At present, many user activities rely upon trusted and secure access to various computing or cyber devices, systems, resources, or services. Authentication is the main defense against illegitimate access. Basic authentication processes using a single factor (e.g., user ID and password) are widely used, but have significant problems. Such systems are relatively easy to breach and, if the single-factor authentication system fails, the user cannot access the system.
Multi-factor authentication (MFA) systems have been developed to help increase secure access. Two-factor authentication systems, for example, check for two different factors at the time of accessing a computer-based online service. However, with the increasing sophistication of technology, these systems do not provide adequate security in many cases. From a security perspective, the critical question for MFA systems is which authentication factors need to be employed under different operating conditions to better address authentication-related security breaches. Existing MFA systems generally follow static factor selection policies that do not choose the authentication factors based on the present security risks of dynamic operating environments. As a result, the use of the same set of authentication factors in all situations becomes less effective and more predictable, and their vulnerabilities are exposed to hackers.