🤖 AI Summary
Non-IID data in decentralized Risk-Based Authentication (RBA) induces model bias, poor generalization, and privacy leakage. Method: We propose the first federated learning framework for RBA that jointly ensures fairness and mitigates cold-start issues. It introduces an IID vectorization technique based on similarity transformations, integrates clustering-assisted risk labeling with differential privacy, employs message authentication codes and game-based security proofs formally verified in the random oracle model, and supports privacy-preserving aggregation and personalized risk modeling over multimodal behavioral features. Contribution/Results: This work establishes the first mathematically provable fairness guarantee for federated aggregation in RBA; significantly enhances model robustness and detection accuracy for high-risk users; and effectively resists model inversion and membership inference attacks under stringent privacy constraints.
📝 Abstract
Balancing robust security with strong privacy guarantees is critical for Risk-Based Adaptive Authentication (RBA), particularly in decentralized settings. Federated Learning (FL) offers a promising solution by enabling collaborative risk assessment without centralizing user data. However, existing FL approaches struggle with Non-Independent and Identically Distributed (Non-IID) user features, resulting in biased, unstable, and poorly generalized global models. This paper introduces FL-RBA2, a novel Federated Learning framework for Risk-Based Adaptive Authentication that addresses Non-IID challenges through a mathematically grounded similarity transformation. By converting heterogeneous user features (including behavioral, biometric, contextual, interaction-based, and knowledge-based modalities) into IID similarity vectors, FL-RBA2 supports unbiased aggregation and personalized risk modeling across distributed clients. The framework mitigates cold-start limitations via clustering-based risk labeling, incorporates Differential Privacy (DP) to safeguard sensitive information, and employs Message Authentication Codes (MACs) to ensure model integrity and authenticity. Federated updates are securely aggregated into a global model, achieving strong balance between user privacy, scalability, and adaptive authentication robustness. Rigorous game-based security proofs in the Random Oracle Model formally establish privacy, correctness, and adaptive security guarantees. Extensive experiments on keystroke, mouse, and contextual datasets validate FL-RBA2's effectiveness in high-risk user detection and its resilience to model inversion and inference attacks, even under strong DP constraints.
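To make the abstract's pipeline concrete, the following Python sketch (an added illustration, not code from the paper or its authors) runs one federated round with the ingredients named above: raw client features are mapped to similarity vectors against shared reference prototypes, cold-start risk labels come from nearest-centroid clustering, each client's model update is L2-clipped and noised with the Laplace mechanism, the update is authenticated with HMAC-SHA256 together with a round counter, and the server verifies tags, drops replays, and averages what survives. The specific choices (cosine similarity, nearest-centroid labeling, Laplace noise, HMAC over a JSON body, plain averaging) and the sample features are assumptions made here; the page does not give the paper's actual transformation, clustering method, DP mechanism or MAC construction.

```python
"""Toy sketch of the FL-RBA2 ingredients named in the abstract. Every concrete
mechanism is an assumption for illustration only and is not from the paper:
cosine similarity to shared prototypes ("similarity vector"), nearest-centroid
labels (cold start), L2 clipping + Laplace noise (DP), HMAC-SHA256 with a
round counter (MAC), and plain averaging at the server."""
import hashlib
import hmac
import json
import math
import random


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


def similarity_vector(raw, references):
    """Replace a client's raw (heterogeneous) feature vector by its similarities
    to shared reference prototypes: every client emits a bounded vector of the
    same shape, whatever its own feature distribution looks like."""
    return [cosine(raw, ref) for ref in references]


def cluster_risk_label(sim_vec, centroids):
    """Nearest-centroid label, 0 = lowest risk ... len(centroids)-1 = highest.
    Stands in for clustering-based labeling when a user has no history yet."""
    dists = [math.dist(sim_vec, c) for c in centroids]
    return dists.index(min(dists))


def local_update(samples, weights):
    """One gradient step of a linear risk scorer (score = w . s) over the
    client's (similarity vector, label) pairs; only this update leaves the client."""
    grad = [0.0] * len(weights)
    for s, label in samples:
        err = label - sum(w * x for w, x in zip(weights, s))
        for i, x in enumerate(s):
            grad[i] += err * x / len(samples)
    return grad


def clip_l2(vec, bound):
    """Bound the L2 norm so the Laplace sensitivity below is well defined."""
    norm = math.sqrt(sum(v * v for v in vec))
    return vec if norm <= bound else [v * bound / norm for v in vec]


def laplace_noise(vec, epsilon, sensitivity, rng):
    """Laplace mechanism via inverse CDF: each coordinate + Lap(sensitivity/eps)."""
    scale = sensitivity / epsilon
    out = []
    for v in vec:
        u = rng.random() - 0.5
        while abs(u) >= 0.5:            # avoid log(0) at the boundary
            u = rng.random() - 0.5
        out.append(v - scale * math.copysign(1.0, u) * math.log(1 - 2 * abs(u)))
    return out


def mac_message(key, client_id, round_no, update):
    """Client side: authenticate the (client, round, update) triple. The round
    counter lets the server reject replays of an old but validly tagged update."""
    body = json.dumps({"client": client_id, "round": round_no, "update": update},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_and_aggregate(key, messages, expected_round):
    """Server side: drop messages whose tag fails or whose round is stale, then
    average the surviving updates. Returns (global_update, n_accepted)."""
    accepted = []
    for m in messages:
        want = hmac.new(key, m["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, m["tag"]):
            continue                     # forged or tampered update
        body = json.loads(m["body"])
        if body["round"] != expected_round:
            continue                     # replayed / stale update
        accepted.append(body["update"])
    if not accepted:
        return None, 0
    dim = len(accepted[0])
    avg = [sum(u[i] for u in accepted) / len(accepted) for i in range(dim)]
    return avg, len(accepted)


def run_round(key=b"constructed-demo-key", epsilon=1.0, seed=7):
    """Constructed demo: three clients with 3-dim raw features (say scaled
    keystroke dwell, mouse speed, hour of day), two shared prototypes, three
    risk centroids, one DP-noised and MAC-protected federated round."""
    rng = random.Random(seed)
    references = [[1.0, 0.0, 0.0], [0.0, 1.0, 1.0]]
    centroids = [[1.0, 0.0], [0.5, 0.5], [0.0, 1.0]]   # low, medium, high risk
    weights = [0.0, 0.0]
    messages = []
    for cid in range(3):
        # each client draws from a different scale: deliberately non-IID raw data
        raws = [[rng.random() * (cid + 1), rng.random(), rng.random()] for _ in range(5)]
        samples = []
        for raw in raws:
            s = similarity_vector(raw, references)
            samples.append((s, cluster_risk_label(s, centroids) / (len(centroids) - 1)))
        upd = laplace_noise(clip_l2(local_update(samples, weights), 1.0), epsilon, 1.0, rng)
        messages.append(mac_message(key, f"client{cid}", 1, upd))
    return verify_and_aggregate(key, messages, expected_round=1)


if __name__ == "__main__":
    print(run_round())
```

The point of the sketch is the order of operations a defender cares about: clipping happens before noise so the DP guarantee has a defined sensitivity, the MAC covers the round counter so a replayed update fails verification rather than silently re-entering the average, and the server never sees raw features, only similarity-space updates.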