Privacy-Enhanced Adaptive Authentication: User Profiling with Privacy Guarantees

TL;DR

This paper presents a privacy-preserving adaptive authentication protocol that uses cryptographic techniques and differential privacy to enhance security and protect user data during risk-based authentication.

Contribution

It introduces a novel protocol combining OPRF, anonymous tokens, and differential privacy to improve privacy guarantees in adaptive authentication systems.

Findings

Protocol provides strong privacy guarantees with formal proofs.

Performance evaluation shows manageable computational and communication overheads.

Enhances compliance with data protection regulations like GDPR and CCPA.

Abstract

User profiling is a critical component of adaptive risk-based authentication, yet it raises significant privacy concerns, particularly when handling sensitive data. Profiling involves collecting and aggregating various user features, potentially creating quasi-identifiers that can reveal identities and compromise privacy. Even anonymized profiling methods remain vulnerable to re-identification attacks through these quasi-identifiers. This paper introduces a novel privacy-enhanced adaptive authentication protocol that leverages Oblivious Pseudorandom Functions (OPRF), anonymous tokens, and Differential Privacy (DP) to provide robust privacy guarantees. Our proposed approach dynamically adjusts authentication requirements based on real-time risk assessments, enhancing security while safeguarding user privacy. By integrating privacy considerations into the core of adaptive risk-based adaptive authentication, this approach addresses a gap often overlooked in traditional models. Advanced cryptographic techniques ensure confidentiality, integrity, and unlinkability of user data, while differential privacy mechanisms minimize the impact of individual data points on overall analysis. Formal security and privacy proofs demonstrate the protocol's resilience against various threats and its ability to provide strong privacy guarantees. Additionally, a comprehensive performance evaluation reveals that the computational and communication overheads are manageable, making the protocol practical for real-world deployment. By adhering to data protection regulations such as GDPR and CCPA, our protocol not only enhances security but also fosters user trust and compliance with legal standards.