, including silicone fingerprints, 132 high-resolution photographs of the face, or even complex masks made with 3D printers. 173 For example, an attacker can lift a fingerprint off a surface and re-mold it in gelatin or latex material, or defeat facial recognition with a video replay or a 3D mask. 
174 Most biometric systems have attempted to counteract these threats with liveness detection tools, which might check for blinking or skin texture, although these are not available universally or equally reliable across all devices. Spoofing attacks are more likely to succeed on low-end smartphones or in applications with weak security. Also, the use of liveness detection may affect user experience in some cases, which leads developers to turn it off or modify it in some way. 43 With ever-evolving spoofing techniques, such as deep fakes and masks with embedded motion, present-day biometric systems are struggling to provide secure authentication. This not only exposes user accounts to unauthorized access but also undermines user trust, and it raises legal and regulatory issues for financial institutions. Implementing multimodal biometric authentication, constant surveillance and AI-based spoof protection is essential in building solid mobile banking security. 175 4.4.1.8 Dependency and hardware limitations In mobile banking, the performance of biometrics depends heavily on the hardware capabilities of users' devices. Premium smartphones typically have improved sensors, such as depth cameras or ultrasonic fingerprint readers, 176 which enable authentication with higher accuracy and security. On the other hand, low-end or older devices come with basic 2D cameras or capacitive sensors, which are more error-prone and could be more easily spoofed. Such hardware mismatches may cause uneven authentication experiences, higher false acceptance and false rejection rates, and exclusion of users with outdated devices. 177 Also, limited hardware support makes app development harder and prevents the implementation of higher levels of security, which, in turn, makes mobile banking platforms less secure and less readily accessible. 
4.4.2 False Acceptance/False Rejection Rates (FAR/FRR) FAR and FRR are among the error measures ( Figure 8 ) that make biometric authentication systems vulnerable. FAR is the rate at which unauthorized users are wrongly granted access, and FRR is the rate at which authorized users are wrongly denied access. Such errors may be caused by, among other things, improper lighting, sensor inclusions or damage, changes in the user's physical appearance (age, injury, facial hair), or inconsistent sensor behavior across different devices. A high FAR compromises security, whereas a high FRR harms usability and user satisfaction, both of which are important in mobile banking applications. Striking a workable balance between these rates is a major difficulty in the design of biometric systems. 177 Figure 8. Illustration of the trade-off between FAR and FRR in biometric authentication. 4.4.3 Balancing security and usability Striking the right balance between security and usability is one of the major issues in implementing biometric authentication methods in mobile banking. Although stronger security procedures, e.g., multiple authentication factors or high-quality liveness detection, can bring greater security, they can also introduce friction, delay or confusion for users. Conversely, simplified forms of authentication can provide a better experience but can leave systems at a higher risk of attack. For example, high-tier logins that use multiple steps can be strenuous for users and decrease usage of the application; by contrast, using biometrics as the only mode of verification can exclude users with certain accessibility challenges. Effective authentication must therefore balance sound protection against threats with ease of use and accessibility for users. 
To do that, it will be necessary to have adaptive authentication mechanisms, user-centered design, and continuous assessment of security point risks as well as user behavior. 178 , 179 4.4.4 Regulatory and ethical compliance Regulatory and ethical compliance plays an important role when implementing biometrics authentications in mobile banking. The legal environment is very complicated, and financial institutions have to comply with international data protection regulations including the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the council on data protection and privacy and the California Consumer Privacy Act of 2018 (CCPA), enacted by the California Legislature to enhance consumer data privacy protections in the United States. 161 These laws obligate organizations to obtain informed consent from users, reduce the amount of data collected, store information in a safe manner and make the processing of the biometrics open. Banks also have an ethical obligation to stop misuses or discrimination through systems that provide poor results according to a demographic group. A failure to fulfill these responsibilities may lead to legal action and damage to reputation, an economic impact and loss of the trust of the users. To adhere to it, organizations are required to incorporate privacy-by-design, conduct regular system audit to determine its fairness and non-discriminatory nature, and ensure that it grants users full control over their personal biometric information. 147 4.4.5 User privacy challenge Online banking authentication through the BBA, including fingerprint authentication, presents the highest security level because attempts to forge or steal biometric data prove very difficult. The application of BBA includes privacy-related problems. A biometric database breach of a bank will give hackers the ability to obtain all the authenticity data of its banking clients. 
Customers have reservations about banking establishments and other organizations storing their biometric information. Banks that utilize BBA require proper protection of biometric data that belongs to their clients. Banks must secure data against unlawful handling through preventative measures. A privacy policy needs to exist that explains to clients how their biometric information will be handled. 126 4.4.6 System compatibility challenge Financial institutions must transform their current technology platforms and authorize procedures to welcome different authentication approaches, such as biometrics along with tokens and MFA, for online banking access. Additionally, merchants should approve of their payment vendors, who assist in online authentication. 179 4.4.7 System usability challenge The user authentication sector faces a conventional challenge because securing systems becomes riskier when making authentication methods easier to use. The implementation of layering represents a security improvement approach for user authentication systems. 98 MFA requires multiple security checks that combine multiple factors such as biometric authentication, passwords/PIN, OTP and/or other factors. 73 Layering is founded on the fact that if one safeguard is breached, other levels of security will still protect the system from the undesired users. The number of layers determines better system protection but creates a declining usability experience. The authentication procedure becomes more challenging with each additional layer, which ultimately leads to user frustration. 178 Our system enhances security when we use multiple authentication layers, although usability decreases at the same time. Security and usability must be balanced when choosing authentication methods according to the required security measures. 5. Limitation This systematic review has several limitations. 
First, a formal risk-of-bias or certainty assessment was not conducted because the included studies are highly heterogeneous in terms of datasets, evaluation protocols, biometric devices and performance metrics. Such variations make the use of standardized tools (e.g., RoB, GRADE) unsuitable for technical and engineering research. Second, a meta-analysis was not possible because of the lack of comparable quantitative data across studies, because the reporting formats and evaluation measures (e.g., EER, FAR, FRR) differ significantly. Third, only studies published in English and available through selected digital libraries were included, which may introduce publication or language bias. Despite these limitations, the current biometric-based authentication research is comprehensively synthesized in this review, and a structured analysis is presented to guide future directions in mobile banking security. 6. Conclusion and future directions This study analyzes biometric authentication methods implemented in mobile banking from 2020–2025 via an SLR. The review examined five essential topics, including mobile banking authentication methods and security risks, the biometric authentication methods deployed by major banks worldwide, usability challenges and limitations, and future directions. The authentication methods for online mobile banking users can be categorized into four categories: BBA, KBA, PBA and MFA methods. Each part contains a variety of authentication methods with varying weaknesses, strengths, and implementation. KBA methods depend on user knowledge, such as PIN, passwords and security questions, to verify their identity. The verification process under KBA authentication methods depends on the information that the user has, which includes passwords, PINs and security questions. 
BBA methods identify users through specific measurements of biological markers known as physiological traits, which include fingerprints, facial identification, iris scanning, hand geometry, vein and behavioral biometrics, including voice recognition, keystroke, EEG, signatures, hand movement patterns and continuous authentication, such as touch screens. Users access their accounts through PBA methods by relying on authentication tokens that include OTP authentication, which sends exclusive temporary codes to users through SMS, e-mail or other applications and covers security keys/USB and wearable devices. The authentication methods employ different procedures that do not belong to either the KBA or the BBA or PBA categories. Among these authentication examples are MAC addresses, IP addresses, proxies, QR codes, geolocation data and CAPTCHAs. MFA frameworks enhance security by implementing multiple authentication approaches that belong to different categories. When banks implement multiple authentication methods, they build up their system security while developing a multilayered protective system, which makes it difficult for attackers to break in. The multiple layers ensure system protection because each layer provides additional security if an attacker manages to breach one defense mechanism. This research analysis examined multiple types of cyber threats that target online banking systems while discussing methods to bypass authentication protection measures. Multiple online banking threats include malware attacks, social engineering techniques and phishing attacks, MitM attacks, DoS attacks, session hijacking, weak passwords, keyloggers, SQL injections and replay attacks. The research examined different authentication methods used by well-known banks to determine secure practices for protecting online banking accounts. 
By discussing the advantages and disadvantages of the user verification methods used in online payments, this research analyzes the biometric authentication methods that are implemented in mobile banking; thus, the security of mobile banking has increased because biometrics verify users by checking their unique characteristics, including fingerprints and facial recognition. The use of biometrics enhances mobile banking security with superior identity verification, which results in higher access speed in addition to better fraud protection. The security and user authentication process of online banking systems need improvement through the consideration of four key challenges: artificial intelligence, FAR/FRR, balancing security and usability, regulatory and ethical compliance, user privacy challenge, system compatibility challenge and system usability challenge. This research has several major limitations because it relies on literature reviews about online mobile bank account authentication. The following section answered RQ5 which stated: “What are the limitations and future research directions in improving biometric-based authentication for secure and convenient mobile banking?”. These limitations are that the review does not cover the fusion of biometrics in mobile banking, digital wallets, blockchain and wearable devices such as rings. Future research should include blockchain authentication, fusion techniques, e-wallets authentication and wearable devices, and other future directions related to security and privacy, such as the following: 1- Adaptive and Context-Aware Authentication: Research should evaluate methods for authentication systems to change security levels based on real-time threat analysis, behavioral information and environmental signals (such as location status and device health status). 
2- Privacy-Preserving Biometric Systems: Biometric data protection research must focus on security strategies that start from data collection through storage and transmission phases since privacy-protecting techniques such as homomorphic encryption and secure multiparty computation enter the market. 3- Threat Modeling in Evolving Environments: The ongoing analysis of threats should predict potential weaknesses that arise from new technology implementations such as embedded banking combined with AI fraud detection systems and wearable biometric scanning. 4- Future Use of Multimodal Fusion: Further studies of highly integrated fusion techniques capable of integrating various biometric identifiers (e.g., fingerprint and face) with the context in a way that maximizes security and usability must be investigated. An AI-driven decision model is likely to enable more reliable and user-friendly authentication in high-risk contexts such as mobile banking and e-government services in the future through the fusion of AI with various modalities whose weights are adaptively changed by their reliability in real-time. The research results will appeal to multiple groups, such as financial organizations and official government agencies, together with academic researchers. The resulting insights will enable researchers to create security systems as well as educational content that safeguards users from performing online banking activities. Data availability All data supporting the findings of this systematic review have been deposited in the Zenodo public repository and are openly accessible under the CC0 1.0 Universal license . 
The dataset includes: • The completed PRISMA 2020 checklist • The PRISMA flow diagram • The SLR dataset containing all 97 included studies with extracted variables Repository: Zenodo Title : PRISMA Checklist, Flow Diagram, and SLR Dataset for “A Systematic Literature Review on Biometric Authentication in Mobile Banking” DOI : https://doi.org/10.5281/zenodo.17744117 180 License: CC0 1.0 Universal These materials provide full transparency and allow complete reproducibility of the review process. References 1. Fedorenko OH, Velychko SV, Kaidan YV: Investigating vulnerabilities of personal data on financial websites. CEUR Workshop Proc. 2025; 3917 : 451–458. 2. Wang C, Wang Y, Chen Y, et al. : User authentication on mobile devices: Approaches, threats and trends. Comput. Netw. 2020; 170 : 107118. Publisher Full Text 3. Karim NA, Khashan OA, Kanaker H, et al. : Online Banking User Authentication Methods: A Systematic Literature Review. IEEE Access. 2024; 12 : 741–757. Publisher Full Text 4. Adeniran T, et al. : Vulnerability assessment studies of existing knowledge-based authentication systems: a systematic review. Sule Lamido Univ. J. Sci. Technol. 2024; 8 (1): 34–61. Publisher Full Text 5. Hajjisaaid A, Ahmed YA: Secure Electronic Banking Authentication - Survey. 2020 International Conference on Computing and Information Technology (ICCIT-1441). 2020; pp. 1–4. Publisher Full Text 6. Chong CL, Harun NZ: Secure File Sharing System with Strong Password and One Time Password Authentication.2025; 10 (1). Publisher Full Text 7. Karim NA, Kanaker H, Almasadeh S, et al. : A Robust User Authentication Technique in Online Examination. Int. J. Comput. Dent. 2021; 20 (4): 535–542. Publisher Full Text 8. Author A: Broken Access: On the Challenges of Screen Reader Assisted Two-Factor and Passwordless Authentication. Association for Computing Machinery; vol. 1 (1). 9. Aruna R, Narendran K, Nithya Shree V, et al. 
: IoT - Based ATM Pin Entry by Random Word Generator Using Design Thinking Framework. 2023 9th International Conference on Advanced Computing and Communication Systems (ICACCS). 2023; pp. 949–952. Publisher Full Text 10. De Luca A, Lindqvist J: Is secure and usable smartphone authentication asking too much? Computer (Long. Beach. Calif). 2015; 48 (5): 64–68. Publisher Full Text 11. Gautam AK, Kapoor R: A Novel ES-RwCNN Based Finger Vein Recognition System with Effective L12 DTP Descriptor and AWM-WOA Selection. Eng. Lett. 2022; 30 (2): 882–891. Reference Source 12. Zhang WK, Kang MJ: Factors Affecting the Use of Facial-Recognition Payment: An Example of Chinese Consumers. IEEE Access. 2019; 7 : 154360–154374. Publisher Full Text 13. Salman M, Mishra RK: AI-Enhanced Secure Mobile Banking System Utilizing Multi-Factor Authentication. Int. J. Exp. Res. Rev. 2024; 45 : 153–172. Publisher Full Text 14. Arora S, Bhatia MPS: Challenges and opportunities in biometric security: A survey. Inf. Secur. J. A Glob. Perspect. 2022; 31 (1): 28–48. Publisher Full Text 15. Bartłomiejczyk M, Imed EF, Kurkowski M: Multifactor Authentication Protocol in a Mobile Environment. IEEE Access. 2019; 7 : 157185–157199. Publisher Full Text 16. Tran-truong PT, Pham MQ, Son HX, et al. : A systematic review of multi-factor authentication in digital payment systems: NIST standards alignment and industry implementation analysis. J. Syst. Archit. 2025; 162 (March): 103402. Publisher Full Text 17. Prihodova K, Hub M: Hand-Based Biometric System Using Convolutional Neural Networks. Acta Inform. Pragensia. 2020; 9 (1): 48–57. Publisher Full Text 18. Alruban A: Prediction of Application Usage on Smartphones via Deep Learning. IEEE Access. 2022; 10 : 49198–49206. Publisher Full Text 19. Alawami MA, Abuhmed T, Abuhamad M, et al. : MotionID: Towards practical behavioral biometrics-based implicit user authentication on smartphones. Pervasive Mob. Comput. 2024; 101 : 101922. Publisher Full Text 20. 
