Dynamic Identity with Behavioral Attestation
- Dynamic Identity with Behavioral Attestation is a regime that continuously verifies identity by correlating declared claims with observed behavioral signals.
- It leverages diverse modalities—such as keystroke dynamics, pedal pressure, and runtime logs—to recalibrate trust and permissions in real time, with performance metrics reaching up to 96.90% accuracy.
- The approach integrates privacy-preserving techniques, including random projections and zero-knowledge proofs, to minimize data exposure while ensuring robust authentication.
Dynamic identity with behavioral attestation denotes an identity regime in which identity is not treated as a static credential but as an adaptive, context-aware, and continually attested relation between an entity’s declared identity and its observed behavior. In the AI-agent literature, AI Identity is defined as “the continuous relationship between what an AI agent is declared to be and what it is observed to do, bounded by the confidence that those two things correspond at any given moment,” while the behavioral-authentication literature frames appropriate behavior as “the right agent performing the right actions at the right time under certain conditions” (Otsuka et al., 25 Apr 2026, Wang et al., 2023). Across intelligent vehicles, desktop and mobile systems, application authentication, confidential computing, zero-trust architectures, and agentic systems, the shared objective is to replace one-time verification with continuous or periodic evidence derived from behavioral, contextual, or execution-state signals (Huang et al., 17 Aug 2025).
1. Conceptual foundations
Dynamic identity departs from binary, point-in-time authentication. In this view, identity is continuously re-evaluated as new evidence arrives, rather than being fixed by an initial login, certificate presentation, or biometric check. One formulation models identity through three layers—declaration, observation, and confidence—so that identity is a correspondence between what an entity claims to be and what it is observed to do, bounded by uncertainty (Otsuka et al., 25 Apr 2026).
Behavioral attestation is the mechanism that supplies this evolving evidence. In human-facing systems it commonly refers to behavioral biometrics such as keystroke timing, touch dynamics, or pedal pressure; in software and infrastructure systems it extends to runtime behaviors, control-flow paths, log semantics, execution context, and policy-constrained state (Manandhar et al., 2019, Abera et al., 2016). The underlying claim is not merely that a credential was once valid, but that present behavior remains consistent with the enrolled subject, application, workload, or agent.
A broader taxonomy distinguishes three levels of behavioral authentication: behavioral Identity, behavioral Conformity, and behavioral Benignity. Identity asks who is acting; Conformity asks whether the action is compliant even if the actor is legitimate; Benignity asks whether the action is risk-free even if it is legitimate and compliant. This expands dynamic identity from mere user recognition to the regulation of ongoing behavior within system, policy, and safety constraints (Wang et al., 2023).
Dynamic identity is therefore not synonymous with periodic reauthentication. A plausible implication is that it should be understood as a continuous control problem in which trust, privilege, and containment are updated as behavior changes. That framing appears explicitly in zero-trust and agentic-web proposals, where permissions and runtime controls are recalibrated in real time as behavioral and contextual evidence evolves (Ahmadi, 10 Jan 2025, Huang et al., 17 Aug 2025).
2. Behavioral evidence and signal modalities
The observable substrate of behavioral attestation varies by domain. In intelligent vehicles, one line of work uses raw gas and brake pedal pressure time series collected during everyday driving. The data are multivariate sequences of gas and brake signals, with no handcrafted features required, and are segmented into 20-second non-overlapping windows for classification (Hammann et al., 2020).
For desktop continuous authentication, keystroke dynamics are represented through timing features rather than textual content. Spy Hunter captures hold time, up-down, down-down, and up-up intervals, validates users over blocks of data, and explicitly avoids recording the specific keys pressed. Its two-phase design separates prompted typing from free use, thereby covering both controlled and authentic environments (Manandhar et al., 2019).
