As password-based authentication fails to provide adequate security for online activities such as financial transactions, additional authentication factors are required. Such factors should provide both ease of use and an adequate level of privacy protection, while being easy to implement, operate and maintain, even for applications with thousands of users. As an approach meeting these requirements, we outline Scalable and Privacy-Preserving Continuous Authentication (SPCAuth). SPCAuth determines risk levels for actions that should be authenticated, without requiring explicit user interactions. It analyzes different aspects of user behavior by means of machine learning methods, while preserving the privacy of the affected individuals. SPCAuth trains only a single model per aspect of user behavior being considered, based on observations of all users, ensuring scalability and increasing accuracy for users with infrequent activities. In two experiments, we have confirmed that this key concept enables a scalable and accurate user authentication.