Katsini C, Belk M, Fidas C, et al. : Security and usability in knowledge-based user authentication: A review. Proceedings of the 20th Pan-Hellenic conference on informatics. 2016; pp. 1–6. 21. Varshney I, Sagar S: Three Level Password Authentication System using Cryptography Approaches. 2023 2nd International Conference for Innovation in Technology (INOCON). 2023; pp. 1–7. Publisher Full Text 22. Zhao S, Hu W: Improvement on OTP authentication and a possession-based authentication framework. Int. J. Multimed. Intell. Secur. 2018; 3 (2): 187. Publisher Full Text 23. Vivekanandan M, Sastry VN, Reddy US: Biometric based User Authentication Protocol for Mobile Cloud Environment. 2019 IEEE 5th International Conference on Identity, Security, and Behavior Analysis (ISBA). 2019; pp. 1–6. Publisher Full Text 24. Rabie A, Handmann U: Biometrie for home environment challenges, modalities and applications. 2015 World Congress on Information Technology and Computer Applications (WCITCA). 2015; pp. 1–4. Publisher Full Text 25. Prabakaran D, Ramachandran S: Multi-factor authentication for secured financial transactions in cloud environment. Comput. Mater. Contin. 2021; 70 (1): 1781–1798. Publisher Full Text 26. Quality S, et al. : The Critical Review of Social Sciences Studies Unlocking Mobile Banking Adoption: The Interplay of Interface Design.2025; 3 : 251–274. 27. Benjapatanamongkol N, Bhattarakosol P: A Preliminary Study of Finger Area and Keystroke Dynamics Using Numeric Keypad With Random Numbers on Android Phones. 2019 23rd International Computer Science and Engineering Conference (ICSEC). 2019; pp. 30–34. Publisher Full Text 28. Sahdev SL, Singh S, Kaur N, et al. : Behavioral biometrics for adaptive authentication in digital banking - Guard against flawless privacy. Proceedings of International Conference on Innovative Practices in Technology and Management, ICIPTM 2021. 2021; 261–265. Publisher Full Text 29. 
Verma M, Sawhney R, Chalia R: Biometric based user authentication in smart phones. 2017 International Conference on Next Generation Computing and Information Systems (ICNGCIS). 2017; pp. 183–188. 30. Aldarwish AJY, Patel K, Yassin AA, et al. : Virtual SmartCards-based Authentication in Healthcare Systems and Applications. Int. J. Comput. Inf. Syst. Ind. Manag. Appl. 2023; 15 (2023): 522–530. Reference Source 31. Wazid M, Zeadally S, Das AK: Mobile Banking: Evolution and Threats: Malware Threats and Security Solutions. IEEE Consum. Electron. Mag. 2019; 8 (2): 56–60. Publisher Full Text 32. Nsaif AK, Ali SHM, Nseaf AK, et al. : Robust and Swift Iris Recognition at distance based on novel pupil segmentation. J. King Saud Univ. - Comput. Inf. Sci. 2022; 34 (10, Part B): 9184–9206. Publisher Full Text 33. Venkatesh G, Gopal SV, Meduri M, et al. : Application of session login and one time password in fund transfer system using RSA algorithm. 2017 International conference of Electronics, Communication and Aerospace Technology (ICECA). 2017; pp. 732–738. Publisher Full Text 34. Mohammed HH, Baker SA, Nori AS: Biometric identity Authentication System Using Hand Geometry Measurements. J. Phys. Conf. Ser. 1804; 1804 : 012144. Publisher Full Text 35. Mouliou DS, Gourgoulianis KI: False-positive and false-negative COVID-19 cases: respiratory prevention and management strategies, vaccination, and further perspectives. Expert Rev. Respir. Med. 2021; 15 (8): 993–1002. PubMed Abstract | Publisher Full Text | Free Full Text 36. Asghar MR, Backes M, Simeonovski M: PRIMA: Privacy-Preserving Identity and Access Management at Internet-Scale. 2018 IEEE International Conference on Communications (ICC). 2018; pp. 1–6. Publisher Full Text 37. Yang C, Chen J, Zeng B, et al. : Overview of Blockchain Privacy Protection. 
2022 IEEE 8th Intl Conference on Big Data Security on Cloud (BigDataSecurity), IEEE Intl Conference on High Performance and Smart Computing, (HPSC) and IEEE Intl Conference on Intelligent Data and Security (IDS). 2022; pp. 212–217. Publisher Full Text 38. Jain AK, Deb D, Engelsma JJ: Biometrics: Trust, But Verify. IEEE Trans. Biometrics, Behav. Identity Sci. 2022; 4 (3): 303–323. Publisher Full Text 39. Kouser F, Nagaratna PVR, Sree B, Ravikiran: Highly Secure Multiple Account Bank Affinity Card-A Successor for ATM Card. 2018 International Conference on Design Innovations for 3Cs Compute Communicate Control (ICDI3C). 2018; pp. 115–119. Publisher Full Text 40. Lupu C, Găitan V-G, Lupu V: Fingerprints used for security enhancement of online banking authentication process. 2015 7th International Conference on Electronics, Computers and Artificial Intelligence (ECAI). 2015; pp. 217–220. Publisher Full Text 41. Muley A, Kute V: Prospective solution to bank card system using fingerprint. 2018 2nd International Conference on Inventive Systems and Control (ICISC). 2018; pp. 898–902. Publisher Full Text 42. Aziz MF, Taraka GS, Sidharta S: Face Recognition as Base Protocol in Online Transactions. Procedia Comput. Sci. 2024; 245 : 166–175. Publisher Full Text 43. Khairnar S, Gite S, Kotecha K, et al. : Face Liveness Detection Using Artificial Intelligence Techniques: A Systematic Literature Review and Future Directions. Big Data Cogn. Comput. 2023; 7 (1). Publisher Full Text 44. Aydin M, Taskiran M, Kahraman N, et al. : A Fusion-Based Deep Neural Networks Approach for Face Liveness Detection. 2023 International Conference on Innovations in Intelligent Systems and Applications (INISTA). 2023; pp. 1–6. Publisher Full Text 45. Soares J, Gaikwad AN: Fingerprint and iris biometric controlled smart banking machine embedded with GSM technology for OTP. 2016 International Conference on Automatic Control and Dynamic Optimization Techniques (ICACDOT). 2016; pp. 409–414. 
Publisher Full Text 46. Kinkiri S, Keates S: Speaker Identification: Variations of a Human voice. Proceedings of the 2020 International Conference on Advances in Computing and Communication Engineering, ICACCE 2020. 2020. Publisher Full Text 47. Li X: Application of biometric identification technology for network security in the network and information era, which will greatly change the life-style of people. 2015 IEEE 12th International Conference on Networking, Sensing and Control. 2015; pp. 566–569. Publisher Full Text 48. Mallika, Deep V, Sharma P: Analysis and Impact of Cyber Security Threats in India using Mazarbot Case Study. 2018 International Conference on Computational Techniques, Electronics and Mechanical Systems (CTEMS). 2018; pp. 499–503. Publisher Full Text 49. Golatkar AN, Vinod Thawari A, Yadav AM, et al. : Design of Secured Multifactor Fingerprint Authentication System for Bank Employee. 2022 3rd International Conference on Electronics and Sustainable Communication Systems (ICESC). 2022; pp. 662–667. Publisher Full Text 50. Kiyani AT, Lasebae A, Ali K, et al. : Secure online banking with biometrics. 2019 International Conference on Advances in the Emerging Computing Technologies, AECT 2019. 2020. Publisher Full Text 51. Dee T, Richardson I, Tyagi A: Continuous Nonintrusive Mobile Device Soft Keyboard Biometric Authentication. Cryptography. 2022; 6 (2). Publisher Full Text 52. Dhoot A, Nazarov AN, Koupaei ANA: A Security Risk Model for Online Banking System. 2020 Systems of Signals Generating and Processing in the Field of on Board Communications. 2020. Publisher Full Text 53. Almadani MS, Alotaibi S, Alsobhi H, et al. : Blockchain-based multi-factor authentication: A systematic literature review. Internet of Things. 2023; 23 : 100844. Publisher Full Text 54. Nagabushanam M, Jeevanandham S, Ramalingam S, et al. : AI based E-ATM Security and Surveillance System using BLYNK-loT Server. 
2022 3rd International Conference on Communication, Computing and Industry 4.0 (C2I4). 2022; pp. 1–5. Publisher Full Text 55. Lamoyero Z, Fajana O: Exposed: Critical Vulnerabilities in USSD Banking Authentication Protocols. 2023 IEEE International Conference on Cyber Security and Resilience (CSR). 2023; pp. 275–280. Publisher Full Text 56. Wang X, Yan Z, Zhang R, et al. : Attacks and defenses in user authentication systems: A survey. J. Netw. Comput. Appl. 2021; 188 : 103080. Publisher Full Text 57. Subairu S, Alhassan J, Abdulhamid S, et al. : A Review of Detection Methodologies for Quick Response code Phishing Attacks. 2020 2nd International Conference on Computer and Information Sciences (ICCIS). 2020; pp. 1–5. Publisher Full Text 58. Mihali S-I, Niță Ș-L: Cybersecurity of Online Financial Systems using Machine Learning Techniques. 2024 16th International Conference on Electronics, Computers and Artificial Intelligence (ECAI). 2024; pp. 1–6. Publisher Full Text 59. Sarkis-Onofre R, Catalá-López F, Aromataris E, et al. : How to properly use the PRISMA Statement. Syst. Rev. 2021; 10 (1): 115–117. PubMed Abstract | Publisher Full Text | Free Full Text 60. Yusop MIM, Kamarudin NH, Suhaimi NHS, et al. : Advancing Passwordless Authentication: A Systematic Review of Methods, Challenges, and Future Directions for Secure User Identity. IEEE Access. 2025; 13 (December 2024): 13919–13943. Publisher Full Text 61. Kusumaningsih D, Darmayanti R, Latipun L: How Mendeley Software Enhances Students. Scientific Writing through Mentorship and Training Opportunities. 2024; 2 (June): 45–56. Publisher Full Text 62. Zhao F, Li J, Zhang L, et al. : Multi-view face recognition using deep neural networks. Futur. Gener. Comput. Syst. 2020; 111 : 375–380. Publisher Full Text 63. Garcia-Martin R, Sanchez-Reillo R: Vein Biometric Recognition on a Smartphone. IEEE Access. 2020; 8 : 104801–104813. Publisher Full Text 64. Estrela PMAB, Albuquerque RO, Amaral DM, et al. 
: A framework for continuous authentication based on touch dynamics biometrics for mobile banking applications. Sensors. 2021; 21 (12). PubMed Abstract | Publisher Full Text | Free Full Text 65. Vinod PR, Anitha A: A Novel Human Activity Recognition Model for Smartphone Authentication. Wirel. Pers. Commun. 2023; 129 (4): 2791–2812. Publisher Full Text 66. Hublikar S, Pattanashetty VB, Mane V, et al. : Biometric-based authentication in online banking. Information and Communication Technology for Competitive Strategies (ICTCS 2021) ICT: Applications and Social Interfaces. Spring, 2022; pp. 249–259. 67. Jancok V, Ries M: Security Aspects of Behavioral Biometrics for Strong User Authentication. ACM Int. Conf. Proceeding Ser. 2022; 1 (1): 57–63. Publisher Full Text 68. Hassan A, George A, Varghese L, et al. : The Biometric Cardless Transaction with Shuffling Keypad Using Proximity Sensor. 2020 Second International Conference on Inventive Research in Computing Applications (ICIRCA). 2020; pp. 505–508. Publisher Full Text 69. Venkatesan R, et al. : Secure online payment through facial recognition and proxy detection with the help of TripleDES encryption. J. Discret. Math. Sci. Cryptogr. 2021; 24 (8): 2195–2205. Publisher Full Text 70. Navin Kumar M, Raghul S, Nirmal Prasad K, et al. : Biometrically Secured ATM Vigilance System. 2021 7th International Conference on Advanced Computing and Communication Systems (ICACCS). 2021; pp. 919–922. Publisher Full Text 71. Hussein O: A Proposed Approach to Secure Automated Teller Machine-Based Financial Transactions. 2021 Tenth International Conference on Intelligent Computing and Information Systems (ICICIS). 2021; pp. 236–242. Publisher Full Text 72. Bah CU, Seyal AH, Yahya U: Combining PIN and Biometric Identifications as Enhancement to User Authentication in Internet Banking.2021; 1–4. Reference Source 73. Moepi GL, Mathonsi TE: Multi-Factor Authentication Method for Online Banking Services in South Africa. 
2021 International Conference on Electrical, Computer and Energy Technologies (ICECET). 2021; pp. 1–5. Publisher Full Text 74. Incel ÖD, et al. : DAKOTA: Sensor and touch screen based continuous authentication on a mobile banking application. IEEE Access. 2021; 9 (99): 38943–38960. Publisher Full Text 75. Raghavendra Jingade R, Sanjeev Kunte R: DOG-ADTCP: A new feature descriptor for protection of face identification system. Expert Syst. Appl. 2022; 201 : 117207. Publisher Full Text 76. Rahman A, et al. : Robust biometric system using session invariant multimodal EEG and keystroke dynamics by the ensemble of self-ONNs. Comput. Biol. Med. 2022; 142 : 105238. PubMed Abstract | Publisher Full Text 77. Hussein O: A Proposed Anti-Fraud Authentication Approach for Mobile Banking Apps. 2022 4th Novel Intelligent and Leading Emerging Sciences Conference (NILES). 2022; pp. 56–61. Publisher Full Text 78. Kalmani S; D. U: Application of Computer Vision for Multi-Layered Security to ATM Machine using Deep Learning Concept. 2022 International Conference on Applied Artificial Intelligence and Computing (ICAAIC). 2022; pp. 999–1004. Publisher Full Text 79. Chaubey S, Bhalerao S, Mangaonkar N: AutoKYC: Automation of Identity establishment and authentication in KYC process using Text extraction and face recognition. 2022 2nd Asian Conference on Innovation in Technology (ASIANCON). 2022; pp. 1–6. Publisher Full Text 80. Tilloo I, Bhingarkar S: Cardless Cash Withdrawal Using Palm Vein Technology. 2022 International Conference on Futuristic Technologies (INCOFT). 2022; pp. 1–5. Publisher Full Text 81. Horng S-J, Vu D-T, Nguyen T-V, et al. : Recognizing Palm Vein in Smartphones Using RGB Images. IEEE Trans. Ind. Informatics. 2022; 18 (9): 5992–6002. Publisher Full Text 82. Shukla S, Varshney G, Singh S, et al. : A Passwordless MFA Utlizing Biometrics, Proximity and Contactless Communication. 83. 
