An Explainable, Context-Aware Zero-Trust Identity Architecture for Continuous Authentication in Hybrid Device Ecosystems

Dr. Alejandro Moreno

Open Access

An Explainable, Context-Aware Zero-Trust Identity Architecture for Continuous Authentication in Hybrid Device Ecosystems

pdf

Dr. Alejandro Moreno ¹ ,

⁴ University of Barcelona

Abstract

Background: The contemporary landscape of user authentication is evolving rapidly as mobile devices, cloud services, and agentic artificial intelligence converge. Traditional reliance on single-factor credentials and static, perimeter-based security models has proven inadequate for resisting sophisticated attacks and for preserving privacy and usability in ubiquitous computing environments (Jakobsson, 2009; Abowd et al., 2000). Contemporary work emphasizes context-aware authentication, continuous and implicit methods, and zero-trust principles, yet there remains a gap in integrating explainability, device integrity mechanisms, and enterprise device management constructs into a unified identity architecture that supports both human and machine (agentic) actors (Hayashi et al., 2013; Badal Bhushan, 2025).

Methods: This article presents a theoretically grounded design for an explainable zero-trust identity architecture that fuses context-aware continuous authentication techniques, device attestation and integrity (including operating-system level protections such as system integrity mechanisms and disk encryption), enterprise device provisioning and management, and privacy-aware explainable decisioning for authentication and access decisions. The methodology is a conceptual synthesis: we systematically analyze the reference corpus provided, extract design primitives and threat models, and then elaborate an architectural blueprint that maps primitives to operational components, authentication flows, and explanation-generation modules. The work adopts rigorous evaluative criteria (security, privacy, usability, scalability, and explainability) and applies them descriptively to anticipated deployments.

Results: The architecture integrates eight functional components—Context Sensing, Behavioural Profiling, Device Integrity Attestation, FIDO-style Public Key Authentication, Continuous Risk Engine, Explanation Generator, Enterprise Management Bridge, and Audit and Recovery Services—and specifies interfaces, data flows, and trust anchors. The design articulates how device features such as FileVault encryption (Apple, 2023a), System Integrity Protection (Apple, 2023b), and backup/restore considerations (Apple, 2023c) affect attestation and key-protection strategies. It further explains how message interception risks (Shah, Jeong & Doss, 2021) and second-factor device-mirroring threats motivate minimizing SMS usage and favoring device-bound cryptographic authenticator approaches (Shah & Kanhere, 2018).

Conclusion: By systematically combining context awareness, continuous implicit authentication, device attestation, enterprise management, and explainability, the proposed zero-trust identity architecture addresses many contemporary deficiencies in authentication ecosystems. The paper articulates implementation guidance, nuance on privacy trade-offs, counter-arguments, and a research agenda for empirical evaluation and standardization. The architecture aims to be extensible to both human users and machine agents, promoting resilient, transparent, and privacy-respecting authentication in hybrid modern IT environments (Hayashi et al., 2013; Badal Bhushan, 2025).

Keywords

Zero-trust, continuous authentication, context-aware security, device attestation

References

📄 Annabelle, L. (2017). Ethics Defined. Retrieved from https://medium.com/the-ethical-world/ethics-defined-33a1a6cc3064

📄 Apple. (2023a). How does FileVault encryption work on a Mac? Retrieved from https://support.apple.com/guide/mac-help/how-does-filevault-encryption-work-on-a-mac-flvlt001/mac

📄 Apple. (2023b). About System Integrity Protection on your Mac. Retrieved from https://support.apple.com/en-us/HT204899

📄 Apple. (2023c). Back up your Mac with Time Machine. Retrieved from https://support.apple.com/en-us/HT201250

📄 Apple. (2023d). Intro to Apple Business Manager. Retrieved from https://support.apple.com/engb/guide/apple-business-manager/axm6a88f692e/1/web/1

📄 Apple. (2023e). Intro to Apple Configurator. Retrieved from https://support.apple.com/engb/guide/apple-configurator-mac/cadf1802aed/mac

📄 Shah, S. W. A., Jeong, J. J., & Doss, R. (2021). How Hackers Can Use Message Mirroring Apps to See All Your SMS texts—and Bypass 2FA Security. Retrieved from https://theconversation.com/how-hackerscan-use-message-mirroring-apps-to-see-all-your-sms-texts-and-bypass-2fa-security-165817

📄 Shah, S. W., & Kanhere, S. S. (2018). Wi-sign: Device-free second factor user authentication. In Proceedings of the 15th EAI International Conference on Mobile Ubiquitous Systems, Comput., Netw. Services, New York, NY, USA, 2018, pp. 135–144.

