Authentication approach using one-time challenge generation based on user behavior patterns captured in transactional data sets

Knowledge-based authentication methods have become increasingly popular, where they started as simple passwords, before evolving into static questions for fallback authentication and graphical password-based systems. Question-based authentication methods are typically based on static or slowly changing data sources, thereby making them vulnerable to eavesdropping, wiretapping, and other types of attacks. Thus, an alternative approach is needed to create an authentication challenge that could compete with other authentication factors: hardware tokens and biometrics. In this study, we propose a new authentication approach that exploits the user behavior patterns captured in non-public data sources to create unique, one-time challenges. We propose: (i) a model that is capable of representing user behavior patterns in a wide range of user activities captured from various data sources and (ii) a method for creating unique one-time challenges based on the model. We tested the model and the method based on multiple non-public data sources such as bank transactions, phone logs, computer usage data, and e-mail correspondence. We also demonstrated its efficacy with a live user pool. Security analysis indicated the full resilience of the proposed method against eavesdropping as well as its adaptability in response to guessing attacks by dynamically increasing the complexity of the challenge.