By combining multiple factors during authentication, a service can provide better assurance of security. However, the users are likely to feel inconvenient, or even discard the service. This paper, therefore, addresses this issue and introduces a novel method, referred to as the Quantified riSk and Benefit adaptive Authentication Factors combination (QSBAF). QSBAF balances the requirements for both security and usability in the authentication of an information system and improves the system's ability to respond quickly to emerging risky events. In QSBAF, the authentication factors can be dynamically combined on the basis of quantified risk, benefit measurements, and combination policies. Furthermore, QSBAF provides an adaptive mechanism, which is driven by history data to justify the measurements of risk and benefit. In this paper, we use the online banking system as a typical scenario to demonstrate the usage of QSBAF. We also implement a prototype of QSBAF to evaluate the performance of its feasibility in real application scenarios. Copyright © 2013 John Wiley & Sons, Ltd.