Thursday, July 9, 2026 - 09:00 am
online

DISSERTATION DEFENSE

Author :  Jonathan Sharp
Advisors: Dr. Csilla Farkas
Date: July 09, 2026
Time: 09:00 Am
Location:  Virtual
Link:  https://teams.microsoft.com/meet/22071693515848?p=LRAW7BhvdNDjot6moR


Abstract
In this dissertation, we studied how to improve multi-factor authentication using context-aware and adaptive authentication methods. We developed the ContextAware Adaptive Multi-factor Authentication (CAA-MFA) framework to enhance the usability and security of authentication systems in dynamic environments. Traditional multi-factor authentication (MFA) systems often rely on static combinations of factors regardless of contextual risk. This limits their effectiveness against evolving threats such as phishing, social engineering, credential compromise, and MFA
fatigue attacks (1). CAA-MFA addresses these challenges by adjusting authentication requirements based on real-time context, trust, policy constraints, and access risk.
The proposed framework treats authentication as a decision-making problem shaped by dynamic risk and policy compliance. It models user and environmental context semantically, evaluates the trustworthiness of available authentication factors, selects
authentication factors through constraint solving, and quantifies access risk using a Risk Level Assessment (RLA) model. By modeling context through ontologies and enforcing factor-selection constraints formally, CAA-MFA supports structured adaptation and scalable policy enforcement across heterogeneous environments (2). The framework also builds on trust-based reasoning for adaptive authentication by assigning trust scores to authentication factor-source pairs and selecting factors that satisfy constraints related to trustworthiness, privacy, usability, and required security level
(3).
The framework was evaluated using 12,000 labeled login attempts, including
iii
10,000 legitimate login attempts and 2,000 attacker attempts. The evaluation measured authentication performance, computational overhead, runtime cost, and the contribution of SAT-based factor selection and RLA. The strongest configuration,using both SAT-based selection and RLA with an SVM classifier, achieved an Equal Error Rate (EER) of 0.0102, Area Under the Curve (AUC) of 0.9965, and F1-score of 0.9852. These results show that CAA-MFA can distinguish legitimate and adversarial login attempts with strong performance while providing a structured method
for adjusting authentication strength according to contextual risk. The main research questions in this dissertation are as follows:


1. How can we model user and environmental context to support adaptive multi-factor authentication?
 

We proposed a semantic context model that captures relevant features from users, devices, behavior, history, and the surrounding environment. These features include user roles, device attributes, network conditions, location, time, behavioral indicators, and privacy requirements. The model uses ontologies to support structured reasoning about contextual conditions, enabling the authentication system to interpret contextual changes and supply meaningful inputs to downstream trust evaluation and factor selection.


2. How can we dynamically select authentication factors using constraintsolving based on contextual trust?
 

We proposed a formal mechanism for selecting authentication factors using trust evaluation and constraint satisfaction. The framework supports both passive and active authentication factors. Passive factors include device identifiers, location data, application history, and other contextual signals, while active factors include biometric input, typing behavior, user-entered PINs, and other explicit verification methods. Each factor-source pair is assigned a trust score iv reflecting reliability, source integrity, and contextual relevance. The selection of factors is modeled as a constraint satisfaction problem, and a SAT solver is used to enforce policy requirements such as minimum trust thresholds, usability constraints, and privacy constraints. This approach enables dynamic adaptation to changing contexts without relying on static authentication workflows.
 

3. How can we quantify the cost versus benefit of utilizing CAA-MFA over traditional MFA?
 

We evaluated the practical trade-offs introduced by deploying CAA-MFA compared to static MFA systems. The evaluation considers usability, computational overhead, implementation complexity, and security effectiveness. The results show that CAA-MFA introduces additional operational cost through context modeling, SAT-based factor selection, RLA computation, and classifier evaluation. However, these costs are justified in environments where authentication risk varies across users, devices, networks, and resources because the adaptive model provides measurable improvement in authentication performance and policy-aware factor selection.
 

4. How can we quantify access risk and use it to adjust authentication strength in real time?


We developed an access-risk model that incorporates contextual factors, authentication strength, historical user behavior, user clearance, and resource sensitivity. The model generates a continuous Risk Level Assessment (RLA) score that supports real-time adjustment of authentication strength. This score helps determine when to escalate verification requirements in high-risk contexts and when to reduce unnecessary authentication burden in low-risk contexts. The RLA model is integrated with the context-aware factor selection framework and evaluated through the authentication performance and ablation studies.