On mobile devices, touch dynamics provide another behavioral biometric. Reported features include timestamp, position, button touch, width major, pressure, orientation, and finger ID, followed by engineered dynamics such as speed, acceleration, jerk, path tangent, and angular velocity. These are aggregated statistically over groups of touch events to form segment-level profiles for continuous authentication (Pelto et al., 2023).
Behavioral evidence also extends beyond human input. In application-to-application authentication, runtime behavior is collected from software, OS event logs, network IDS, firewalls, and related sensors, with examples including CPU usage, number of unique connections, audit events, and network patterns. In Android continuous authentication, raw logcat streams are parsed into event templates and dynamic variables, then partitioned into network/device identity, battery-transition timing, and Wi-Fi topology modalities (Christodorescu et al., 2022, Lantzos et al., 20 Jun 2026).
In remote attestation and confidential computing, “behavior” can mean execution traces and runtime-bound configuration. C-FLAT measures the actual control-flow path of an application by hashing control-flow events at runtime, while dstack-capsule binds pod_uid, pod_spec_hash, and workload_id to hardware-signed Quotes on every request. In these cases, behavioral attestation is less about user habits than about proving that the current execution instance, policy state, and runtime path remain within expected bounds (Abera et al., 2016, Yang et al., 2 Jun 2026).
3. Models, protocols, and reported performance
The operational core of dynamic identity systems is a decision procedure that maps behavioral evidence to an identity judgment, risk score, or normality score. Implementations range from deep sequence models and one-class classifiers to fuzzy extractors, outlier detection, hardware-backed attestation, and challenge-response protocols. Representative studies report the following operating points for continuous or behavior-bound identity verification (Hammann et al., 2020, Manandhar et al., 2019, Pelto et al., 2023, Christodorescu et al., 2022, Islam et al., 2023, Lantzos et al., 20 Jun 2026).
| Setting | Mechanism | Reported result |
|---|---|---|
| Driver identification | LSTM-ResNet on gas and brake pedal pressure | 79.49% accuracy on a 10-drivers subset of NUDrive; 96.90% accuracy on a 5-drivers subset of UTDrive |
| Desktop continuous authentication | One-Class SVM on keystroke timing blocks | Error rates below 6%; 1.8–3.0 blocks on average to verification/decision |
| Mobile continuous authentication | NN, XGBoost, and SVC on touch dynamics | Accuracy ranging from 80% to 95% |
| Application-to-application authentication | Fuzzy extractor layer over behavioral runtime features | 0 percent False Accept Rate; average False Rejection Rate 14 percent; about 51 ms to authenticate |
| Privacy-preserving behavioral authentication | Neural network on random-projected profiles | Below 2.0% FRR and below 1.0% FAR |
| Android continuous authentication | Multi-expert BERT log analysis with 5-nearest-neighbor fusion | Sub-1% False Positive Rate (FPR) |
In vehicle identity recognition, the combined LSTM-ResNet removes the standalone softmax and Dropout layers from each component, concatenates extracted LSTM and ResNet features, and passes them through a 1D convolution, BatchNorm, PReLU, Dropout, and final softmax. The reported improvement over standalone models is explicit: the combined network outperforms the ResNet and LSTM models trained solely by 35.9 % and 53.85 % accuracy respectively on the reported subset (Hammann et al., 2020).
Spy Hunter implements a different logic. It trains a One-Class SVM on genuine-user keystroke timing and performs block-wise decisions over sliding windows. Identity verification in each block is checked against a certainty threshold, with the best results reported at 65% accuracy; if a block matches the user model, access continues, and if it fails, the user is prompted to re-authenticate or access is blocked (Manandhar et al., 2019).
The Android log framework uses a shared BERT-base encoder, domain-adapted pre-training on log syntax, and three expert models: an Identity Expert, a Battery Expert, and a Wi-Fi Topology Expert. Their scores are fused after log-space transformation and z-score standardization, with anomaly detection based on the average distance to the 5 nearest normal points. The final normality score sent to the Policy Decision Point is
where the anomaly threshold is set as the 99.9th percentile over normal samples and is reported empirically as (Lantzos et al., 20 Jun 2026).
