User profiling is critical for risk-adaptive authentication but poses severe privacy risks due to re-identification via quasi-identifiers. To address this, we propose the first privacy-enhancing adaptive authentication protocol integrating oblivious pseudorandom functions (OPRFs), anonymous tokens, and differential privacy. Our method dynamically adjusts authentication strength based on real-time risk assessment while preserving the confidentiality of sensitive behavioral data. We formally prove that the protocol satisfies GDPR and CCPA compliance requirements, providing strong privacy guarantees—including unlinkability—and rigorous security against adversarial re-identification. Empirical evaluation demonstrates that computational and communication overheads remain practical, confirming industrial deployability. This work bridges a fundamental gap in the co-design of privacy and security for risk-adaptive authentication, advancing both theoretical foundations and practical implementation.

User profiling is a critical component of adaptive risk-based authentication, yet it raises significant privacy concerns, particularly when handling sensitive data. Profiling involves collecting and aggregating various user features, potentially creating quasi-identifiers that can reveal identities and compromise privacy. Even anonymized profiling methods remain vulnerable to re-identification attacks through these quasi-identifiers. This paper introduces a novel privacy-enhanced adaptive authentication protocol that leverages Oblivious Pseudorandom Functions (OPRF), anonymous tokens, and Differential Privacy (DP) to provide robust privacy guarantees. Our proposed approach dynamically adjusts authentication requirements based on real-time risk assessments, enhancing security while safeguarding user privacy. By integrating privacy considerations into the core of adaptive risk-based adaptive authentication, this approach addresses a gap often overlooked in traditional models. Advanced cryptographic techniques ensure confidentiality, integrity, and unlinkability of user data, while differential privacy mechanisms minimize the impact of individual data points on overall analysis. Formal security and privacy proofs demonstrate the protocol's resilience against various threats and its ability to provide strong privacy guarantees. Additionally, a comprehensive performance evaluation reveals that the computational and communication overheads are manageable, making the protocol practical for real-world deployment. By adhering to data protection regulations such as GDPR and CCPA, our protocol not only enhances security but also fosters user trust and compliance with legal standards.