📄 Shah, S. W., & Kanhere, S. S. (2018). Wi-access: Second factor user authentication leveraging WiFi signals. In Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), March 2018, pp. 330–335.

📄 Abowd, G. D., Dey, A. K., Brown, P. J., Davies, N., Smith, M., & Steggles, P. (2000). Towards a better understanding of context and context-awareness. In Proceedings of the CHI Workshop What, Who, When, How Context-Awareness, 2000, pp. 304–307.

📄 Hayashi, E., Das, S., Amini, S., Hong, J., & Oakley, I. (2013). CASA: Context-aware scalable authentication. In Proceedings of the 9th Symposium on Usable Privacy and Security (SOUPS), 2013, pp. 1–10.

📄 Buthpitiya, S., Zhang, Y., Dey, A. K., & Griss, M. (2011). n-gram geo-trace modeling. In Proceedings of the 9th International Conference on Pervasive Computing, 2011, pp. 97–114.

📄 Badal Bhushan. (2025). An Explainable Zero Trust Identity Framework for LLMs, AI Agents, and Agentic AI Systems. International Journal of Computer Applications, 187(46), 42–52. DOI=10.5120/ijca2025925777

📄 Jakobsson, M. (2009). Implicit authentication for mobile devices. In Proceedings of the 4th USENIX Workshop on Hot Topics in Security, 2009, pp. 25–27.

📄 Benzekki, K., El Fergougui, A., & ElAlaoui, A. E. B. (2018). A context-aware authentication system for mobile cloud computing. Procedia Computer Science, 127, 379–387.

📄 Kim, S. H., Choi, D., Kim, S. H., Cho, S., & Lim, K. S. (2018). Context-aware multimodal FIDO authenticator for sustainable IT services. Sustainability, 10(5), 1656.

📄 Ashibani, Y., Kauling, D., & Mahmoud, Q. (2019). Design and implementation of a contextual-based continuous authentication framework for smart homes. Applied System Innovation, 2(1), 4.

📄 Olejnik, K., Dacosta, I., Machado, J. S., Huguenin, K., Khan, M. E., & Hubaux, J.-P. (2017). SmarPer: Context-aware and automatic runtime permissions for mobile devices. In Proceedings of the IEEE Symposium on Security and Privacy (SP), May 2017, pp. 1058–1076.

📄 Gupta, P., Wee, T. K., Ramasubbu, N., Lo, D., Gao, D., & Balan, R. K. (2012). HuMan: Creating memorable fingerprints of mobile users. In Proceedings of the IEEE International Conference on Pervasive Computing and Communications Workshops, March 2012, pp. 479–482.

📄 Dandapat, S. K., Pradhan, S., Mitra, B., Choudhury, R. R., & Ganguly, N. (2015). ActivPass: Your daily activity is your password. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (CHI), 2015, pp. 2325–2334.

📄 Niinuma, K., Park, U., & Jain, A. K. (2010). Soft biometric traits for continuous user authentication. IEEE Transactions on Information Forensics and Security, 5(4), 771–780.

📄 Anderson, B., & McGrew, D. (2017). Machine learning for encrypted malware traffic classification: Accounting for noisy labels and non-stationarity. Proceedings of the 23rd ACM SIGKDD.

International Journal of Advanced Artificial Intelligence Research

An Explainable, Context-Aware Zero-Trust Identity Architecture for Continuous Authentication in Hybrid Device Ecosystems

Abstract

Keywords

References

Similar Articles