Rayani PK, Changder S: Sensor-based continuous user authentication on smartphone through machine learning. Microprocess. Microsyst. 2023; 96 : 104750. Publisher Full Text 84. Aaby P, Giuffrida MV, Buchanan WJ, et al. : An omnidirectional approach to touch-based continuous authentication. Comput. Secur. 2023; 128 : 103146. Publisher Full Text 85. Moepi GL, Mathonsi TE: Implementation of an Adaptive Five-Factor Authentication Scheme for Online Banking Services in South Africa. IEEE AFRICON Conference. 2023. Publisher Full Text 86. Shakil KA, Zareen FJ, Alam M, et al. : BAMCloud: a cloud based Mobile biometric authentication framework. Multimed. Tools Appl. 2023; 82 (25): 39571–39600. Publisher Full Text 87. Nosrati L, Bidgoli AM, Javadi HHS: Identifying People’s Faces in Smart Banking Systems Using Artificial Neural Networks. Int. J. Comput. Intell. Syst. 2024; 17 (1). Publisher Full Text 88. Anitha K, Vishal JS, Prabakar B, et al. : Enhancing Payment Security: Face Recognition Integration With Razorpay. 2024 2nd International Conference on Artificial Intelligence and Machine Learning Applications Theme: Healthcare and Internet of Things (AIMLA). 2024; pp. 1–6. Publisher Full Text 89. Saba Kockan F, Bolat B: ECG Biometrics on Mobile Devices: High-Accuracy Authentication Using i-Vectors and Cepstral Coefficients. IEEE Access. 2025; 13 (February): 52572–52591. Publisher Full Text 90. Sumalatha U, Prakasha K, Prabhu S, et al. : Multimodal biometric authentication: a novel deep learning framework integrating ECG, fingerprint, and finger knuckle print for high-security applications. Eng. Res. Express. 2025; 7 (1). Publisher Full Text 91. Omoze S, Omaji S, Edegbe GN: Machine Learning-Based Multimodal Biometric Authentication System (Facial and Fingerprint Recognition) for Online Voting Systems.2025; 8 (1): 122–128. 92. Mohamed A, Salama A, Shebka N, et al. : Enhancing Network Access Control using Multi-Modal Biometric Authentication Framework. Eng. Technol. Appl. Sci. Res. 
2025; 15 (1): 20144–20150. Publisher Full Text 93. Achimba T, Okhuoya OJ, Akinyede RO, et al. : University of Ibadan A Robust Biometric Authentication Framework for Access Control.2025; 13 (1): 239–246. 94. Ogbanufe OM, Baham C: Using multi-factor authentication for online account security: Examining the influence of anticipated regret. Inf. Syst. Front. 2023; 25 (2): 897–916. Publisher Full Text 95. Krombholz K, Busse K, Pfeffer K, et al. : If HTTPS Were Secure, I Wouldn’t Need 2FA’ - End User and Administrator Mental Models of HTTPS. 2019 IEEE Symposium on Security and Privacy (SP). 2019; pp. 246–263. Publisher Full Text 96. Chabbi S, Araar C: RFID and NFC authentication protocol for securing a payment transaction. 2022 4th International Conference on Pattern Analysis and Intelligent Systems (PAIS). 2022; pp. 1–8. Publisher Full Text 97. Otta SP, Panda S, Gupta M, et al. : A Systematic Survey of Multi-Factor Authentication for Cloud Infrastructure. Futur. Internet. 2023; 15 (4): 1–20. Publisher Full Text 98. Karim NA, Shukur Z, Al-Banna AM: UIPA: User authentication method based on user interface preferences for account recovery process. J. Inf. Secur. Appl. 2020; 52 : 102466. Publisher Full Text 99. Venugopal H, Viswanath N: A robust and secure authentication mechanism in online banking. 2016 Online International Conference on Green Engineering and Technologies (IC-GET). 2016; pp. 1–3. Publisher Full Text 100. Ferrag MA, Maglaras L, Derhab A, et al. : Authentication schemes for smart mobile devices: threat models, countermeasures, and open research issues. Telecommun. Syst. 2020; 73 (2): 317–348. Publisher Full Text 101. Stanikzai AQ, Shah MA: Evaluation of Cyber Security Threats in Banking Systems. 2021 IEEE Symp. Ser. Comput. Intell. SSCI 2021 - Proc. 2021; (December 2021). Publisher Full Text 102. Shammee TI, Akter T, Mou M, et al. : A Systematic Literature Review of Graphical Password Schemes. J. Comput. Sci. Eng. 2020; 14 (4): 163–185. 
Publisher Full Text 103. Matta P, Pant B: TCpC: a graphical password scheme ensuring authentication for IoT resources. Int. J. Inf. Technol. 2020; 12 (3): 699–709. Publisher Full Text 104. Al-Ghaili AM, Kasim H, Othman M, et al. : QR code based authentication method for IoT applications using three security layers. Telkomnika Telecommunication Comput. Electron. Control. 2020; 18 (4): 2004–2011. Publisher Full Text 105. Khan RH, Miah J: Performance Evaluation of a new one-Time password (OTP) scheme using stochastic petri net (SPN). 2022 IEEE World AI IoT Congr. AIIoT 2022. 2022; (June): pp. 407–412. Publisher Full Text 106. Bairwa AK, Joshi S: Mutual authentication of nodes using session token with fingerprint and MAC address validation. Egypt. Informatics J. 2021; 22 (4): 479–491. Publisher Full Text 107. Dinh NT, Hoang VT: Recent advances of Captcha security analysis: A short literature review. Procedia Comput. Sci. 2022; 218 : 2550–2562. Publisher Full Text 108. Faruk O, Rashid MU: Comparative Analysis of Traditional and Modern Courtyards in Bengal. Bhumi, Plan. Res. J. 2024; 11 (1): 1–35. Publisher Full Text 109. Alabdulatif A, Samarasinghe R, Thilakarathne NN: A Novel Robust Geolocation-Based Multi-Factor Authentication Method for Securing ATM Payment Transactions. Appl. Sci. 2023; 13 (19). Publisher Full Text 110. Sudharshan DP, Vismaya RN: Handwritten Signature Verification System using Deep Learning. IEEE Int. Conf. Data Sci. Inf. Syst. ICDSIS 2022. 2022; 3 (12): 39–44. Publisher Full Text 111. El Gaabouri I, Senhadji M, Belkasmi M, et al. : A Systematic Literature Review on Authentication and Threat Challenges on RFID Based NFC Applications. Futur. Internet. 2023; 15 (11): 1–16. Publisher Full Text 112. Banerjee I, Mookherjee S, Saha S, et al. : Advanced ATM System Using Iris Scanner. 2019 International Conference on Opto-Electronics and Applied Optics (Optronix). 2019; pp. 1–3. Publisher Full Text 113. Wasnik P, Raghavendra R, Raja K, et al. 
: Subjective Logic Based Score Level Fusion: Combining Faces and Fingerprints. 2018 21st Int. Conf. Inf. Fusion, FUSION 2018. 2018; pp. 515–520. Publisher Full Text 114. Ishak M: A Comparative Study on Authentication Strategies of Various Online Banking Platforms Bachelor Thesis Author: Mostafa Hamdy.2021; (June). Publisher Full Text 115. Chai KY, Zolkipli MF: Review on Confidentiality, Integrity and Availability in Information Security. J. ICT Educ. 2021; 8 (2): 34–42. Publisher Full Text 116. Mitchell O, Osazuwa C: Confidentiality, Integrity, and Availability in Network Systems: A Review of Related Literature. Int. J. Innov. Sci. Res. Technol. 2023; 8 (12). Publisher Full Text 117. Huda S, et al. : A secure authentication for plant monitoring system sensor data access. 2024 IEEE International Conference on Consumer Electronics (ICCE). 2024; pp. 1–2. 118. Kshetri N, Rahman MM, Sayeed SA, et al. : cryptoRAN: A Review on Cryptojacking and Ransomware Attacks W.R.T. Banking Industry - Threats, Challenges, & Problems, Proc. - 2nd Int. Conf. Adv. Comput. Comput. Technol. InCACCT 2024. 2024; pp. 523–528. Publisher Full Text 119. Leonov PY, Vorobyev AV, Ezhova AA, et al. : The Main Social Engineering Techniques Aimed at Hacking Information Systems. 2021 Ural Symposium on Biomedical Engineering, Radioelectronics and Information Technology (USBEREIT). 2021; pp. 471–473. Publisher Full Text 120. Grammatikakis KP, Koufos I, Kolokotronis N, et al. : Understanding and mitigating banking trojans: From Zeus to emotet. Proc. 2021 IEEE Int. Conf. Cyber Secur. Resilience, CSR 2021. 2021; (no. July): pp. 121–128. Publisher Full Text 121. Sharma A, Singh SK, Kumar S, et al. : Security of android banking mobile apps: Challenges and opportunities. International conference on cyber security, privacy and networking. 2021; pp. 406–416. 122. Mohammed RM: Payment System Transaction Using Polymorphic.2023; 14 (3): 102–112. 123. 
Kaushik K, Singh V, Manikandan VP: A novel approach for an automated advanced MITM attack on IoT networks. International Conference on Advancements in Interdisciplinary Research. 2022; pp. 60–71. 124. Ohm M, Plate H, Sykosch A, et al. : Backstabber’ s Knife Collection: A Review Chain Attacks. Springer International Publishing; 2020; vol. 1 . . Publisher Full Text 125. Al-Shareeda MA, Manickam S, Laghari SA, et al. : Replay-Attack Detection and Prevention Mechanism in Industry 4.0 Landscape for Secure SECS/GEM Communications. Sustain. 2022; 14 (23). Publisher Full Text 126. Wu Y, et al. : Attacks and countermeasures on privacy-preserving biometric authentication schemes. IEEE Trans. Dependable Secur. Comput. 2022; 20 (2): 1744–1755. 127. Shrestha P, Saxena N: Hacksaw: Biometric-free non-stop web authentication in an emerging world of wearables. WiSec 2020 - Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks. 2020; pp. 13–24. Publisher Full Text 128. Salahdine F, Kaabouch N: Social engineering attacks: A survey. Futur. Internet. 2019; 11 (4). Publisher Full Text 129. Jullian O, Otero B, Rodriguez E, et al. : Deep-Learning Based Detection for Cyber-Attacks in IoT Networks: A Distributed Attack Detection Framework. J. Netw. Syst. Manag. 2023; 31 (2): 1–24. Publisher Full Text 130. Alghawazi M, Alghazzawi D, Alarifi S: Detection of SQL Injection Attack Using Machine Learning Techniques: A Systematic Literature Review. J. Cybersecurity Priv. 2022; 2 (4): 764–777. Publisher Full Text 131. AI Dabagh N, Mahmood MS: Multilevel Database Security for Android Using Fast Encryption Methods. AL-Rafidain J. Comput. Sci. Math. 2022; 16 (1): 87–96. Publisher Full Text 132. Bodepudi A, Reddy M: Spoofing Attacks and Mitigation Strategies in Biometrics-as-a-Service Systems. Eig. Rev. Sci. Technol. 2020; 4 (1): 1–14. Reference Source 133. Hwang WS, Shon JG, Park JS: Web Session Hijacking Defense Technique Using User Information. 
Human-centric Comput. Inf. Sci. 2022; 12 . Publisher Full Text 134. Gazzan M, Sheldon FT: Opportunities for Early Detection and Prediction of Ransomware Attacks against Industrial Control Systems. Futur. Internet. 2023; 15 (4): 1–18. Publisher Full Text 135. Mallik A, Ahsan A, Shahadat MMZ, et al. : Man-in-the-middle-attack: Understanding in simple words. Int. J. Data Netw. Sci. 2019; 3 (2): 77–92. Publisher Full Text 136. Fereidouni H: IoT and Man-in-the-Middle Attacks.2025. Publisher Full Text 137. Sharma P, Dash B, Ansari MF: Anti-Phishing Techniques – A Review of Cyber Defense Mechanisms. IJARCCE. 2022; 11 (7): 153–160. Publisher Full Text 138. Snober MA, Droos A, Al-Haija QA: Prevention of phishing website attacks in online banking systems using visual cryptography. 6th Smart Cities Symposium (SCS 2022). 2022; pp. 168–173. Publisher Full Text 139. Syafitri W, Shukur Z, Mokhtar UA, et al. : Social Engineering Attacks Prevention: A Systematic Literature Review. IEEE Access. 2022; 10 : 39325–39343. Publisher Full Text 140. Abu Hweidi RF, Eleyan D: Social Engineering Attack concepts, frameworks, and Awareness: A Systematic Literature Review. Int. J. Comput. Digit. Syst. 2023; 13 (1): 691–700. Publisher Full Text 141. Singh A, Choudhary P, Singh AK, et al. : Keylogger Detection and Prevention. J. Phys. Conf. Ser. 2007; 2007 : 012005. Publisher Full Text 142. Choudhary P, Das S, Potta MP, et al. : Online Authentication Habits of Indian Users. 2024 Conference on Building a Secure & Empowered Cyberspace (BuildSEC). 2024; pp. 66–73. Publisher Full Text 143. Lee K, Sjöberg S, Narayanan A: Password policies of most top websites fail to follow best practices. Proc. 18th Symp. Usable Priv. Secur. SOUPS 2022. 2022; (Soups): pp. 561–580. 144. Revathy P, Belshia Jebamalar G: A review based on secure banking application against server attacks. Adv. Parallel Comput. 2021; 38 : 241–245. Publisher Full Text 145. 
Vaka V, Lindskog D, Zavarsky P: Enhancing of biometric authentication with pass strings and cryptographic checksums. 2016 4th International Symposium on Digital Forensic and Security (ISDFS). 2016; p. 170. Publisher Full Text 146. Gilad Y, Herzberg A, Shulman H: Off-path hacking: The illusion of challenge-response authentication. IEEE Secur. Priv. 2014; 12 (5): 68–77. Publisher Full Text 147. Nosrati L, Bidgoli AM, Javadi HHS: Machine Learning and Metaheuristic Algorithms for Voice-Based Authentication: A Mobile Banking Case Study. Int. J. Comput. Intell. Syst. 2024; 17 (1). Publisher Full Text 148. Wodo W, Stygar D: PSD2 Compliant Hardware Token for Digital Banking. 2021 62nd International Scientific Conference on Information Technology and Management Science of Riga Technical University (ITMS). 2021; pp. 1–6. Publisher Full Text 149. Chen J: An analysis on the comprehensive risk management of Barclays Bank.2024. Reference Source 150. Nawaz T, Ohlrogge O: Clarifying the impact of corporate governance and intellectual capital on financial performance: A longitudinal study of Deutsche Bank (1957–2019). Int. J. Financ. Econ. 2023; 28 (4): 3808–3823. Publisher Full Text 151. Sijan MAH, Shahoriar A, Salimullah M, et al. : A review on e-banking security in Bangladesh: An empirical study. Proceedings of the 2nd international conference on computing advancements. 2022; pp. 330–336. 152. Fong JL, Kornitsky MB, Song Y: Leveraging a Three-Tier Architecture to Restrict Direct Database Access from BNP Paribas’ Internal Applications.2019. Reference Source 153. Samonte MJC, Callejo JK, Lumbera DCN, et al. : Mitigating Vishing in Digital Banking Through Caller Authentication and Verification Technologies. 2024 14th International Conference on Software Technology and Engineering (ICSTE). 2024; pp. 102–108. 154. Ramya S, Sheeba R, Aravind P, et al. : Face Biometric Authentication System for ATM using Deep Learning. 
