Analysis and Intellectual Structure of the Multi-Factor Authentication in Information Security

This study presents the current state of research on multi-factor authentication. Authentication is one of the important traits in the security domain as it ensures that legitimate users have access to the secure resource. Attacks on authentication occur even before digital access is given, but it becomes quite challenging with remote access to secure resources. With increasing threats to single authentication schemes, two-factor and later multi-factor authentication approaches came into practice. Several studies have been done in the multi-factor authentication discipline, and most of them proposed the best possible approaches, but there are very limited studies in the area that can comprehend all these innovative and effective approaches. Using Web of Science data on the research publications on the topic, the study adopted the bibliometric approach to find the evolution of authentication in the security domain, especially multi-factor authentication. This study finds the impact of the research in the selected domain using bibliometric analysis. This research also identifies the key research trends that most of the researchers are paying attention to. The highest number of publications on multi-factor authentication was published in 2019, while the highest number of citations was received in 2014. The United States, India, and China are the leading countries publishing the most on multi-factor authentication.

Legitimate access to any resource requires authentication of the person accessing the protected resource [46]. Usually, this protection is done through a username and password which, if compromised, may result in total failure of the system. This can easily be understood by considering what happens if someone can sneak into your mobile phone and the only security provided is a passcode or PIN. Biometrics, a common authentication scheme, was introduced as a replacement for the password to ensure that a legitimate person is logging in. However, it can be compromised, as in the famous case of the Apple hack in 48 h at a security conference in Germany [47]. Two-factor authentication was then introduced, where the combination of password and biometric was preferred as it provides a chance of better security. This research focuses on finding the evolution of different authentication schemes and how different combinations of authentication schemes are used to form multi-factor authentication schemes [48].
Several studies and authentication schemes are currently in use for providing legitimate access to protected resources. Each scheme has its pros and cons, making it challenging to adapt to every possible scenario. This results in a multiple-level authentication scheme based on the nature of the resource [47][48][49][50]. The following section presents the common authentication schemes and how they are used.
Password: Usage of a password, PIN, or passcode is one of the oldest mechanisms for protecting resources from illegitimate access. Passwords are considered secure based on their size and complexity. But the number of passwords released over the dark web, as well as other compromises, has resulted in failure of the scheme or even, in some cases, ransom or maligning of a person. Secondly, if a password is compromised, the whole security scheme becomes null and void [51].
Biometric: Several biometric schemes are used for providing authentication, such as facial recognition, fingerprint, and iris authentication. They guarantee real and legitimate human access, but advances in the recreation of images and biometrics have resulted in the compromise of the scheme [52].
One Time Password (OTP): The OTP scheme is widely used these days as it allows live access to resources using a fresh password. Usually, OTP is used in conjunction with other authentication schemes, but it can still be compromised using a Man-in-the-Browser attack or malware [53].
Smartcard: Barkadehi et al. and Velásquez et al. discussed that smart cards are often used to provide security and authentication by keeping the secret information protected. They are widely used to authenticate to resources smartly and efficiently. But they are complex to handle because a card may be lost or stolen; indirect gains and rogue relay attacks are also possible.
Blind-Fold Challenge Scheme: Owing to the increased number of bot attacks, verification of the human factor has been introduced through random challenges such as identifying an object in a picture, a CAPTCHA, an easy math equation, or a set of challenges. However, advances in image recognition have made it possible to crack CAPTCHAs, and it is challenging for blind or low-sight users to use a complex scheme. Secondly, the blindfold challenge scheme cannot be used as a security scheme; it only distinguishes humans from machines [53][54][55].
Profiling: Security profiling of users is often considered to be an adaptive authentication scheme where a user profile is completely built, and whenever a slight deviation from normal behavior is detected, complex authentication schemes are introduced again. This scheme results in fast access and ensures legitimate users are using the resources but, in some cases, if the user is behaving abnormally due to an emergency, all access may get blocked, which may result in some serious injury. Profiling can be location-based, timing-based, device-type-based, or even connection-based. All of them can be used in conjunction with other approaches to achieve better security [55][56][57].
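The profiling scheme described above, sketched as an added example (it is not code from this study or from any cited scheme): a login is compared with a stored baseline on the four dimensions named in the text, and each deviation steps up the required factor category instead of blocking access outright. The class names, sample profile, and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass

# Factor categories used in MFA: what you know, what you have, what you are.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

@dataclass
class Profile:
    """Per-user baseline built from past successful logins (constructed data)."""
    countries: set
    devices: set
    networks: set        # connection labels, e.g. "home-isp", "corp-vpn"
    usual_hours: range   # local hours of day normally observed

@dataclass
class LoginContext:
    country: str
    device_id: str
    network: str
    hour: int

def deviations(profile, ctx):
    """Return the profiling dimensions on which this login departs from baseline."""
    checks = {
        "location": ctx.country in profile.countries,
        "device": ctx.device_id in profile.devices,
        "connection": ctx.network in profile.networks,
        "timing": ctx.hour in profile.usual_hours,
    }
    return sorted(dim for dim, ok in checks.items() if not ok)

def required_factors(profile, ctx, sensitivity="normal"):
    """Map deviations and resource sensitivity to required factor categories.

    Thresholds are assumptions for illustration. The policy only ever steps
    up; it never denies, so an unusual but genuine login (the emergency case)
    can still succeed by presenting stronger factors.
    """
    devs = deviations(profile, ctx)
    factors = [KNOWLEDGE]
    if devs or sensitivity == "high":
        factors.append(POSSESSION)
    if len(devs) >= 2 or (devs and sensitivity == "high"):
        factors.append(INHERENCE)
    return factors, devs

# Constructed sample baseline for a hypothetical user.
ALICE = Profile({"DE"}, {"laptop-01", "phone-07"}, {"home-isp", "corp-vpn"}, range(7, 20))
```
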
MFA works on three major principles: (1) knowledge: what you know, such as your PIN, password, etc.; (2) possession: an asset that you have in hand, such as a mobile phone; and (3) inherence, which refers to what is unique to you, such as biometric information [58]. A better approach must use all three together based on the level of security that the resource requires. This research adopts bibliometric analysis to find out how multi-factor authentication is analyzed in scientific literature and which principles are covered in these approaches. Bibliometric analysis is a statistical approach to evaluate the published scientific literature. Several studies have been conducted using bibliometric methods in the area of security and authentication schemes, but very limited studies have been done in the area of multi-factor authentication. [59] conducted a bibliometric study about authentication that covered a variety of security and the Internet of Things (IoT). [60] researched smart grid and Internet of Things security. Both pieces of research investigate publications made in a vast area and also provide a highlight of keywords for consideration.
[61] conducted a bibliometric study on security and the application of bibliometrics, while [62] conducted a bibliometric study of how security is analyzed in the blockchain. A few studies about security, such as [63][64][65][66][67], analyzed security issues using bibliometric studies and extracted the major publication patterns. MFA is not a new research area, but its real usage came with the number of security issues on the rise. Security experts worked on approaches that include MFA, but there is a lack of studies that can comprehend what has been done in the area and where current research is heading.
The main objective of this study is to present the current state of research on multi-factor authentication. To achieve the stated objective, the study aimed to answer the following research questions interpreting the scope of the research as well.
How have the research publications and citations on multi-factor authentication evolved over time? What is the impact and citation structure of the research on multi-factor authentication? What are the research trends in multi-factor authentication in terms of authorship patterns, active countries, institutions, journals and researchers? What are the main themes in the domain and how have these themes evolved over time? What are the recent research trends in this domain?

Bibliometric Terminology
This study used the bibliometric terminology and abbreviations listed in Tab. 1.
Active authors, institutions and countries are those with the highest number of publications.

Tools Used
Gephi, an open-source tool, was used to visualize the keyword co-occurrences, present co-citation graphs, and create the bibliometric coupling. Thematic evolution and collaboration trends were explored using another open-source tool, Biblioshiny [68][69][70], version 2.0. Microsoft Excel was used to scan the titles and abstracts.

Data Source
The selection of a database is an important task in bibliometric studies. Web of Science (WoS) was selected to retrieve data as it is one of the most comprehensive and premier citation and abstract databases of scientific literature in the selected domain. WoS indexes the relevant, authoritative and top-ranked journals and has a wider coverage of scholarly literature on computer security and allied subject domains.

Method
The bibliometric method of research analysis was applied to conduct this study. The method is widely used in evaluating the research performance of particular fields of knowledge, institutions, regions and journals.

Search Query and Data Retrieval
To retrieve the bibliographic and citation records of "multi-factor authentication", a search query with the keyword "Multi-factor authentication" was run in the "Topic" field in the Web of Science Core Collection. The topic field brings results from the title, keywords, and abstracts of the publications. The search was performed on February 22, 2021. Two of the authors retrieved the data simultaneously to validate the retrieved data. The titles and abstracts of the results were scanned to check their relevancy.

Analysis, Results and Discussion
In this section, the data analysis and results are presented with analytical discussion.

Influential Journals
IEEE Access was the most active journal publishing research on multi-factor authentication. Most of the journals presented in Tab. 4 are impact factor journals listed in Journal Citation Reports of Clarivate Analytics. The majority of these journals are ranked in the first and second quartiles of journal rankings. All of the top ten journals are based in the United States and European countries.

Authorship Pattern
Most of the research on multi-factor authentication is done collaboratively, as indicated in Fig. 2. Three-author studies are the most common trend, followed by studies prepared by the joint effort of two authors. Seventeen studies were prepared by single authors. Studies prepared in collaboration received citations with a better average than the single-author studies. Studies with eight authors were cited with an average of 12 citations per publication. The second-best citation average of 7.5 was recorded for the publications with five authors. Single-author studies received the lowest citation average of 2 citations per publication.

Co-occurrences Analysis of Keywords
Using Gephi software, the co-occurrences of author-supplied keywords were analyzed. The keywords with a minimum of four occurrences were selected to appear in Fig. 3; 28 keywords met the threshold. Fig. 3 shows interesting correlations between the author keywords, indicating connections to multi-factor authentication. Based on the weight of co-occurrences and total link strength, multi-factor authentication was the most frequently used keyword, establishing its connections to biometrics, security, and authentication. Seven different colors represent seven clusters.

Bibliographic Coupling of the Authors' Affiliated Institutions
Fig. 5 shows the bibliographic coupling of the institutions of the authors who are publishing on multi-factor authentication. With the threshold of three publications, fifteen institutions qualified to appear on the coupling map. The representation of institutions from around the world indicates that research on multi-factor authentication is being carried out globally. A strong collaboration can be observed between the ITMO University and the Tampere University of Technology.
Fig. 6 shows a three-field plot of keywords (left), countries (center), and journals (right), identifying the relationship among the keywords, countries, and journals. "Multi-factor authentication" and "authentication" were the most frequently used keywords, as indicated by the size of the boxes. India, China, and the United States are using these keywords the most, while the journals IEEE Access, and Computers and Society have published most of the research on these keywords.
Fig. 7 presents the thematic evolution of keywords used in the multi-factor authentication research. The temporal analysis was made on the main themes of the domain and divides the research life span over three different time slices. Results indicate that multi-factor authentication, password, and authentication were the popular keywords since the emergence of the field. Confidentiality, biometrics, and security were the new areas of focus from 2016 to 2018. Behavior, OTP, anonymity, and information security emerged as the new research themes during the last two years. Multi-factor authentication has been the focus of research throughout the lifespan of the field.

Limitations and Future Research Directions
The data source of this study is the WoS database. Other citation and abstract databases such as Scopus and Google Scholar may reflect a different number of publications and citations on MFA. The study used the "multi-factor authentication" keyword to search for and retrieve the data. Other keywords will yield other results, as databases retrieve a different set of records with the change of keywords. A systematic review of MFA will be a good source of knowledge for the researchers in the field. A bibliometric study using the other abstract and indexing databases to map the current research landscape of MFA will be a good addition to the current literature in the domain. A comparative study of different regions and countries can be carried out that may reflect on priorities or, even in some cases, weaknesses in the domain. The same study can select the best and most effective practices to create a general framework for effective multi-factor authentication schemes.

Conclusion
Authentication is an essential aspect of security and has always gained attention as well as attacks over time. This research study focuses on MFA, which was coined a long time ago as two-factor or three-factor authentication. The selected data source shows 2004 as the year in which it received an approach comprising MFA, and then a steady increase was observed. It was a decade later that MFA gained more popularity and impact, as shown through citation analysis, which was due to the usage of intelligent approaches for compromising authentication. The United States, India, and China were the most active countries publishing MFA research, while Purdue University was the most prolific institution. The highest number of studies was published in IEEE Access. Researchers preferred to conduct their research collaboratively. MFA, biometrics, security, and authentication were the most frequently used keywords. Behavior, OTP, anonymity, and information security emerged as the new research themes during the last two years, while confidentiality, biometrics, and security were the areas of focus from 2016 to 2018. The study recommends that future researchers conduct a systematic literature review on the topic to uncover the research on MFA in terms of the security approaches adopted.