Privacy-Preserving Federated Learning Framework for Risk-Based Adaptive Authentication

TL;DR

This paper presents FL-RBA2, a federated learning framework that enhances risk-based adaptive authentication by addressing Non-IID data challenges, ensuring privacy, security, and personalized risk assessment in decentralized environments.

Contribution

FL-RBA2 introduces a mathematically grounded similarity transformation to handle Non-IID data, incorporates privacy-preserving techniques, and provides formal security proofs for adaptive authentication.

Findings

Effective detection of high-risk users across multiple datasets.

Robustness against inference and model inversion attacks.

Maintains privacy and security under strong differential privacy constraints.

Abstract

Balancing robust security with strong privacy guarantees is critical for Risk-Based Adaptive Authentication (RBA), particularly in decentralized settings. Federated Learning (FL) offers a promising solution by enabling collaborative risk assessment without centralizing user data. However, existing FL approaches struggle with Non-Independent and Identically Distributed (Non-IID) user features, resulting in biased, unstable, and poorly generalized global models. This paper introduces FL-RBA2, a novel Federated Learning framework for Risk-Based Adaptive Authentication that addresses Non-IID challenges through a mathematically grounded similarity transformation. By converting heterogeneous user features (including behavioral, biometric, contextual, interaction-based, and knowledge-based modalities) into IID similarity vectors, FL-RBA2 supports unbiased aggregation and personalized risk modeling across distributed clients. The framework mitigates cold-start limitations via clustering-based risk labeling, incorporates Differential Privacy (DP) to safeguard sensitive information, and employs Message Authentication Codes (MACs) to ensure model integrity and authenticity. Federated updates are securely aggregated into a global model, achieving strong balance between user privacy, scalability, and adaptive authentication robustness. Rigorous game-based security proofs in the Random Oracle Model formally establish privacy, correctness, and adaptive security guarantees. Extensive experiments on keystroke, mouse, and contextual datasets validate FL-RBA2's effectiveness in high-risk user detection and its resilience to model inversion and inference attacks, even under strong DP constraints.