2022 6th International Conference on Intelligent Computing and Control Systems (ICICCS). 2022; pp. 1446–1451. Publisher Full Text 155. Issue V, Chitai W, Wangari L, et al. : International Journal of Finance and Accounting ISSN 2518-4113 (online) E-Banking Strategies and Financial Performance of Commercial Banks in Kenya International Journal of Finance and Accounting ISSN 2518-4113 (online).2024; 9 (2): 62–80. 156. Marasco E, Albanese M, Patibandla VVR, et al. : Biometric multi-factor authentication: On the usability of the FingerPIN scheme. Secur. Priv. 2023; 6 (1): 1–14. Publisher Full Text 157. Ahmad M, et al. : Security, usability, and biometric authentication scheme for electronic voting using multiple keys. Int. J. Distrib. Sens. Networks. 2020; 16 (7): 155014772094402. Publisher Full Text 158. Mróz-Gorgoń B, Wodo W, Andrych A, et al. : Biometrics Innovation and Payment Sector Perception. Sustain. 2022; 14 (15): 1–23. Publisher Full Text 159. Bastan M, Hasani N, Salimi B, et al. : A Systematic Framework for Meet the Challenges of Artificial Intelligence Banking.2024; (October). Publisher Full Text 160. Khan MH: The Impact of AI on the Media Industry. DiVA portal. 2023; 1 (1): 1–52. 161. Botunac I, Parlov N, Bosna J: Opportunities of Gen AI in the Banking Industry with regards to the AI Act, GDPR, Data Act and DORA. 2024 13th Mediterr. Conf. Embed. Comput. MECO 2024. 2024; (July): pp. 1–6. Publisher Full Text 162. Michael K, Abbas R, Jayashree P, et al. : Biometrics and AI Bias. IEEE Trans. Technol. Soc. 2022; 3 (1): 2–8. Publisher Full Text 163. Rabhi M, Bakiras S, Di Pietro R: Audio-deepfake detection: Adversarial attacks and countermeasures. Expert Syst. Appl. 2024; 250 (January): 123941. Publisher Full Text 164. Li Y, Cheng M, Hsieh CJ, et al. : A Review of Adversarial Attack and Defense for Classification Methods. Am. Stat. 2022; 76 (4): 329–345. Publisher Full Text 165. Agarwal S, Farid H: Detecting deep-fake videos from aural and oral dynamics. 
IEEE Comput. Soc. Conf. Comput. Vis. Pattern Recognit. Work. 2021; pp. 981–989. Publisher Full Text 166. Naitali A, Ridouani M, Salahdine F, et al. : Deepfake Attacks: Generation, Detection, Datasets, Challenges, and Research Directions. Computers. 2023; 12 (10): 1–26. Publisher Full Text 167. Hussain ZF, Ibraheem HR: Novel Convolutional Neural Networks based Jaya algorithm Approach for Accurate Deepfake Video Detection. Mesopotamian J. CyberSecurity. 2023; 2023 : 35–39. Publisher Full Text 168. Ismail S, Alkawaz MH, Kumar AE: Quick Response Code Validation and Phishing Detection Tool. 2021 IEEE 11th IEEE Symposium on Computer Applications & Industrial Electronics (ISCAIE). 2021; pp. 261–266. Publisher Full Text 169. Al-Kateb GE, Khaleel I, Aljanabi M: CryptoGenSec: A Hybrid Generative AI Algorithm for Dynamic Cryptographic Cyber Defence. Mesopotamian J. CyberSecurity. 2024; 4 (3): 150–163. Publisher Full Text 170. Ahmed SJ, Taha DB: Machine Learning for Software Vulnerability Detection: A Survey. 2022 8th International Conference on Contemporary Information Technology and Mathematics (ICCITM). 2022; pp. 66–72. Publisher Full Text 171. Balasubramaniam N, Kauppinen M, Rannisto A, et al. : Transparency and explainability of AI systems: From ethical guidelines to requirements. Inf. Softw. Technol. 2023; 159 : 107197. Publisher Full Text 172. Ehsan U, Liao QV, Muller M, et al. : Expanding explainability: Towards social transparency in ai systems. Conf. Hum. Factors Comput. Syst. - Proc. 2021. Publisher Full Text 173. Muhammad U, Hoque MZ, Oussalah M, et al. : Deep Ensemble Learning with Frame Skipping for Face Anti-Spoofing. 2023 Twelfth International Conference on Image Processing Theory, Tools and Applications (IPTA). 2023; pp. 1–6. Publisher Full Text 174. Hussein MKH, Ucan ON: 3D Face Anti-Spoofing With Dense Squeeze and Excitation Network and Neighborhood-Aware Kernel Adaptation Scheme. IEEE Access. 2025; 13 (March): 43145–43167. Publisher Full Text 175. 
Liang S, Nguyen HH, Ikehata S, et al. : 3D Morphable Master Face: Towards Controllable Wolf Attacks Against 2D and 3D Face Recognition Systems.2025; (February). Publisher Full Text 176. Mao W, Zhao Y, Pavlenko P, et al. : Innovative Solutions for Worn Fingerprints: A Comparative Analysis of Traditional Fingerprint Impression and 3D Printing. Sensors. 2024; 24 (8). PubMed Abstract | Publisher Full Text | Free Full Text 177. Lim CY, Markus C, Loh TP: Precision verification: Effect of experiment design on false acceptance and false rejection rates. Am. J. Clin. Pathol. 2021; 156 (6): 1058–1067. PubMed Abstract | Publisher Full Text 178. Agboola TO, Adegede J, Jacob JG: Balancing Usability and Security in Secure System Design: A Comprehensive Study on Principles, Implementation, and Impact on Usability. Int. J. Comput. Sci. Res. 2024; 8 : 2995–3009. Publisher Full Text 179. Akinlade EO, Adeleye EO: Designing a secure interactive system: balancing the conflict between security, usability, and functionality. Researchgate. Net. Reference Source 180. Naji H: PRISMA 2020 Checklist, Flow Diagram, and Extracted Dataset for ‘A Systematic Literature Review on Biometric Authentication in Mobile Banking’. Zenodo. 2025. 
Publisher Full Text Author details 1 Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Nineveh Governorate, Iraq 2 Computer Science, Tikrit University College of Computer Science and Mathematics, Tikrit, Saladin Governorate, Iraq 3 Cybersecurity, University of Mosul College of Computer Sciences and Mathematics, Mosul, Nineveh Governorate, Iraq Hasan Naji Ali Roles: Formal Analysis, Funding Acquisition, Methodology, Resources, Visualization, Writing – Original Draft Preparation SUFYAN SALIM MAHMOOD AL-Dabbagh Roles: Validation, Writing – Review & Editing Competing interests No competing interests were disclosed. Grant information The author(s) declared that no grants were involved in supporting this work. Article Versions (2) version 2 Revised Published: 07 May 2026, 15:5 https://doi.org/10.12688/f1000research.173855.2 version 1 Published: 06 Jan 2026, 15:5 https://doi.org/10.12688/f1000research.173855.1 Copyright © 2026 Naji Ali H and SALIM MAHMOOD AL-Dabbagh S. This is an open access article distributed under the terms of the Creative Commons Attribution License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. how to cite this article Naji Ali H and SALIM MAHMOOD AL-Dabbagh S. A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . 
F1000Research 2026, 15 :5 ( https://doi.org/10.12688/f1000research.173855.1 ) NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article. Open Peer Review Key to Reviewer Statuses Approved The paper is scientifically sound in its current form and only minor, if any, improvements are suggested Approved with reservations A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit. Not approved Fundamental flaws in the paper seriously undermine the findings and conclusions Version 1 PUBLISHED 06 Jan 2026 How to cite this report: Wodo W. Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . F1000Research 2026, 15 :5 ( https://doi.org/10.5256/f1000research.191708.r450385 ) The direct URL for this report is: https://f1000research.com/articles/15-5/v1#referee-response-450385 NOTE: it is important to ensure the information in square brackets after the title is included in this citation. Reviewer Report 14 Feb 2026 Wojciech Wodo , Wroclaw University of Science and Technology, Wroclaw, Poland Not Approved https://doi.org/10.5256/f1000research.191708.r450385 
Continue reading READ ALL In my opinion, preparing the review paper is quite a challenging task, usually much more demanding than a regular research article, as it requires an extensive knowledge of the domain, a deep understanding of details, nuances, and a broad perspective of the described area. The contribution of the review paper is sometimes hard to grasp; it requires an in-depth analysis of the state-of-the-art literature and often internal (not publicly available) industry or business practices and the rationale behind them. To provide a vital contribution to the public, the author of the review paper should demonstrate a comprehensive understanding not only of the technology used but also of regulatory frameworks, compliance issues, as well as industrial or business-specific conditions. SOME BASIC INFORMATION ABOUT THE PAPER According to the authors the scope of the paper is: This systematic literature review based on PRISMA methodology, which covers studies from 2020 to 2025, provides a critical review of biometric authentication methods used in mobile banking. Reviewer’s remark: Regarding methodology, authors decided to search four databases: ScienceDirect, Scopus, IEEE, and Google Scholar in order to select papers for analysis. The whole process of selection and eligibility criteria as well as exclusion/inclusion approach was clearly presented. However, in my perspective this extremely important step is flawed by design, because authors limited themselves from the very beginning in learning insights from the industry/business perspective by excluding white papers, technical reports/notes, or from in-depth analysis presented in theses or book chapters. I cannot find any justification for such an approach in the paper and I find it restrictive to the study. Objectives are: 1. An analysis of the existing approaches, security risks and implementation practices adopted by major banks across the world. 2. 
A detailed overview of the current advances, key issues, and emerging research directions, which will give valuable insight to the development of secure and easy-to-use authentication systems in mobile banking. Reviewer’s remark: The motivation is somewhat unclear to me; the authors claimed that they did not find a systematic literature review that focused specifically on the uses of BBA in mobile banking. However, the mere fact that no study exists should not be an end in itself for preparing one. The authors did not clearly state what motivated them to take up this topic and what their main idea and goal for the study was. All information is very generic and superficial in this regard. We can find information that they wanted to analyze biometric authentication methods, but we do not know why. Intended audience: The present manuscript is aimed at a wide audience of both academic researchers and industry practitioners. Reviewer’s remark: I cannot agree with the authors in this regard; after my evaluation I would say that the paper targets students or entry-level professionals and serves as educational material, or introductory material for getting oriented in the fundamentals of the described domain. The authors stated five main research questions: 1. Which biometric authentication methods are currently used in mobile banking systems? 2. What are the main security threats and vulnerabilities affecting biometric authentication in mobile banking? 3. How do major banks worldwide implement and integrate biometric authentication into their mobile banking applications? 4. What is the key usability, privacy, and user acceptance challenges related to biometric authentication in mobile banking? 5. What are the limitations and future research directions in improving biometric-based authentication for secure and convenient mobile banking? 
REVIEWER’S EVALUATION The paper tackles an undeniably important and interesting topic, and the authors demonstrate a transparent methodology of work, selecting multiple papers for analysis. The structure of the review is easy to follow, and there are formulated research questions and appropriate sections. The attached exhibits and tables are prepared in a neat manner. I have no objections to the formal or editorial aspects of the work; however, I have some substantial reservations about its essential content and the way of presenting the results and insights of the study. Major remarks: 1. One cannot elaborate on financial or payment market as a homogenous one, as there are different regulatory frameworks on risk, payments, identity management, AI or personal data protection that should be considered when applying technological solutions. These issues tremendously impact the bank and payment industry. Discussion on security mechanisms used in banking should consider wider context of regulatory domain, market maturity and users’ experience. For instance, according to PSD2 and the accompanying RTS, introducing SCA (Strong Customer Authentication) for a wide range of financial transactions is mandatory since the directive came into force in 2019 in the European Union market. The scope of the regulation tackles not only strengthening the authentication by enforcing 2FA mechanisms but also OTP binding with transaction data and time validity, so that we can achieve the so-called "dynamic linking" property and expiration time of the token. 2. Presentation Attacks and Injection Attacks are very powerful threats for biometric-based systems these days, and with the aid of AI, they are even more dangerous, as it is challenging to differentiate the genuine identity from the impostor. The authors claimed for instance that: “Biometrics offer very high resistance against replication and remain difficult to counterfeit” (page 7) which is clearly incorrect. 
Almost every vendor of eKYC solutions for the high-risk industry, like banking or gambling, faces this issue. NIST is running a project on Face Analysis Technology Evaluation (FATE), one area of which is PAD (Presentation Attack Detection) - https://pages.nist.gov/frvt/html/frvt_pad.html , where the best of the best players in the market compete and are still not good enough at detecting fraud. 3. The paper contains a multitude of basic definitions and explanations of concepts that are obvious in the world of computer security. The paragraphs devoted to individual cybersecurity risks are very short and superficial. 4. The criteria for selecting the banks included in the study are unknown, and relying solely on information obtained from a literature review may, in this case, result in an incomplete or inaccurate picture of the security solutions and challenges in individual banks. In my opinion, it would be necessary to verify/ensure that the information presented reflects the actual state of affairs. Minor remarks: 1. Regarding the Introduction section and the BBA bullet point, it would be vital to mention "cancelable biometrics" approaches there. 2. The information provided in Table 3 is too short to be useful; a reader who has not read the cited paper cannot grasp the essence of the solutions. 3. Figure 5 or Table 4 are fancy, but not meaningful; there is no vital data provided through them. 4. Table 5 requires some editorial work – e.g. wrong spacing. 5. In Table 6 a lot of data is neither available nor applicable. 6. What is the aim of presenting data in Table 8 and Table 9? CONCLUSION OF THE REVIEW The study fails to provide high-level insights on the presented subject; there is no vital contribution from the authors in building the wider context for the examined area and in drawing out meaningful takeaways. The presented material is a well-done scrutiny job rather than an in-depth analysis and synthesis of general and more abstract results. 
The reader can find the answers to the questions What? and sometimes How?, but the questions Why? and So what? are not addressed. Almost all of the included exhibits are a reflection of the information provided in the text, without any additional value to the reader - more for aesthetic effect. Despite an undeniable load of work done by the authors, the submitted manuscript can be treated as preliminary work rather than as ready to go, and in my view, it is not suitable for publication in such a form. It requires additional layers of processing of the gathered data and of formulating conclusions and generalizations. Source selection should also be extended by previously excluded types of bibliographic items, such as industry/business whitepapers, technical reports/notes, or theses and book chapters, as well as legal acts or international standards containing extremely important data and insights and providing necessary context for the elaborated area. My general impression is that the paper lacks a specific leading angle from which to look at the area of interest. Analyzing the material through a “specific and more in-depth perspective” would allow for interesting conclusions and observations that would be more concrete and specific and more interesting to the audience. Are the rationale for, and objectives of, the Systematic Review clearly stated? Partly Are sufficient details of the methods and analysis provided to allow replication by others? Yes Is the statistical analysis and its interpretation appropriate? No Are the conclusions drawn adequately supported by the results presented in the review? Partly If this is a Living Systematic Review, is the ‘living’ method appropriate and is the search schedule clearly defined and justified? (‘Living Systematic Review’ or a variation of this term should be included in the title.) No Competing Interests: No competing interests were disclosed.
