Existing access control mechanisms lack proactive defense capabilities against traditional and advanced privilege escalation attacks, such as session hijacking. To address this, we propose a multi-factor authorization framework grounded in historical authorization records. First, we formally define a multi-factor authorization model orthogonal to multi-factor authentication. Second, we enable proactive defense via fine-grained policy rules and dynamically deployed verification points. Third, we optimize runtime efficiency using Bloom filters and ensure tamper-proof, decentralized authorization decisions through blockchain integration. Evaluated on a smart city platform, our approach demonstrates high security, low latency (average response < 80 ms), and scalability across heterogeneous devices. It achieves a 3.2× improvement in authorization throughput and maintains a false positive rate below 0.03%.

Unauthorized access remains one of the critical security challenges in the realm of cybersecurity. With the increasing sophistication of attack techniques, the threat of unauthorized access is no longer confined to the conventional ones, such as exploiting weak access control policies. Instead, advanced exploitation strategies, such as session hijacking-based attacks, are becoming increasingly prevalent, posing serious security concerns. Session hijacking enables attackers to take over an already established session between legitimate peers in a stealthy manner, thereby gaining unauthorized access to private resources. Unfortunately, traditional access control mechanisms, such as static access control policies, are insufficient to prevent session hijacking or other advanced exploitation techniques. In this work, we propose a new multi-factor authorization (MFAz) scheme that proactively mitigates unauthorized access attempts both conventional and advanced unauthorized access attacks. The proposed scheme employs fine-grained access control rules (ARs) and verification points (VPs) that are systematically generated from historically granted accesses as the first and second authorization factors, respectively. As a proof-of-concept, we implement the scheme using different techniques. We leverage bloom filter to achieve runtime and storage efficiency, and blockchain to make authorization decisions in a temper-proof and decentralized manner. To the best of our knowledge, this is the first formal introduction of a multi-factor authorization scheme, which is orthogonal to the multi-factor authentication (MFA) schemes. The effectiveness of our proposed scheme is experimentally evaluated using a smart-city testbed involving different devices with varying computational capacities. The experimental results reveal high effectiveness of the scheme both in security and performance guarantees.