Embodiments of the invention include methods for providing policy-driven, adaptive, multi-factor authentication procedures. A pool of potential authentication challenges is defined. Each of the potential authentication challenges is assigned a category and a weighted difficulty level. One or more authentication challenges are selected from the pool of potential authentication challenges using one or more security policies that are based upon the assigned category and the assigned weighted difficulty level, wherein a quantity of authentication challenges is determined using the one or more security policies. One or more historical access patterns are utilized in conjunction with the selected one or more authentication challenges to authenticate a user, wherein the historical access patterns include at least one of an access time or an access location. One or more dummy challenges are used to authenticate the user.