Reviewer Expertise: cybersecurity, biometrics, digital identity, electronic & mobile banking security I confirm that I have read this submission and believe that I have an appropriate level of expertise to state that I do not consider it to be of an acceptable scientific standard, for reasons outlined above. HOW TO CITE THIS REPORT Wodo W. Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . F1000Research 2026, 15 :5 ( https://doi.org/10.5256/f1000research.191708.r450385 ) The direct URL for this report is: https://f1000research.com/articles/15-5/v1#referee-response-450385 NOTE: it is important to ensure the information in square brackets after the title is included in all citations of this article. Author Response 07 May 2026 Hasan Naji , Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq Response to Reviewer We sincerely thank the reviewer for the careful reading of our manuscript and for the detailed, thoughtful, and constructive comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. We are especially grateful for the reviewer’s emphasis on the need for stronger contextualization, deeper synthesis, and clearer articulation of the practical significance of the review. We have carefully considered these comments and revised the manuscript accordingly, while also acknowledging certain scope limitations of the present study. Our point-by-point responses are provided below.
Major Comment 1: The paper does not sufficiently consider the wider regulatory, compliance, and market context; banking and payment markets are not homogeneous, and frameworks such as PSD2/SCA should be considered. Response: Thank you for this important observation. We agree that regulatory and compliance frameworks play a major role in shaping authentication practices in banking and payment systems, and that the financial sector cannot be treated as fully homogeneous across jurisdictions. In the revised manuscript, we strengthened the discussion of real-world implementation by more explicitly linking authentication practices to practical banking deployment conditions and by expanding the discussion of security–usability trade-offs in operational settings. We also acknowledge that a deeper comparative treatment of jurisdiction-specific regulatory frameworks, such as PSD2/SCA and related compliance requirements, would further strengthen the broader contextual framing. We therefore recognize this as an important direction for future extension of the review and as a limitation of the current study’s scope. Major Comment 2: The manuscript underestimates the seriousness of presentation and injection attacks, particularly in the AI era, and some statements about biometric resistance to counterfeiting are too strong. Response: We thank the reviewer for highlighting this point. We agree that presentation attacks and related spoofing threats are among the most critical challenges facing biometric systems in contemporary high-risk sectors such as banking. In response, we revised the manuscript to place greater emphasis on spoofing resistance, liveness detection, and the limitations of reported biometric performance. 
In particular, the revised quantitative discussion now clarifies that performance results are often difficult to generalize across real-world deployment conditions and that only a limited number of reviewed studies explicitly evaluated presentation attack detection or spoofing resistance. We also carefully reconsidered overly broad wording regarding biometric resistance to replication and recognize the reviewer’s point that such statements must be qualified in light of current attack capabilities. Major Comment 3: The paper contains too many basic definitions and some cybersecurity risk discussions are short and superficial. Response: Thank you for this observation. We understand the reviewer’s concern and acknowledge that the manuscript includes foundational explanatory material intended to make the review accessible to a broad readership. At the same time, we appreciate that for expert readers, some of these sections may appear introductory. In the revised version, we sought to improve the analytical depth of the manuscript by strengthening the synthesis sections, especially in relation to quantitative findings, implementation practices, and practical implications. We also recognize that further tightening of basic explanatory material and additional expansion of higher-level synthesis could improve the manuscript further, and we appreciate this guidance. Major Comment 4: The criteria for selecting the banks are unclear, and relying only on literature sources may not fully reflect actual banking practices. Response: We appreciate this important point. The bank-related analysis in the manuscript was intended as an illustrative synthesis of practices reported in the reviewed and cited sources, rather than as a definitive audit of the currently deployed security architecture of each institution. We agree that real-world banking implementation may evolve rapidly and may not always be fully captured in academic literature alone. 
In the revised manuscript, we improved the framing of this section to better reflect its interpretive purpose and to avoid overstating the completeness of the bank comparison. We also acknowledge that future work would benefit from expanding the evidence base to include additional industry and regulatory sources where appropriate. Major Comment 5: The rationale and motivation are not sufficiently clear, and the paper does not adequately answer the questions Why? and So what? Response: Thank you for this valuable comment. We took this concern seriously. In response, we strengthened the manuscript’s framing by clarifying that the purpose of the review is not merely to catalogue biometric methods, but to synthesize how biometric authentication is being used in mobile banking, what practical limitations remain, where current evidence is methodologically uneven, and which approaches appear most relevant for secure and usable deployment. We also strengthened the conclusion so that the review more clearly communicates the practical significance of the findings, particularly the observation that real-world banking practice increasingly favors layered and adaptive authentication rather than reliance on a single biometric factor. Major Comment 6: Source selection should be expanded to include white papers, technical reports, theses, book chapters, legal acts, standards, and related materials. Response: We appreciate this suggestion and agree that such sources can provide valuable insight, especially for industry practices, regulatory interpretation, and deployment realities. However, in the present review, we intentionally limited the formal evidence base to English-language journal and conference publications in order to maintain a more consistent and transparent selection framework under the chosen systematic review methodology. We acknowledge that this decision narrows the scope of the review and may exclude valuable non-traditional or industry-oriented sources. 
We have therefore treated this issue more explicitly as a limitation of the present study and agree that future reviews could usefully adopt a broader evidence strategy incorporating regulatory, industrial, and technical documentation. Minor Comment 1: Cancelable biometrics should be mentioned in the Introduction. Response: Thank you for this helpful suggestion. We agree that cancelable biometrics are relevant in the broader privacy and security discussion of biometric systems, particularly because they address the problem of revocability when biometric templates are compromised. We appreciate the value of this point and recognize it as an important concept for strengthening the introductory framing. Minor Comment 2: Table 3 is too brief to be useful. Response: We appreciate this comment. Table 3 was designed to provide a concise overview of the reviewed studies and their core focus areas rather than a full technical exposition of each method. However, we understand the reviewer’s concern that brevity may reduce interpretive value for readers. In the revised manuscript, we sought to strengthen the surrounding synthesis so that the table functions more clearly as a reference aid within a broader analytical discussion. Minor Comment 3: Figure 5 and Table 4 are visually appealing but not very meaningful. Response: Thank you for this observation. The intention of Figure 5 and Table 4 was to organize and visualize the diversity of authentication combinations reported across the literature, especially the interplay between biometric, knowledge-based, possession-based, and hybrid approaches. We acknowledge, however, that their analytical value depends on clear integration with the discussion. In the revised manuscript, we worked to improve that integration and appreciate the reviewer’s comment regarding the importance of ensuring that visual elements contribute interpretive value beyond presentation. Minor Comment 4: Table 5 requires editorial refinement. 
Response: Thank you. We appreciate this observation and carefully reviewed the manuscript for editorial consistency, including tabular formatting. Minor Comment 5: Much of the data in Table 6 is unavailable or not applicable. Response: We agree that this is an important limitation. Table 6 was included precisely to make visible the inconsistency and incompleteness of reporting across the reviewed literature. In the revised text, we more explicitly state that incomplete reporting of FAR, FRR, EER, liveness evaluation, and spoofing resistance is itself an important finding of the review and one of the reasons why stronger standardization is needed in future primary studies. Minor Comment 6: The purpose of Table 8 and Table 9 is unclear. Response: Thank you for raising this point. The purpose of these tables was to connect the academic literature with practical banking deployment patterns and to illustrate which biometric approaches appear most visible in major banking contexts. In the revised manuscript, we clarified this linkage more explicitly, particularly in the discussion of how banks balance usability and security by embedding biometrics within broader MFA strategies rather than using them in isolation. We once again thank the reviewer for the detailed and thought-provoking feedback. The comments helped us identify important areas where the manuscript required stronger synthesis, clearer framing, and more careful qualification of its claims. We believe that the revisions have significantly improved the clarity, depth, and practical relevance of the review. Response to Reviewer We sincerely thank the reviewer for the careful reading of our manuscript and for the detailed, thoughtful, and constructive comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. 
We are especially grateful for the reviewer’s emphasis on the need for stronger contextualization, deeper synthesis, and clearer articulation of the practical significance of the review. We have carefully considered these comments and revised the manuscript accordingly, while also acknowledging certain scope limitations of the present study. Our point-by-point responses are provided below. Major Comment 1: The paper does not sufficiently consider the wider regulatory, compliance, and market context; banking and payment markets are not homogeneous, and frameworks such as PSD2/SCA should be considered. Response: Thank you for this important observation. We agree that regulatory and compliance frameworks play a major role in shaping authentication practices in banking and payment systems, and that the financial sector cannot be treated as fully homogeneous across jurisdictions. In the revised manuscript, we strengthened the discussion of real-world implementation by more explicitly linking authentication practices to practical banking deployment conditions and by expanding the discussion of security–usability trade-offs in operational settings. We also acknowledge that a deeper comparative treatment of jurisdiction-specific regulatory frameworks, such as PSD2/SCA and related compliance requirements, would further strengthen the broader contextual framing. We therefore recognize this as an important direction for future extension of the review and as a limitation of the current study’s scope. Major Comment 2: The manuscript underestimates the seriousness of presentation and injection attacks, particularly in the AI era, and some statements about biometric resistance to counterfeiting are too strong. Response: We thank the reviewer for highlighting this point. We agree that presentation attacks and related spoofing threats are among the most critical challenges facing biometric systems in contemporary high-risk sectors such as banking. 
In response, we revised the manuscript to place greater emphasis on spoofing resistance, liveness detection, and the limitations of reported biometric performance. In particular, the revised quantitative discussion now clarifies that performance results are often difficult to generalize across real-world deployment conditions and that only a limited number of reviewed studies explicitly evaluated presentation attack detection or spoofing resistance. We also carefully reconsidered overly broad wording regarding biometric resistance to replication and recognize the reviewer’s point that such statements must be qualified in light of current attack capabilities. Major Comment 3: The paper contains too many basic definitions and some cybersecurity risk discussions are short and superficial. Response: Thank you for this observation. We understand the reviewer’s concern and acknowledge that the manuscript includes foundational explanatory material intended to make the review accessible to a broad readership. At the same time, we appreciate that for expert readers, some of these sections may appear introductory. In the revised version, we sought to improve the analytical depth of the manuscript by strengthening the synthesis sections, especially in relation to quantitative findings, implementation practices, and practical implications. We also recognize that further tightening of basic explanatory material and additional expansion of higher-level synthesis could improve the manuscript further, and we appreciate this guidance. Major Comment 4: The criteria for selecting the banks are unclear, and relying only on literature sources may not fully reflect actual banking practices. Response: We appreciate this important point. The bank-related analysis in the manuscript was intended as an illustrative synthesis of practices reported in the reviewed and cited sources, rather than as a definitive audit of the currently deployed security architecture of each institution. 
We agree that real-world banking implementation may evolve rapidly and may not always be fully captured in academic literature alone. In the revised manuscript, we improved the framing of this section to better reflect its interpretive purpose and to avoid overstating the completeness of the bank comparison. We also acknowledge that future work would benefit from expanding the evidence base to include additional industry and regulatory sources where appropriate. Major Comment 5: The rationale and motivation are not sufficiently clear, and the paper does not adequately answer the questions Why? and So what? Response: Thank you for this valuable comment. We took this concern seriously. In response, we strengthened the manuscript’s framing by clarifying that the purpose of the review is not merely to catalogue biometric methods, but to synthesize how biometric authentication is being used in mobile banking, what practical limitations remain, where current evidence is methodologically uneven, and which approaches appear most relevant for secure and usable deployment. We also strengthened the conclusion so that the review more clearly communicates the practical significance of the findings, particularly the observation that real-world banking practice increasingly favors layered and adaptive authentication rather than reliance on a single biometric factor. Major Comment 6: Source selection should be expanded to include white papers, technical reports, theses, book chapters, legal acts, standards, and related materials. Response: We appreciate this suggestion and agree that such sources can provide valuable insight, especially for industry practices, regulatory interpretation, and deployment realities. However, in the present review, we intentionally limited the formal evidence base to English-language journal and conference publications in order to maintain a more consistent and transparent selection framework under the chosen systematic review methodology. 
We acknowledge that this decision narrows the scope of the review and may exclude valuable non-traditional or industry-oriented sources. We have therefore treated this issue more explicitly as a limitation of the present study and agree that future reviews could usefully adopt a broader evidence strategy incorporating regulatory, industrial, and technical documentation. Minor Comment 1: Cancelable biometrics should be mentioned in the Introduction. Response: Thank you for this helpful suggestion. We agree that cancelable biometrics are relevant in the broader privacy and security discussion of biometric systems, particularly because they address the problem of revocability when biometric templates are compromised. We appreciate the value of this point and recognize it as an important concept for strengthening the introductory framing. Minor Comment 2: Table 3 is too brief to be useful. Response: We appreciate this comment. Table 3 was designed to provide a concise overview of the reviewed studies and their core focus areas rather than a full technical exposition of each method. However, we understand the reviewer’s concern that brevity may reduce interpretive value for readers. In the revised manuscript, we sought to strengthen the surrounding synthesis so that the table functions more clearly as a reference aid within a broader analytical discussion. Minor Comment 3: Figure 5 and Table 4 are visually appealing but not very meaningful. Response: Thank you for this observation. The intention of Figure 5 and Table 4 was to organize and visualize the diversity of authentication combinations reported across the literature, especially the interplay between biometric, knowledge-based, possession-based, and hybrid approaches. We acknowledge, however, that their analytical value depends on clear integration with the discussion. 
In the revised manuscript, we worked to improve that integration and appreciate the reviewer’s comment regarding the importance of ensuring that visual elements contribute interpretive value beyond presentation. Minor Comment 4: Table 5 requires editorial refinement. Response: Thank you. We appreciate this observation and carefully reviewed the manuscript for editorial consistency, including tabular formatting. Minor Comment 5: Much of the data in Table 6 is unavailable or not applicable. Response: We agree that this is an important limitation. Table 6 was included precisely to make visible the inconsistency and incompleteness of reporting across the reviewed literature. In the revised text, we more explicitly state that incomplete reporting of FAR, FRR, EER, liveness evaluation, and spoofing resistance is itself an important finding of the review and one of the reasons why stronger standardization is needed in future primary studies. Minor Comment 6: The purpose of Table 8 and Table 9 is unclear. Response: Thank you for raising this point. The purpose of these tables was to connect the academic literature with practical banking deployment patterns and to illustrate which biometric approaches appear most visible in major banking contexts. In the revised manuscript, we clarified this linkage more explicitly, particularly in the discussion of how banks balance usability and security by embedding biometrics within broader MFA strategies rather than using them in isolation. We once again thank the reviewer for the detailed and thought-provoking feedback. The comments helped us identify important areas where the manuscript required stronger synthesis, clearer framing, and more careful qualification of its claims. We believe that the revisions have significantly improved the clarity, depth, and practical relevance of the review. Competing Interests: No competing interests were disclosed. 