In application authentication, a fuzzy extractor locks a cryptographic key to an enrolled behavioral feature vector and releases it only when the current behavior is close enough to the enrolled behavior. Genuine points are placed on a polynomial, chaff points are added, and successful reconstruction requires enough matching points to interpolate the polynomial and recover the key. This couples identity to dynamic runtime behavior while leaving server-side credential verification largely unchanged (Christodorescu et al., 2022).
4. Privacy, anonymization, and minimal disclosure
A recurring tension in behavioral attestation is that the same signals that strengthen identity assurance can expose sensitive information. Spy Hunter addresses this by focusing on timing rather than content: it does not record the specific keys pressed and stores only timing intervals, thereby enabling anonymous data to authenticate users and avoiding collection of actual text, passwords, or sensitive input (Manandhar et al., 2019).
A non-cryptographic privacy layer appears in random-projection-based behavioral authentication. Each user applies a secret random projection matrix to the behavioral profile before sending it to the server, so the server trains and verifies only on projected data. Sparse random projection reduces computation for low-compute devices, while the changeability property allows users to refresh their secret projection matrix and re-enroll if the projected profile is compromised (Islam et al., 2023).
A stronger privacy construction is given by zero-knowledge process attestation. ZK-PoP commits to behavioral biometric features with Pedersen commitments, proves range membership with Bulletproofs, and proves overall process consistency with Groth16. The verifier learns only whether sequential work function chains were computed correctly, behavioral feature vectors fall within human population distributions, and content evolution is consistent with incremental human editing, without learning the underlying behavioral data, exact timing, or intermediate content. Reported performance is proof generation in under 30 seconds for a 1-hour writing session, 192-byte proofs verifiable in 8.2 ms, and less than 5% accuracy loss in simulation at practical privacy levels compared to non-private baselines (Condrey, 26 Feb 2026).
Privacy preservation also appears in machine and system identity. In the application-authentication fuzzy-extractor design, the server and vault do not learn the behavior vector and learn only whether key reconstruction succeeds. In decentralized identity discussions, selective disclosure, Verifiable Credentials, Decentralized Identifiers, and minimum-disclosure designs are presented as ways to verify authenticity or uniqueness without exposing the full underlying identity record (Christodorescu et al., 2022, Jain et al., 2023).
This creates a broad pattern: dynamic identity systems increasingly try to separate evidence of compliance from exposure of raw behavior. The privacy-attestation paradox is therefore not incidental but constitutive. Behavioral attestation is most useful when it is continuous and information-rich, yet those same properties intensify privacy risk (Condrey, 26 Feb 2026).
5. Zero-trust, confidential computing, and agentic systems
In zero-trust architectures, behavioral attestation becomes an input to access governance rather than a standalone biometric classifier. One proposal computes a real-time risk score from behavioral anomaly and context, expressed as
or, in a two-factor form,
If the score exceeds a threshold, the system can isolate the identity, restrict access, prompt MFA, or alert SOC teams. Users, devices, and services are dynamically re-evaluated against learned patterns rather than being authenticated once and left unchecked (Ahmadi, 10 Jan 2025).
The agentic-web literature extends this into a richer trust fabric. The proposed architecture combines DIDs, VCs, an Agent Name Service, Dynamic Identity with Behavioral Attestation, Causal Chain Auditing, and Trust-Adaptive Runtime Environments. Agents are assigned a behavioral fingerprint
1 |
BF_i = <decision_patterns, interaction_style, resource_usage, temporal_patterns> |
Trust is updated continuously via
linking behavior, reputation, history, and compliance to runtime containment (Huang et al., 17 Aug 2025).
