With the rapid proliferation of online learning, students are increasingly demanding easy and flexible access to learning content at a time and location of their choosing. In these environments, remote users connecting via the public Internet or other unsecure networks must be authenticated prior to being granted access to sensitive content such as tests or personal/private records. Today, the overwhelming majority of online learning systems rely on weak authentication mechanisms to verify the identity of remote users only at the start of each session. One-time authentication using password, personal identification number (PIN), or even hardware tokens is clearly inadequate in that it cannot defend against insider attacks including remote user impersonation or illegal sharing or disclosure of these authentication secrets. As such, these methods are entirely unsuitable for circumstances where the outcome of an online assessment or a course of study is the granting of a formal degree, professional certification, or qualification or requalification for a particular skill or function. This paper examines the problem of remote authentication in online learning environments and explores the challenges and options of using biometric technology to defend against user impersonation attacks by certifying the presence of the user in front of the computer, at all times. It also leverages a 5-step process as the basis for a systems approach to ensuring that the proposed solution will meet the critical remote authentication assurance requirements. The process and systems approach employed here are generic, and can be exploited when introducing biometric-enabled authentication solutions to other applications and business domains. The paper concludes by presenting a biometrics-based client-server architecture for continuous user authentication in e-learning environments.
