Towards a Risk-Cost Model for Financial Adaptive Authentication
Pith reviewed 2026-05-08 18:42 UTC · model grok-4.3
The pith
A Risk-Cost Model reframes financial adaptive authentication as a constrained dynamic optimization problem that integrates fraud losses, opportunity costs, tail risks via CVaR, sequential adaptation to adversaries, and embedded privacy and
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that authentication in financial systems can be recast as a constrained dynamic risk-cost optimization problem. The Risk-Cost Model supplies the mathematical foundation by uniting three elements: cost-sensitive risk functions that quantify fraud loss, opportunity cost, and tail risk through Conditional Value-at-Risk; sequential decision-making that adapts to adversarial probing and distributional drift; and quantifiable privacy and regulatory constraints placed inside the optimization objective itself.
What carries the argument
The Risk-Cost Model (RCM), a mathematical framework that combines cost-sensitive risk functions using Conditional Value-at-Risk, sequential decision-making for adversarial and drifting conditions, and direct embedding of privacy and regulatory constraints into one constrained dynamic optimization problem.
If this is right
- Authentication decisions minimize a combined objective that includes expected fraud loss, opportunity cost of false rejection, and Conditional Value-at-Risk of extreme losses.
- The system can update its policy in response to observed adversarial probing without requiring separate detection modules.
- Privacy and regulatory requirements become hard constraints or penalty terms inside the same objective rather than post-decision filters.
- Performance remains stable under shifts in user behavior or attack patterns because the model is formulated to account for distributional drift.
Where Pith is reading between the lines
- Real-time deployment would require efficient solvers for the dynamic program, suggesting a need for approximation algorithms or learned policies that preserve the risk-cost guarantees.
- The same optimization structure could be applied to other domains that trade security costs against user friction, such as access control in healthcare or critical infrastructure.
- Validation would benefit from head-to-head comparisons against production adaptive-authentication systems using historical fraud and transaction datasets to measure net economic improvement.
Load-bearing premise
The three components of cost-sensitive risk, sequential adaptation, and privacy constraints can be merged into one tractable constrained dynamic optimization problem whose solutions are both computable in practice and superior to existing fragmented systems.
What would settle it
An empirical test or simulation against current adaptive-authentication deployments on historical fraud and transaction data: the claim fails if the proposed optimization produces higher combined fraud-plus-opportunity losses, or cannot be solved within the latency budget of real-time authentication, and is supported if it lowers those losses within that budget.
Original abstract
Authentication in financial systems remains a uniquely high-stakes security challenge, where even marginal increases in false acceptance can result in catastrophic monetary loss. Existing deployments of adaptive authentication, which combine biometrics, behavioral signals, and contextual risk scoring, remain conceptually fragmented and often prioritize regulatory compliance over explicit economic and adversarial risk modeling. To address this structural imbalance, in this paper we introduce a formal Risk-Cost Model (RCM) for adaptive authentication in financial systems. The RCM provides a principled mathematical foundation that integrates three essential components: (i) cost-sensitive risk functions that explicitly capture fraud loss, opportunity cost, and tail risk through Conditional Value-at-Risk (CVaR); (ii) sequential decision-making mechanisms that adapt to adversarial probing and distributional drift; and (iii) quantifiable privacy and regulatory constraints embedded directly within the optimization objective. By reframing authentication as a constrained dynamic risk-cost optimization problem, the RCM moves beyond static classification and compliance-driven design toward systems that are economically grounded, tail-risk aware, and resilient under adversarial uncertainty.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a Risk-Cost Model (RCM) for adaptive authentication in financial systems. It claims to introduce a formal mathematical foundation that integrates (i) cost-sensitive risk functions capturing fraud loss, opportunity cost, and tail risk via Conditional Value-at-Risk (CVaR), (ii) sequential decision-making mechanisms that adapt to adversarial probing and distributional drift, and (iii) quantifiable privacy and regulatory constraints embedded in the optimization objective. Authentication is reframed as a constrained dynamic risk-cost optimization problem to move beyond static and compliance-driven designs.
Significance. If the claimed integration were supplied with explicit formulations, algorithms, and evidence of tractability and superiority, the RCM could provide a valuable contribution to financial security by enabling economically grounded, tail-risk-aware authentication systems that handle adversarial uncertainty and regulatory requirements in a unified framework.
major comments (1)
- [Abstract] Abstract and introduction: The central claim that the RCM 'provides a principled mathematical foundation' by integrating the three components into 'a single tractable constrained dynamic risk-cost optimization problem' whose solutions are 'computationally feasible and demonstrably superior' is unsupported. The manuscript supplies only high-level conceptual descriptions of CVaR-based risk functions, sequential adaptation, and embedded constraints, with no concrete risk functions, state-action space, Bellman or Lagrangian formulation, solution method (exact or approximate), runtime bounds, or empirical comparisons.
Simulated Author's Rebuttal
We thank the referee for their thorough and constructive review of our manuscript. We address the major comment point by point below and outline the revisions we will make to strengthen the presentation of our Risk-Cost Model.
- Referee: [Abstract] Abstract and introduction: The central claim that the RCM 'provides a principled mathematical foundation' by integrating the three components into 'a single tractable constrained dynamic risk-cost optimization problem' whose solutions are 'computationally feasible and demonstrably superior' is unsupported. The manuscript supplies only high-level conceptual descriptions of CVaR-based risk functions, sequential adaptation, and embedded constraints, with no concrete risk functions, state-action space, Bellman or Lagrangian formulation, solution method (exact or approximate), runtime bounds, or empirical comparisons.
  Authors: We agree with the referee that the abstract and introduction present the claims at a high level without sufficient concrete details or references to specific formulations. To address this, we will substantially revise the introduction to provide explicit descriptions of the CVaR-based risk function, the state-action space for the sequential decision process, the Bellman and Lagrangian formulations, the approximate solution method, and runtime analysis, and include a new section or subsection with empirical comparisons via simulation to demonstrate superiority. This will ensure the central claims are fully supported.
  Revision: yes
Circularity Check
No derivation chain or equations present; conceptual claims cannot exhibit circular reduction.
The paper introduces the Risk-Cost Model (RCM) as integrating CVaR risk functions, sequential adaptation to probing/drift, and embedded constraints into a single constrained dynamic optimization. The provided text (abstract and description) contains no equations, state-action formulations, Bellman recursions, Lagrangian objectives, solution algorithms, or parameter fits. No self-citations, ansatzes, or renamings of known results appear. Because no load-bearing derivation steps exist to inspect, no circularity of any enumerated kind can be identified; the manuscript's claims remain at the level of unformalized description.
Axiom & Free-Parameter Ledger
Lean theorems connected to this paper
- IndisputableMonolith.Cost (Jcost) / washburn_uniqueness_aczel · tag: unclear
  Relation between the paper passage and the cited Recognition theorem is unclear.
  Paper passage: R(d) = cFA·FAR(d) + cFR·FRR(d) + cCH·CHR(d) + λ·Leakage(d)
- Foundation/* (RS chain has zero adjustable parameters) / reality_from_one_distinction · tag: unclear
  Relation between the paper passage and the cited Recognition theorem is unclear.
  Paper passage: Inputs: cFA, cFR, cCH, privacy weight λ, CVaR level α, robust radius δ
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
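The ledger's risk function R(d) = cFA·FAR(d) + cFR·FRR(d) + cCH·CHR(d) + λ·Leakage(d), together with the CVaR tail term the core claim says the objective must carry, worked through on a constructed sample. This is an added example, not code from the paper: the session data, the cost values, the three-way accept/challenge/reject policy shape, the choice to model Leakage(d) as the fraction of sessions whose signals are retained, the assumption that a challenged fraudster is always caught, and the tail weight kappa are all assumptions made here. What it shows that the prose does not: the expected-risk term alone is dominated by cFA·FAR, while the CVaR term separately penalises a policy that lets one large fraud through even when its average risk looks acceptable.

```python
"""Worked instance of R(d) plus a CVaR tail term for a step-up policy.

Added example, not the paper's code. All constants and the sample are
assumptions; the session data below is constructed, not real.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    score: float      # risk score in [0, 1]; higher means more suspicious
    is_fraud: bool    # ground truth, known only after the fact
    amount: float     # transaction value, realised loss if fraud is accepted


# Constructed sample: 6 genuine and 4 fraudulent sessions.
SESSIONS = [
    Session(0.05, False, 120.0), Session(0.10, False, 40.0),
    Session(0.20, False, 300.0), Session(0.35, False, 75.0),
    Session(0.45, False, 900.0), Session(0.60, False, 60.0),
    Session(0.15, True, 500.0), Session(0.55, True, 2000.0),
    Session(0.75, True, 800.0), Session(0.90, True, 5000.0),
]

# Cost inputs named in the ledger (values are assumptions).
C_FA = 1200.0   # expected loss per fraudulent session accepted outright
C_FR = 15.0     # opportunity cost per genuine session rejected
C_CH = 2.0      # friction cost per step-up challenge issued
LAMBDA = 5.0    # privacy weight on Leakage(d)
ALPHA = 0.8     # CVaR confidence level
KAPPA = 0.5     # weight on the tail term (assumption; not in the ledger)


def decide(session, d):
    """Three-way policy d = (t_lo, t_hi): accept / challenge / reject."""
    t_lo, t_hi = d
    if session.score < t_lo:
        return "accept"
    if session.score < t_hi:
        return "challenge"
    return "reject"


def rates(sessions, d):
    """FAR, FRR, CHR and Leakage for policy d.

    Assumptions: a challenged fraudster is always caught, so FAR counts only
    fraud accepted outright; Leakage is the fraction of sessions whose
    signals are retained, i.e. every challenged or rejected session.
    """
    n = len(sessions)
    n_fraud = sum(s.is_fraud for s in sessions)
    n_genuine = n - n_fraud
    decisions = [(s, decide(s, d)) for s in sessions]
    far = sum(1 for s, a in decisions if s.is_fraud and a == "accept") / n_fraud
    frr = sum(1 for s, a in decisions if not s.is_fraud and a == "reject") / n_genuine
    chr_ = sum(1 for _, a in decisions if a == "challenge") / n
    leakage = sum(1 for _, a in decisions if a != "accept") / n
    return far, frr, chr_, leakage


def expected_risk(sessions, d):
    """R(d) = cFA*FAR(d) + cFR*FRR(d) + cCH*CHR(d) + lambda*Leakage(d)."""
    far, frr, chr_, leakage = rates(sessions, d)
    return C_FA * far + C_FR * frr + C_CH * chr_ + LAMBDA * leakage


def session_loss(session, d):
    """Realised monetary loss of one session under policy d."""
    action = decide(session, d)
    if action == "accept":
        return session.amount if session.is_fraud else 0.0
    if action == "challenge":
        return C_CH                 # friction paid; fraud is caught (assumed)
    return 0.0 if session.is_fraud else C_FR


def cvar(losses, alpha):
    """Empirical CVaR_alpha: mean of the worst ceil((1-alpha)*n) losses."""
    n = len(losses)
    k = max(1, math.ceil((1 - alpha) * n))
    worst = sorted(losses, reverse=True)[:k]
    return sum(worst) / k


def objective(sessions, d):
    """J(d) = R(d) + kappa * CVaR_alpha of the per-session loss."""
    tail = cvar([session_loss(s, d) for s in sessions], ALPHA)
    return expected_risk(sessions, d) + KAPPA * tail


def best_policy(sessions, steps=20):
    """Exhaustive grid search over t_lo < t_hi; returns (d, J(d))."""
    best_d, best_j = None, math.inf
    for i in range(steps + 1):
        for j in range(i + 1, steps + 1):
            d = (i / steps, j / steps)
            val = objective(sessions, d)
            if val < best_j:
                best_d, best_j = d, val
    return best_d, best_j


if __name__ == "__main__":
    hand = (0.25, 0.70)
    print("hand-tuned", hand, rates(SESSIONS, hand), round(objective(SESSIONS, hand), 2))
    print("grid best ", *best_policy(SESSIONS))
```

On the constructed sample the hand-tuned policy (0.25, 0.70) lets the 0.15-scored fraud through, so FAR is 0.25 and R(d) is about 303.8, while the CVaR term adds another 125.5 because one session's loss sits far out in the tail. The grid search lowers the accept threshold to 0.15, drives FAR to zero, and lands on an objective near 6.2 at the price of more challenges and more retained signals (higher CHR and Leakage). In a real deployment the grid over two thresholds would be replaced by the dynamic, adversary-aware solver the paper only sketches; the point here is only that the four ledger terms and the tail term are concrete, computable quantities once the costs are fixed.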