A Requirement-Based Framework for Engineering Adaptive Authentication

TL;DR

This paper introduces a framework for designing adaptive authentication systems that dynamically select appropriate methods based on changing contextual factors and security risks, ensuring security and usability.

Contribution

It presents a novel framework using goal and feature models, combined with a Fuzzy Causal network and Z3 solver, to guide the selection of authentication methods in dynamic environments.

Findings

Effective at adapting to changing contexts in IoV and healthcare scenarios.

Improves security risk mitigation while maintaining usability.

Demonstrated feasibility through real-world case studies.

Abstract

Authentication is crucial to confirm that an individual or entity trying to perform an action is actually who or what they claim to be. In dynamic environments such as the Internet of Things (IoT), Internet of Vehicles (IoV), healthcare, and smart cities, security risks can change depending on varying contextual factors (e.g., user attempting to authenticate, location, device type). Thus, authentication methods must adapt to mitigate changing security risks while meeting usability and performance requirements. However, existing adaptive authentication systems provide limited guidance on (a) representing contextual factors, requirements, and authentication methods (b) understanding the influence of contextual factors and authentication methods on the fulfilment of requirements, and (c) selecting effective authentication methods that reduce security risks while maximizing the satisfaction of the requirements. This paper proposes a framework for engineering adaptive authentication systems that dynamically select effective authentication methods to address changes in contextual factors and security risks. The framework leverages a contextual goal model to represent requirements and the influence of contextual factors on security risks and requirement priorities. It uses an extended feature model to represent potential authentication methods and their impacts on mitigating security risks and satisfying requirements. At runtime, when contextual factors change, the framework employs a Fuzzy Causal network encoded using the Z3 SMT solver to analyze the goal and feature models, enabling the selection of effective authentication methods. We demonstrate and evaluate our framework through its application to real-world authentication scenarios in the IoV and the healthcare domains.