COMMENTS ON THIS REPORT Author Response 07 May 2026 Hasan Naji , Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq Response to Reviewer We sincerely thank the reviewer for the careful reading of our manuscript and for the detailed, thoughtful, and constructive comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. We are especially grateful for the reviewer’s emphasis on the need for stronger contextualization, deeper synthesis, and clearer articulation of the practical significance of the review. We have carefully considered these comments and revised the manuscript accordingly, while also acknowledging certain scope limitations of the present study. Our point-by-point responses are provided below. Major Comment 1: The paper does not sufficiently consider the wider regulatory, compliance, and market context; banking and payment markets are not homogeneous, and frameworks such as PSD2/SCA should be considered. Response: Thank you for this important observation. We agree that regulatory and compliance frameworks play a major role in shaping authentication practices in banking and payment systems, and that the financial sector cannot be treated as fully homogeneous across jurisdictions. In the revised manuscript, we strengthened the discussion of real-world implementation by more explicitly linking authentication practices to practical banking deployment conditions and by expanding the discussion of security–usability trade-offs in operational settings.
We also acknowledge that a deeper comparative treatment of jurisdiction-specific regulatory frameworks, such as PSD2/SCA and related compliance requirements, would further strengthen the broader contextual framing. We therefore recognize this as an important direction for future extension of the review and as a limitation of the current study’s scope. Major Comment 2: The manuscript underestimates the seriousness of presentation and injection attacks, particularly in the AI era, and some statements about biometric resistance to counterfeiting are too strong. Response: We thank the reviewer for highlighting this point. We agree that presentation attacks and related spoofing threats are among the most critical challenges facing biometric systems in contemporary high-risk sectors such as banking. In response, we revised the manuscript to place greater emphasis on spoofing resistance, liveness detection, and the limitations of reported biometric performance. In particular, the revised quantitative discussion now clarifies that performance results are often difficult to generalize across real-world deployment conditions and that only a limited number of reviewed studies explicitly evaluated presentation attack detection or spoofing resistance. We also carefully reconsidered overly broad wording regarding biometric resistance to replication and recognize the reviewer’s point that such statements must be qualified in light of current attack capabilities. Major Comment 3: The paper contains too many basic definitions and some cybersecurity risk discussions are short and superficial. Response: Thank you for this observation. We understand the reviewer’s concern and acknowledge that the manuscript includes foundational explanatory material intended to make the review accessible to a broad readership. At the same time, we appreciate that for expert readers, some of these sections may appear introductory. 
In the revised version, we sought to improve the analytical depth of the manuscript by strengthening the synthesis sections, especially in relation to quantitative findings, implementation practices, and practical implications. We also recognize that further tightening of basic explanatory material and additional expansion of higher-level synthesis could improve the manuscript further, and we appreciate this guidance. Major Comment 4: The criteria for selecting the banks are unclear, and relying only on literature sources may not fully reflect actual banking practices. Response: We appreciate this important point. The bank-related analysis in the manuscript was intended as an illustrative synthesis of practices reported in the reviewed and cited sources, rather than as a definitive audit of the currently deployed security architecture of each institution. We agree that real-world banking implementation may evolve rapidly and may not always be fully captured in academic literature alone. In the revised manuscript, we improved the framing of this section to better reflect its interpretive purpose and to avoid overstating the completeness of the bank comparison. We also acknowledge that future work would benefit from expanding the evidence base to include additional industry and regulatory sources where appropriate. Major Comment 5: The rationale and motivation are not sufficiently clear, and the paper does not adequately answer the questions Why? and So what? Response: Thank you for this valuable comment. We took this concern seriously. In response, we strengthened the manuscript’s framing by clarifying that the purpose of the review is not merely to catalogue biometric methods, but to synthesize how biometric authentication is being used in mobile banking, what practical limitations remain, where current evidence is methodologically uneven, and which approaches appear most relevant for secure and usable deployment. 
We also strengthened the conclusion so that the review more clearly communicates the practical significance of the findings, particularly the observation that real-world banking practice increasingly favors layered and adaptive authentication rather than reliance on a single biometric factor. Major Comment 6: Source selection should be expanded to include white papers, technical reports, theses, book chapters, legal acts, standards, and related materials. Response: We appreciate this suggestion and agree that such sources can provide valuable insight, especially for industry practices, regulatory interpretation, and deployment realities. However, in the present review, we intentionally limited the formal evidence base to English-language journal and conference publications in order to maintain a more consistent and transparent selection framework under the chosen systematic review methodology. We acknowledge that this decision narrows the scope of the review and may exclude valuable non-traditional or industry-oriented sources. We have therefore treated this issue more explicitly as a limitation of the present study and agree that future reviews could usefully adopt a broader evidence strategy incorporating regulatory, industrial, and technical documentation. Minor Comment 1: Cancelable biometrics should be mentioned in the Introduction. Response: Thank you for this helpful suggestion. We agree that cancelable biometrics are relevant in the broader privacy and security discussion of biometric systems, particularly because they address the problem of revocability when biometric templates are compromised. We appreciate the value of this point and recognize it as an important concept for strengthening the introductory framing. Minor Comment 2: Table 3 is too brief to be useful. Response: We appreciate this comment. 
Table 3 was designed to provide a concise overview of the reviewed studies and their core focus areas rather than a full technical exposition of each method. However, we understand the reviewer’s concern that brevity may reduce interpretive value for readers. In the revised manuscript, we sought to strengthen the surrounding synthesis so that the table functions more clearly as a reference aid within a broader analytical discussion. Minor Comment 3: Figure 5 and Table 4 are visually appealing but not very meaningful. Response: Thank you for this observation. The intention of Figure 5 and Table 4 was to organize and visualize the diversity of authentication combinations reported across the literature, especially the interplay between biometric, knowledge-based, possession-based, and hybrid approaches. We acknowledge, however, that their analytical value depends on clear integration with the discussion. In the revised manuscript, we worked to improve that integration and appreciate the reviewer’s comment regarding the importance of ensuring that visual elements contribute interpretive value beyond presentation. Minor Comment 4: Table 5 requires editorial refinement. Response: Thank you. We appreciate this observation and carefully reviewed the manuscript for editorial consistency, including tabular formatting. Minor Comment 5: Much of the data in Table 6 is unavailable or not applicable. Response: We agree that this is an important limitation. Table 6 was included precisely to make visible the inconsistency and incompleteness of reporting across the reviewed literature. In the revised text, we more explicitly state that incomplete reporting of FAR, FRR, EER, liveness evaluation, and spoofing resistance is itself an important finding of the review and one of the reasons why stronger standardization is needed in future primary studies. Minor Comment 6: The purpose of Table 8 and Table 9 is unclear. Response: Thank you for raising this point. 
The purpose of these tables was to connect the academic literature with practical banking deployment patterns and to illustrate which biometric approaches appear most visible in major banking contexts. In the revised manuscript, we clarified this linkage more explicitly, particularly in the discussion of how banks balance usability and security by embedding biometrics within broader MFA strategies rather than using them in isolation. We once again thank the reviewer for the detailed and thought-provoking feedback. The comments helped us identify important areas where the manuscript required stronger synthesis, clearer framing, and more careful qualification of its claims. We believe that the revisions have significantly improved the clarity, depth, and practical relevance of the review. Response to Reviewer We sincerely thank the reviewer for the careful reading of our manuscript and for the detailed, thoughtful, and constructive comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. We are especially grateful for the reviewer’s emphasis on the need for stronger contextualization, deeper synthesis, and clearer articulation of the practical significance of the review. We have carefully considered these comments and revised the manuscript accordingly, while also acknowledging certain scope limitations of the present study. Our point-by-point responses are provided below. Major Comment 1: The paper does not sufficiently consider the wider regulatory, compliance, and market context; banking and payment markets are not homogeneous, and frameworks such as PSD2/SCA should be considered. Response: Thank you for this important observation. 
We agree that regulatory and compliance frameworks play a major role in shaping authentication practices in banking and payment systems, and that the financial sector cannot be treated as fully homogeneous across jurisdictions. In the revised manuscript, we strengthened the discussion of real-world implementation by more explicitly linking authentication practices to practical banking deployment conditions and by expanding the discussion of security–usability trade-offs in operational settings. We also acknowledge that a deeper comparative treatment of jurisdiction-specific regulatory frameworks, such as PSD2/SCA and related compliance requirements, would further strengthen the broader contextual framing. We therefore recognize this as an important direction for future extension of the review and as a limitation of the current study’s scope. Major Comment 2: The manuscript underestimates the seriousness of presentation and injection attacks, particularly in the AI era, and some statements about biometric resistance to counterfeiting are too strong. Response: We thank the reviewer for highlighting this point. We agree that presentation attacks and related spoofing threats are among the most critical challenges facing biometric systems in contemporary high-risk sectors such as banking. In response, we revised the manuscript to place greater emphasis on spoofing resistance, liveness detection, and the limitations of reported biometric performance. In particular, the revised quantitative discussion now clarifies that performance results are often difficult to generalize across real-world deployment conditions and that only a limited number of reviewed studies explicitly evaluated presentation attack detection or spoofing resistance. We also carefully reconsidered overly broad wording regarding biometric resistance to replication and recognize the reviewer’s point that such statements must be qualified in light of current attack capabilities. 
Major Comment 3: The paper contains too many basic definitions and some cybersecurity risk discussions are short and superficial. Response: Thank you for this observation. We understand the reviewer’s concern and acknowledge that the manuscript includes foundational explanatory material intended to make the review accessible to a broad readership. At the same time, we appreciate that for expert readers, some of these sections may appear introductory. In the revised version, we sought to improve the analytical depth of the manuscript by strengthening the synthesis sections, especially in relation to quantitative findings, implementation practices, and practical implications. We also recognize that further tightening of basic explanatory material and additional expansion of higher-level synthesis could improve the manuscript further, and we appreciate this guidance. Major Comment 4: The criteria for selecting the banks are unclear, and relying only on literature sources may not fully reflect actual banking practices. Response: We appreciate this important point. The bank-related analysis in the manuscript was intended as an illustrative synthesis of practices reported in the reviewed and cited sources, rather than as a definitive audit of the currently deployed security architecture of each institution. We agree that real-world banking implementation may evolve rapidly and may not always be fully captured in academic literature alone. In the revised manuscript, we improved the framing of this section to better reflect its interpretive purpose and to avoid overstating the completeness of the bank comparison. We also acknowledge that future work would benefit from expanding the evidence base to include additional industry and regulatory sources where appropriate. Major Comment 5: The rationale and motivation are not sufficiently clear, and the paper does not adequately answer the questions Why? and So what? Response: Thank you for this valuable comment. 
We took this concern seriously. In response, we strengthened the manuscript’s framing by clarifying that the purpose of the review is not merely to catalogue biometric methods, but to synthesize how biometric authentication is being used in mobile banking, what practical limitations remain, where current evidence is methodologically uneven, and which approaches appear most relevant for secure and usable deployment. We also strengthened the conclusion so that the review more clearly communicates the practical significance of the findings, particularly the observation that real-world banking practice increasingly favors layered and adaptive authentication rather than reliance on a single biometric factor. Major Comment 6: Source selection should be expanded to include white papers, technical reports, theses, book chapters, legal acts, standards, and related materials. Response: We appreciate this suggestion and agree that such sources can provide valuable insight, especially for industry practices, regulatory interpretation, and deployment realities. However, in the present review, we intentionally limited the formal evidence base to English-language journal and conference publications in order to maintain a more consistent and transparent selection framework under the chosen systematic review methodology. We acknowledge that this decision narrows the scope of the review and may exclude valuable non-traditional or industry-oriented sources. We have therefore treated this issue more explicitly as a limitation of the present study and agree that future reviews could usefully adopt a broader evidence strategy incorporating regulatory, industrial, and technical documentation. Minor Comment 1: Cancelable biometrics should be mentioned in the Introduction. Response: Thank you for this helpful suggestion. 
We agree that cancelable biometrics are relevant in the broader privacy and security discussion of biometric systems, particularly because they address the problem of revocability when biometric templates are compromised. We appreciate the value of this point and recognize it as an important concept for strengthening the introductory framing. Minor Comment 2: Table 3 is too brief to be useful. Response: We appreciate this comment. Table 3 was designed to provide a concise overview of the reviewed studies and their core focus areas rather than a full technical exposition of each method. However, we understand the reviewer’s concern that brevity may reduce interpretive value for readers. In the revised manuscript, we sought to strengthen the surrounding synthesis so that the table functions more clearly as a reference aid within a broader analytical discussion. Minor Comment 3: Figure 5 and Table 4 are visually appealing but not very meaningful. Response: Thank you for this observation. The intention of Figure 5 and Table 4 was to organize and visualize the diversity of authentication combinations reported across the literature, especially the interplay between biometric, knowledge-based, possession-based, and hybrid approaches. We acknowledge, however, that their analytical value depends on clear integration with the discussion. In the revised manuscript, we worked to improve that integration and appreciate the reviewer’s comment regarding the importance of ensuring that visual elements contribute interpretive value beyond presentation. Minor Comment 4: Table 5 requires editorial refinement. Response: Thank you. We appreciate this observation and carefully reviewed the manuscript for editorial consistency, including tabular formatting. Minor Comment 5: Much of the data in Table 6 is unavailable or not applicable. Response: We agree that this is an important limitation. 
Table 6 was included precisely to make visible the inconsistency and incompleteness of reporting across the reviewed literature. In the revised text, we more explicitly state that incomplete reporting of FAR, FRR, EER, liveness evaluation, and spoofing resistance is itself an important finding of the review and one of the reasons why stronger standardization is needed in future primary studies. Minor Comment 6: The purpose of Table 8 and Table 9 is unclear. Response: Thank you for raising this point. The purpose of these tables was to connect the academic literature with practical banking deployment patterns and to illustrate which biometric approaches appear most visible in major banking contexts. In the revised manuscript, we clarified this linkage more explicitly, particularly in the discussion of how banks balance usability and security by embedding biometrics within broader MFA strategies rather than using them in isolation. We once again thank the reviewer for the detailed and thought-provoking feedback. The comments helped us identify important areas where the manuscript required stronger synthesis, clearer framing, and more careful qualification of its claims. We believe that the revisions have significantly improved the clarity, depth, and practical relevance of the review. Competing Interests: No competing interests were disclosed. Close Report a concern COMMENT ON THIS REPORT Views 0 Cite How to cite this report: Nadella GS. Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . F1000Research 2026, 15 :5 ( https://doi.org/10.5256/f1000research.191708.r450383 ) The direct URL for this report is: https://f1000research.com/articles/15-5/v1#referee-response-450383 NOTE: it is important to ensure the information in square brackets after the title is included in this citation. 
Reviewer Report 29 Jan 2026 Geeta Sandeep Nadella , University of the Cumberlands, Williamsburg, USA Approved with Reservations https://doi.org/10.5256/f1000research.191708.r450383 The review is well-structured, methodologically sound, and clearly reports its rationale, methods, and conclusions. It does not involve statistical analysis beyond reporting existing metrics, and it is not a living review. This systematic literature review provides a valuable and timely synthesis of research on biometric authentication in mobile banking from 2020 to 2025. The rationale and objectives are clearly articulated, establishing a strong foundation for the work. The methodology is rigorously described using the PRISMA framework, with transparent reporting on databases, search strings, and inclusion criteria, which makes the process highly replicable. The analysis successfully addresses the stated research questions, offering a comprehensive overview of methods, threats, and banking practices, and the conclusions are well-supported by the presented evidence. To further strengthen this already solid work, several constructive avenues are worth considering. While the review effectively categorizes biometric methods and their performance metrics (e.g., FAR, FRR, EER), a more synthesized critical discussion of these quantitative results would be beneficial. For instance, highlighting the specific conditions under which certain biometrics excel or fail, based on the aggregated data, could offer more actionable insights for practitioners. 