AgentDID provides a related but more protocol-centric design. It uses W3C-compliant DIDs and VCs for decentralized agent identity, then adds a challenge-response protocol for dynamic execution-state verification. The verifier sends a nonce, the holder returns a signed Verifiable Presentation, and state verification proceeds through a readiness probe and a context consistency check based on signed cryptographic hashes of conversational state. In the reported evaluation, identity authentication is about 6.5s, the readiness probe about 6.5s, the context check less than 1s, latency remains stable at about 13.5s with up to 50 concurrent agent pairs, and throughput scales from 0.07 TPS to 3.25 TPS (Xu et al., 28 Apr 2026).
Confidential-computing systems translate dynamic identity into hardware-backed runtime identity. dstack-capsule separates static platform measurements, frozen in RTMR[3] via a privilege fuse, from dynamic Pod identities embedded in the TDX Quote’s report_data field. The report field is constructed from user_report_data, pod_uid, pod_spec_hash, and workload_id, and hardware signs the Quote on every request. Reported performance includes about 24ms per Pod attestation, pod startup of 6.25s versus CoCo’s 8.85s, and approximately 0.8GB node baseline memory plus about 2MB per idle Pod (Yang et al., 2 Jun 2026).
Related systems show that behavioral attestation can also certify relay eligibility and control-flow execution. AR-ACE replaces on-path validity proofs with compact identity-bound attestations for relay nodes, while C-FLAT computes a cumulative hash over control-flow events,
so that the attestation report binds a specific execution path rather than merely an initial code image (Wang, 9 Mar 2026, Abera et al., 2016).
6. Limitations, controversies, and research directions
A central limitation is that behavioral evidence is rarely absolute. The AI identity literature argues that current infrastructures do not adequately address nondeterministic, boundary-crossing agents, and that no stable behavioral anchor exists for AI agents because identical models and prompts can still yield different outputs. On this account, attestation can certify what code is running or what actions were taken, but cannot certify intent or guarantee semantic alignment with a principal’s goals. The identified gaps include semantic intent verification, recursive delegation accountability, agent identity integrity, governance opacity and enforcement, and operational sustainability; the paper explicitly states that these gaps are structural and that more engineering effort alone will not close them (Otsuka et al., 25 Apr 2026).
Even outside AI agents, behavioral authentication faces data quality, privacy, and scaling constraints. Reported challenges include sensor noise, missing data, data biases, class imbalance, privacy laws, communication cost, scarcity of illicit or edge-case behavior, and the difficulty of integrating models across heterogeneous, distributed environments. The review literature therefore calls for fine-grained behavioral modeling, distributed behavioral authentication, formalization through information-theoretic metrics, and adaptive models that can cope with evolving threats and behavioral drift (Wang et al., 2023).
Control-flow attestation illustrates a different limitation profile. C-FLAT detects runtime control-flow hijacking and some non-control-data attacks that induce path changes, but the number of possible valid measurements grows rapidly for large programs with loops and complex branching, and pure data-flow attacks that do not produce observable control-flow deviation remain out of scope. This suggests that “behavioral attestation” is not a single technique but a family of partial observability mechanisms whose coverage depends on what behaviors are made measurable (Abera et al., 2016).
A further controversy concerns centralization. One line of argument holds that the most resilient digital identity systems create an identity that evolves over time and is connected to a network of similarly evolving identities that verify one another, while warning that centralized identity authentication systems may themselves threaten the democratic processes they are intended to defend (Jain et al., 2023). The dispute is not over whether identity should be dynamic, but over who may observe, score, and govern the behaviors that sustain it.
Formal verification work indicates that dynamic trust transfer itself is now an object of rigorous reasoning. Cerisier develops a program logic for modular reasoning about trusted, untrusted, and attested code, explicitly tracking how trust evolves after successful attestation. This suggests that future work is likely to combine behavioral telemetry, cryptographic attestation, policy enforcement, and formal reasoning about trust evolution rather than treating them as separate layers (Rousseau et al., 15 Apr 2026).