Additionally, the section on usability and privacy challenges is comprehensive, but it could be enhanced by more explicitly linking these challenges to the specific implementation strategies of the banks analyzed earlier. Discussing how leading banks are practically navigating the trade-off between security strength and user experience would bridge the analysis and its real-world application more powerfully. Finally, the limitation regarding the heterogeneity of studies is well-noted. A forward-looking recommendation could be to explicitly call for more standardized evaluation protocols in future primary research to facilitate more robust comparative synthesis in subsequent reviews. Overall, this is a commendable and useful piece of scholarship that makes a clear contribution to the field by organizing a rapidly evolving body of knowledge. With some refinement in synthesizing quantitative findings and connecting analysis threads, its impact could be even greater. Are the rationale for, and objectives of, the Systematic Review clearly stated? Yes Are sufficient details of the methods and analysis provided to allow replication by others? Yes Is the statistical analysis and its interpretation appropriate? Yes Are the conclusions drawn adequately supported by the results presented in the review? Yes If this is a Living Systematic Review, is the ‘living’ method appropriate and is the search schedule clearly defined and justified? (‘Living Systematic Review’ or a variation of this term should be included in the title.) Not applicable Competing Interests: No competing interests were disclosed. Reviewer Expertise: MIS, Artificial Intelligence, HCI, Cybersecurity, Business and IT alignment I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above. Close READ LESS CITE CITE HOW TO CITE THIS REPORT Nadella GS. 
Reviewer Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . F1000Research 2026, 15 :5 ( https://doi.org/10.5256/f1000research.191708.r450383 ) The direct URL for this report is: https://f1000research.com/articles/15-5/v1#referee-response-450383 NOTE: it is important to ensure the information in square brackets after the title is included in all citations of this article. COPY CITATION DETAILS Report a concern Author Response 07 May 2026 Hasan Naji , Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq 07 May 2026 Author Response We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. We also apologize for the delay in submitting our revised response, ... Continue reading We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. In response to the reviewer’s comments, we have revised the manuscript in three main ways. First, we strengthened the synthesized discussion of the quantitative findings by expanding the interpretation of the reported FAR, FRR, EER, and accuracy values, with greater emphasis on the conditions under which particular biometric approaches perform well or show limitations. Second, we revised the usability and privacy discussion to more explicitly connect these challenges with the real-world implementation strategies used by major banks, particularly the use of biometrics together with OTP, device recognition, app-based approval, secure tokens, and step-up authentication. 
Third, we strengthened the conclusion and future directions by adding a clearer recommendation for more standardized evaluation protocols in future primary studies to support stronger comparative synthesis in subsequent reviews. We are grateful for the reviewer’s positive overall assessment of the manuscript and believe that these revisions have improved its clarity, depth, and practical relevance. We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. In response to the reviewer’s comments, we have revised the manuscript in three main ways. First, we strengthened the synthesized discussion of the quantitative findings by expanding the interpretation of the reported FAR, FRR, EER, and accuracy values, with greater emphasis on the conditions under which particular biometric approaches perform well or show limitations. Second, we revised the usability and privacy discussion to more explicitly connect these challenges with the real-world implementation strategies used by major banks, particularly the use of biometrics together with OTP, device recognition, app-based approval, secure tokens, and step-up authentication. Third, we strengthened the conclusion and future directions by adding a clearer recommendation for more standardized evaluation protocols in future primary studies to support stronger comparative synthesis in subsequent reviews. We are grateful for the reviewer’s positive overall assessment of the manuscript and believe that these revisions have improved its clarity, depth, and practical relevance. Competing Interests: No competing interests were disclosed. 
Close Report a concern Respond or Comment COMMENTS ON THIS REPORT Author Response 07 May 2026 Hasan Naji , Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq 07 May 2026 Author Response We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. We also apologize for the delay in submitting our revised response, ... Continue reading We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. In response to the reviewer’s comments, we have revised the manuscript in three main ways. First, we strengthened the synthesized discussion of the quantitative findings by expanding the interpretation of the reported FAR, FRR, EER, and accuracy values, with greater emphasis on the conditions under which particular biometric approaches perform well or show limitations. Second, we revised the usability and privacy discussion to more explicitly connect these challenges with the real-world implementation strategies used by major banks, particularly the use of biometrics together with OTP, device recognition, app-based approval, secure tokens, and step-up authentication. Third, we strengthened the conclusion and future directions by adding a clearer recommendation for more standardized evaluation protocols in future primary studies to support stronger comparative synthesis in subsequent reviews. We are grateful for the reviewer’s positive overall assessment of the manuscript and believe that these revisions have improved its clarity, depth, and practical relevance. We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. 
We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. In response to the reviewer’s comments, we have revised the manuscript in three main ways. First, we strengthened the synthesized discussion of the quantitative findings by expanding the interpretation of the reported FAR, FRR, EER, and accuracy values, with greater emphasis on the conditions under which particular biometric approaches perform well or show limitations. Second, we revised the usability and privacy discussion to more explicitly connect these challenges with the real-world implementation strategies used by major banks, particularly the use of biometrics together with OTP, device recognition, app-based approval, secure tokens, and step-up authentication. Third, we strengthened the conclusion and future directions by adding a clearer recommendation for more standardized evaluation protocols in future primary studies to support stronger comparative synthesis in subsequent reviews. We are grateful for the reviewer’s positive overall assessment of the manuscript and believe that these revisions have improved its clarity, depth, and practical relevance. Competing Interests: No competing interests were disclosed. Close Report a concern COMMENT ON THIS REPORT Comments on this article Comments (0) Version 2 VERSION 2 PUBLISHED 06 Jan 2026 ADD YOUR COMMENT Comment keyboard_arrow_left keyboard_arrow_right Open Peer Review Reviewer Status info_outline Alongside their report, reviewers assign a status to the article: Approved The paper is scientifically sound in its current form and only minor, if any, improvements are suggested Approved with reservations A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit. 
Not approved Fundamental flaws in the paper seriously undermine the findings and conclusions Reviewer Report 14 Feb 2026 | for Version 1 Wojciech Wodo , Wroclaw University of Science and Technology, Wroclaw, Poland copyright © 2026 Wodo W. This is an open access peer review report distributed under the terms of the Creative Commons Attribution License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Not Approved Alongside their report, reviewers assign a status to the article: Approved The paper is scientifically sound in its current form and only minor, if any, improvements are suggested Approved with reservations A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit. 
Not approved Fundamental flaws in the paper seriously undermine the findings and conclusions In my opinion, preparing the review paper is quite a challenging task, usually much more demanding than a regular research article, as it requires an extensive knowledge of the domain, a deep understanding of details, nuances, and a broad perspective of the described area. The contribution of the review paper is sometimes hard to grasp; it requires an in-depth analysis of the state-of-the-art literature and often internal (not publicly available) industry or business practices and the rationale behind them. To provide a vital contribution to the public, the author of the review paper should demonstrate a comprehensive understanding not only of the technology used but also of regulatory frameworks, compliance issues, as well as industrial or business-specific conditions. SOME BASIC INFORMATION ABOUT THE PAPER According to the authors the scope of the paper is: This systematic literature review based on PRISMA methodology, which covers studies from 2020 to 2025, provides a critical review of biometric authentication methods used in mobile banking. Reviewer’s remark: Regarding methodology, authors decided to search four databases: ScienceDirect, Scopus, IEEE, and Google Scholar in order to select papers for analysis. The whole process of selection and eligibility criteria as well as exclusion/inclusion approach was clearly presented. However, in my perspective this extremely important step is flawed by design, because authors limited themselves from the very beginning in learning insights from the industry/business perspective by excluding white papers, technical reports/notes, or from in-depth analysis presented in theses or book chapters. I cannot find any justification for such an approach in the paper and I find it restrictive to the study. Objectives are: 1. 
An analysis of the existing approaches, security risks and implementation practices adopted by major banks across the world. 2. A detailed overview of the current advances, key issues, and emerging research directions, which will give valuable insight to the development of secure and easy-to-use authentication systems in mobile banking. Reviewer’s remark: The motivation is not entirely clear to me; the authors claimed that they did not find a systematic literature review that focused specifically on the uses of BBA in mobile banking. However, the mere fact that no study exists should not be an end in itself for preparing one. The authors did not clearly state what motivated them to take up this topic and what their main idea and goal for the study was. All information is very generic and superficial in this regard. We can find information that they wanted to analyze biometric authentication methods, but we do not know why. Intended audience: The present manuscript is aimed at a wide audience of both academic researchers and industry practitioners. Reviewer’s remark: I cannot agree with the authors in this regard; after my evaluation I would say that the paper targets students or entry-level professionals and serves as educational or introductory material for getting oriented in the fundamentals of the described domain. The authors stated five main research questions: 1. Which biometric authentication methods are currently used in mobile banking systems? 2. What are the main security threats and vulnerabilities affecting biometric authentication in mobile banking? 3. How do major banks worldwide implement and integrate biometric authentication into their mobile banking applications? 4. What is the key usability, privacy, and user acceptance challenges related to biometric authentication in mobile banking? 5. What are the limitations and future research directions in improving biometric-based authentication for secure and convenient mobile banking? 
REVIEWER’S EVALUATION The paper tackles an undeniably important and interesting topic, and the authors demonstrate a transparent methodology of work, selecting multiple papers for analysis. The structure of the review is easy to follow, and there are formulated research questions and appropriate sections. The attached exhibits and tables are prepared in a neat manner. I have no objections to the formal or editorial aspects of the work; however, I have some substantial reservations about its essential content and the way of presenting the results and insights of the study. Major remarks: 1. One cannot elaborate on financial or payment market as a homogenous one, as there are different regulatory frameworks on risk, payments, identity management, AI or personal data protection that should be considered when applying technological solutions. These issues tremendously impact the bank and payment industry. Discussion on security mechanisms used in banking should consider wider context of regulatory domain, market maturity and users’ experience. For instance, according to PSD2 and the accompanying RTS, introducing SCA (Strong Customer Authentication) for a wide range of financial transactions is mandatory since the directive came into force in 2019 in the European Union market. The scope of the regulation tackles not only strengthening the authentication by enforcing 2FA mechanisms but also OTP binding with transaction data and time validity, so that we can achieve the so-called "dynamic linking" property and expiration time of the token. 2. Presentation Attacks and Injection Attacks are very powerful threats for biometric-based systems these days, and with the aid of AI, they are even more dangerous, as it is challenging to differentiate the genuine identity from the impostor. The authors claimed for instance that: “Biometrics offer very high resistance against replication and remain difficult to counterfeit” (page 7) which is clearly incorrect. 
Almost every vendor of eKYC solutions for high-risk industries, like banking or gambling, faces this issue. NIST is running a project on Face Analysis Technology Evaluation (FATE), one area of which is PAD (Presentation Attack Detection) - https://pages.nist.gov/frvt/html/frvt_pad.html , in which the best players in the market compete and are still not good enough at detecting fraud. 3. The paper contains a multitude of basic definitions and explanations of concepts that are obvious in the world of computer security. The paragraphs devoted to individual cybersecurity risks are very short and superficial. 4. The criteria for selecting the banks included in the study are unknown, and relying solely on information obtained from a literature review may, in this case, result in an incomplete or inaccurate picture of the security solutions and challenges in individual banks. In my opinion, it would be necessary to verify/ensure that the information presented reflects the actual state of affairs. Minor remarks: 1. Regarding the Introduction section and the BBA bullet point, it would be vital to mention "cancelable biometrics" approaches there. 2. The information provided by Table 3 is too short to be useful; a reader cannot grasp the essence of the solutions without reading the cited paper. 3. Figure 5 and Table 4 are fancy, but not meaningful; there is no vital data provided through them. 4. Table 5 requires some editorial work – e.g. wrong spacing. 5. In Table 6 a lot of data is neither available nor applicable. 6. What is the aim of presenting data in Table 8 and Table 9? CONCLUSION OF THE REVIEW The study fails to provide high-level insights on the presented subject; there is no vital contribution from the authors in building the wider context for the examined area and in drawing out meaningful takeaways. The presented material is a well-done scrutiny job rather than an in-depth analysis and synthesis of general and more abstract results. 
The reader can find the answers to the questions What? and sometimes How? but the questions Why? and So what? are not addressed. Almost all of the included exhibits are a reflection of the information provided in the text, without any additional value to the reader - more like for an aesthetic effect. Despite an undeniable load of work done by the authors, the submitted manuscript can be treated as preliminary work rather than as ready to go, and in my view, it is not suitable for publication in such a form. It requires additional layers of processing the gathered data and formulating conclusions and generalizations. Source selection should also be extended by previously excluded types of bibliographic items, such as industry/business whitepapers, technical reports/notes, or theses and book chapters, as well as legal acts or international standards containing extremely important data and insights and providing necessary context for the elaborated area. My general impression is that the paper lacks a leading, specific angle of looking at the area of interest. Analyzing the material through a “specific and more in-depth perspective” would allow for interesting conclusions and observations that would be more concrete and specific and more interesting to the audience. Are the rationale for, and objectives of, the Systematic Review clearly stated? Partly Are sufficient details of the methods and analysis provided to allow replication by others? Yes Is the statistical analysis and its interpretation appropriate? No Are the conclusions drawn adequately supported by the results presented in the review? Partly If this is a Living Systematic Review, is the ‘living’ method appropriate and is the search schedule clearly defined and justified? (‘Living Systematic Review’ or a variation of this term should be included in the title.) No Competing Interests No competing interests were disclosed. 
Reviewer Expertise cybersecurity, biometrics, digital identity, electronic & mobile banking security I confirm that I have read this submission and believe that I have an appropriate level of expertise to state that I do not consider it to be of an acceptable scientific standard, for reasons outlined above. reply Respond to this report Responses (1) Author Response 07 May 2026 Hasan Naji, Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq Response to Reviewer We sincerely thank the reviewer for the careful reading of our manuscript and for the detailed, thoughtful, and constructive comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. We are especially grateful for the reviewer’s emphasis on the need for stronger contextualization, deeper synthesis, and clearer articulation of the practical significance of the review. We have carefully considered these comments and revised the manuscript accordingly, while also acknowledging certain scope limitations of the present study. Our point-by-point responses are provided below. Major Comment 1: The paper does not sufficiently consider the wider regulatory, compliance, and market context; banking and payment markets are not homogeneous, and frameworks such as PSD2/SCA should be considered. Response: Thank you for this important observation. We agree that regulatory and compliance frameworks play a major role in shaping authentication practices in banking and payment systems, and that the financial sector cannot be treated as fully homogeneous across jurisdictions. In the revised manuscript, we strengthened the discussion of real-world implementation by more explicitly linking authentication practices to practical banking deployment conditions and by expanding the discussion of security–usability trade-offs in operational settings. 
We also acknowledge that a deeper comparative treatment of jurisdiction-specific regulatory frameworks, such as PSD2/SCA and related compliance requirements, would further strengthen the broader contextual framing. We therefore recognize this as an important direction for future extension of the review and as a limitation of the current study’s scope. Major Comment 2: The manuscript underestimates the seriousness of presentation and injection attacks, particularly in the AI era, and some statements about biometric resistance to counterfeiting are too strong. Response: We thank the reviewer for highlighting this point. We agree that presentation attacks and related spoofing threats are among the most critical challenges facing biometric systems in contemporary high-risk sectors such as banking. In response, we revised the manuscript to place greater emphasis on spoofing resistance, liveness detection, and the limitations of reported biometric performance. In particular, the revised quantitative discussion now clarifies that performance results are often difficult to generalize across real-world deployment conditions and that only a limited number of reviewed studies explicitly evaluated presentation attack detection or spoofing resistance. We also carefully reconsidered overly broad wording regarding biometric resistance to replication and recognize the reviewer’s point that such statements must be qualified in light of current attack capabilities. Major Comment 3: The paper contains too many basic definitions and some cybersecurity risk discussions are short and superficial. Response: Thank you for this observation. We understand the reviewer’s concern and acknowledge that the manuscript includes foundational explanatory material intended to make the review accessible to a broad readership. At the same time, we appreciate that for expert readers, some of these sections may appear introductory. 
In the revised version, we sought to improve the analytical depth of the manuscript by strengthening the synthesis sections, especially in relation to quantitative findings, implementation practices, and practical implications. We also recognize that further tightening of basic explanatory material and additional expansion of higher-level synthesis could improve the manuscript further, and we appreciate this guidance. Major Comment 4: The criteria for selecting the banks are unclear, and relying only on literature sources may not fully reflect actual banking practices. Response: We appreciate this important point. The bank-related analysis in the manuscript was intended as an illustrative synthesis of practices reported in the reviewed and cited sources, rather than as a definitive audit of the currently deployed security architecture of each institution. We agree that real-world banking implementation may evolve rapidly and may not always be fully captured in academic literature alone. In the revised manuscript, we improved the framing of this section to better reflect its interpretive purpose and to avoid overstating the completeness of the bank comparison. We also acknowledge that future work would benefit from expanding the evidence base to include additional industry and regulatory sources where appropriate. Major Comment 5: The rationale and motivation are not sufficiently clear, and the paper does not adequately answer the questions Why? and So what? Response: Thank you for this valuable comment. We took this concern seriously. In response, we strengthened the manuscript’s framing by clarifying that the purpose of the review is not merely to catalogue biometric methods, but to synthesize how biometric authentication is being used in mobile banking, what practical limitations remain, where current evidence is methodologically uneven, and which approaches appear most relevant for secure and usable deployment. 
We also strengthened the conclusion so that the review more clearly communicates the practical significance of the findings, particularly the observation that real-world banking practice increasingly favors layered and adaptive authentication rather than reliance on a single biometric factor. Major Comment 6: Source selection should be expanded to include white papers, technical reports, theses, book chapters, legal acts, standards, and related materials. Response: We appreciate this suggestion and agree that such sources can provide valuable insight, especially for industry practices, regulatory interpretation, and deployment realities. However, in the present review, we intentionally limited the formal evidence base to English-language journal and conference publications in order to maintain a more consistent and transparent selection framework under the chosen systematic review methodology. We acknowledge that this decision narrows the scope of the review and may exclude valuable non-traditional or industry-oriented sources. We have therefore treated this issue more explicitly as a limitation of the present study and agree that future reviews could usefully adopt a broader evidence strategy incorporating regulatory, industrial, and technical documentation. Minor Comment 1: Cancelable biometrics should be mentioned in the Introduction. Response: Thank you for this helpful suggestion. We agree that cancelable biometrics are relevant in the broader privacy and security discussion of biometric systems, particularly because they address the problem of revocability when biometric templates are compromised. We appreciate the value of this point and recognize it as an important concept for strengthening the introductory framing. Minor Comment 2: Table 3 is too brief to be useful. Response: We appreciate this comment. 
Table 3 was designed to provide a concise overview of the reviewed studies and their core focus areas rather than a full technical exposition of each method. However, we understand the reviewer’s concern that brevity may reduce interpretive value for readers. In the revised manuscript, we sought to strengthen the surrounding synthesis so that the table functions more clearly as a reference aid within a broader analytical discussion. Minor Comment 3: Figure 5 and Table 4 are visually appealing but not very meaningful. Response: Thank you for this observation. The intention of Figure 5 and Table 4 was to organize and visualize the diversity of authentication combinations reported across the literature, especially the interplay between biometric, knowledge-based, possession-based, and hybrid approaches. We acknowledge, however, that their analytical value depends on clear integration with the discussion. In the revised manuscript, we worked to improve that integration and appreciate the reviewer’s comment regarding the importance of ensuring that visual elements contribute interpretive value beyond presentation. Minor Comment 4: Table 5 requires editorial refinement. Response: Thank you. We appreciate this observation and carefully reviewed the manuscript for editorial consistency, including tabular formatting. Minor Comment 5: Much of the data in Table 6 is unavailable or not applicable. Response: We agree that this is an important limitation. Table 6 was included precisely to make visible the inconsistency and incompleteness of reporting across the reviewed literature. In the revised text, we more explicitly state that incomplete reporting of FAR, FRR, EER, liveness evaluation, and spoofing resistance is itself an important finding of the review and one of the reasons why stronger standardization is needed in future primary studies. Minor Comment 6: The purpose of Table 8 and Table 9 is unclear. Response: Thank you for raising this point. 
The purpose of these tables was to connect the academic literature with practical banking deployment patterns and to illustrate which biometric approaches appear most visible in major banking contexts. In the revised manuscript, we clarified this linkage more explicitly, particularly in the discussion of how banks balance usability and security by embedding biometrics within broader MFA strategies rather than using them in isolation. We once again thank the reviewer for the detailed and thought-provoking feedback. The comments helped us identify important areas where the manuscript required stronger synthesis, clearer framing, and more careful qualification of its claims. We believe that the revisions have significantly improved the clarity, depth, and practical relevance of the review. View more View less Competing Interests No competing interests were disclosed. reply Respond Report a concern Wodo W. Peer Review Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . F1000Research 2026, 15 :5 ( https://doi.org/10.5256/f1000research.191708.r450385) NOTE: it is important to ensure the information in square brackets after the title is included in this citation. The direct URL for this report is: https://f1000research.com/articles/15-5/v1#referee-response-450385 keyboard_arrow_left Back to all reports Reviewer Report 0 Views copyright © 2026 Nadella G. This is an open access peer review report distributed under the terms of the Creative Commons Attribution License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. 29 Jan 2026 | for Version 1 Geeta Sandeep Nadella , University of the Cumberlands, Williamsburg, USA 0 Views copyright © 2026 Nadella G. 
This is an open access peer review report distributed under the terms of the Creative Commons Attribution License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. format_quote Cite this report speaker_notes Responses (1) Approved With Reservations info_outline Alongside their report, reviewers assign a status to the article: Approved The paper is scientifically sound in its current form and only minor, if any, improvements are suggested Approved with reservations A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit. Not approved Fundamental flaws in the paper seriously undermine the findings and conclusions The review is well-structured, methodologically sound, and clearly reports its rationale, methods, and conclusions. It does not involve statistical analysis beyond reporting existing metrics, and it is not a living review. This systematic literature review provides a valuable and timely synthesis of research on biometric authentication in mobile banking from 2020 to 2025. The rationale and objectives are clearly articulated, establishing a strong foundation for the work. The methodology is rigorously described using the PRISMA framework, with transparent reporting on databases, search strings, and inclusion criteria, which makes the process highly replicable. The analysis successfully addresses the stated research questions, offering a comprehensive overview of methods, threats, and banking practices, and the conclusions are well-supported by the presented evidence. To further strengthen this already solid work, several constructive avenues are worth considering. While the review effectively categorizes biometric methods and their performance metrics (e.g., FAR, FRR, EER), a more synthesized critical discussion of these quantitative results would be beneficial. 
For instance, highlighting the specific conditions under which certain biometrics excel or fail, based on the aggregated data, could offer more actionable insights for practitioners. Additionally, the section on usability and privacy challenges is comprehensive, but it could be enhanced by more explicitly linking these challenges to the specific implementation strategies of the banks analyzed earlier. Discussing how leading banks are practically navigating the trade-off between security strength and user experience would bridge the analysis and its real-world application more powerfully. Finally, the limitation regarding the heterogeneity of studies is well-noted. A forward-looking recommendation could be to explicitly call for more standardized evaluation protocols in future primary research to facilitate more robust comparative synthesis in subsequent reviews. Overall, this is a commendable and useful piece of scholarship that makes a clear contribution to the field by organizing a rapidly evolving body of knowledge. With some refinement in synthesizing quantitative findings and connecting analysis threads, its impact could be even greater. Are the rationale for, and objectives of, the Systematic Review clearly stated? Yes Are sufficient details of the methods and analysis provided to allow replication by others? Yes Is the statistical analysis and its interpretation appropriate? Yes Are the conclusions drawn adequately supported by the results presented in the review? Yes If this is a Living Systematic Review, is the ‘living’ method appropriate and is the search schedule clearly defined and justified? (‘Living Systematic Review’ or a variation of this term should be included in the title.) Not applicable Competing Interests No competing interests were disclosed. 
Reviewer Expertise MIS, Artificial Intelligence, HCI, Cybersecurity, Business and IT alignment I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above. reply Respond to this report Responses (1) Author Response 07 May 2026 Hasan Naji, Computer Science, University of Mosul College of Computer Sciences and Mathematics, Mosul, Iraq We sincerely thank the reviewer for the careful reading of our manuscript and for the constructive and insightful comments. We also apologize for the delay in submitting our revised response, which was due to a temporary health issue. We greatly appreciate your patience and understanding. In response to the reviewer’s comments, we have revised the manuscript in three main ways. First, we strengthened the synthesized discussion of the quantitative findings by expanding the interpretation of the reported FAR, FRR, EER, and accuracy values, with greater emphasis on the conditions under which particular biometric approaches perform well or show limitations. Second, we revised the usability and privacy discussion to more explicitly connect these challenges with the real-world implementation strategies used by major banks, particularly the use of biometrics together with OTP, device recognition, app-based approval, secure tokens, and step-up authentication. Third, we strengthened the conclusion and future directions by adding a clearer recommendation for more standardized evaluation protocols in future primary studies to support stronger comparative synthesis in subsequent reviews. We are grateful for the reviewer’s positive overall assessment of the manuscript and believe that these revisions have improved its clarity, depth, and practical relevance. View more View less Competing Interests No competing interests were disclosed. reply Respond Report a concern Nadella GS. 
Peer Review Report For: A Systematic Literature Review on Biometric Authentication in Mobile Banking [version 1; peer review: 1 approved with reservations, 1 not approved] . F1000Research 2026, 15 :5 ( https://doi.org/10.5256/f1000research.191708.r450383) NOTE: it is important to ensure the information in square brackets after the title is included in this citation. The direct URL for this report is: https://f1000research.com/articles/15-5/v1#referee-response-450383 Alongside their report, reviewers assign a status to the article: Approved - the paper is scientifically sound in its current form and only minor, if any, improvements are suggested Approved with reservations - A number of small changes, sometimes more significant revisions are required to address specific details and improve the papers academic merit. Not approved - fundamental flaws in the paper seriously undermine the findings and conclusions Adjust parameters to alter display View on desktop for interactive features Includes Interactive Elements View on desktop for interactive features Competing Interests Policy Provide sufficient details of any financial or non-financial competing interests to enable users to assess whether your comments might lead a reasonable person to question your impartiality. Consider the following examples, but note that this is not an exhaustive list: Examples of 'Non-Financial Competing Interests' Within the past 4 years, you have held joint grants, published or collaborated with any of the authors of the selected paper. You have a close personal relationship (e.g. parent, spouse, sibling, or domestic partner) with any of the authors. You are a close professional associate of any of the authors (e.g. scientific mentor, recent student). You work at the same institute as any of the authors. You hope/expect to benefit (e.g. favour or employment) as a result of your submission. You are an Editor for the journal in which the article is published. 
ISSN 2046-1402 | Legal | Partner of Research4Life • CrossRef • ORCID • FAIRSharing R.templateTests.simpleTemplate = R.template(' $text $text $text $text $text '); R.templateTests.runTests(); var F1000platform = new F1000.Platform({ name: "f1000research", displayName: "F1000Research", hostName: "f1000research.com", id: "1", editorialEmail: "
[email protected]", infoEmail: "
[email protected]", usePmcStats: true }); $(function(){R.ui.dropdowns('.dropdown-for-authors, .dropdown-for-about, .dropdown-for-myresearch');}); // $(function(){R.ui.dropdowns('.dropdown-for-referees');}); $(document).ready(function () { if ($(".cookie-warning").is(":visible")) { $(".sticky").css("margin-bottom", "35px"); $(".devices").addClass("devices-and-cookie-warning"); } $(".cookie-warning .close-button").click(function (e) { $(".devices").removeClass("devices-and-cookie-warning"); $(".sticky").css("margin-bottom", "0"); }); $("#tweeter-feed .tweet-message").each(function (i, message) { var self = $(message); self.html(linkify(self.html())); }); $(".partner").on("mouseenter mouseleave", function() { $(this).find(".gray-scale, .colour").toggleClass("is-hidden"); }); }); Sign In Remember me Forgotten your password? Sign In Cancel Email or password not correct. Please try again Please wait... $(function(){ // Note: All the setup needs to run against a name attribute and *not* the id due the clonish // nature of facebox... $("a[id=googleSignInButton]").click(function(event){ event.preventDefault(); $("input[id=oAuthSystem]").val("GOOGLE"); $("form[id=oAuthForm]").submit(); }); $("a[id=facebookSignInButton]").click(function(event){ event.preventDefault(); $("input[id=oAuthSystem]").val("FACEBOOK"); $("form[id=oAuthForm]").submit(); }); $("a[id=orcidSignInButton]").click(function(event){ event.preventDefault(); $("input[id=oAuthSystem]").val("ORCID"); $("form[id=oAuthForm]").submit(); }); }); If you've forgotten your password, please enter your email address below and we'll send you instructions on how to reset your password. The email address should be the one you originally registered with F1000. Email address not valid, please try again You registered with F1000 via Google, so we cannot reset your password. To sign in, please click here . If you still need help with your Google account password, please click here . 
You registered with F1000 via Facebook, so we cannot reset your password. To sign in, please click here . If you still need help with your Facebook account password, please click here . Code not correct, please try again Reset password Cancel Email us for further assistance. Server error, please try again. If your email address is registered with us, we will email you instructions to reset your password. If you think you should have received this email but it has not arrived, please check your spam filters and/or contact for further assistance. Please wait... Register $(document).ready(function () { signIn.createSignInAsRow($("#sign-in-form-gfb-popup")); $(".target-field").each(function () { var uris = $(this).val().split("/"); if (uris.pop() === "login") { $(this).val(uris.toString().replace(",","/")); } }); });