If someone steals your thumbprint, you cannot get a new thumb!

You have set up your email on your mobile and your laptop, and you access it daily from your work and home locations. This morning you flew to a different city, and after finishing the day’s work you bought yourself a laptop. Late at night, back in your hotel room and on the hotel network, you decide to access your email from the new laptop. You enter your credentials (mail ID and password) in a new user-friendly browser that your cousin told you about only last week. Your password is accepted, and your phone receives a prompt asking you to verify that it is indeed you trying to log in from a new device. You confirm the prompt. But now, instead of logging you in, the system throws another challenge: it presents you with all five of the secret questions you answered when you first set up your mailbox. You have a good memory, so you answer them correctly. Voila, you successfully log in to your email account on your new laptop.

For you as a user it was a matter of less than a minute. Let us explain what happened here.

  1. You entered your email ID and your password into the email login screen on your new laptop to get access to your email. Knowing the password is a matter of your knowledge.
  2. The system saw that you were logging in from a new device and a new location. So, to establish your device’s integrity, the system sent you a prompt for an additional authentication factor. You would respond to the prompt either from your mobile or from the older laptop – both devices whose integrity is already established in the system, and both devices that the system knows are in your possession.
  3. Even after the verification in the step above, the system still does not grant you access. It further noticed the following unusual factors: the location, the browser, the time of logging in and the network you are on. So, to verify your identity further, it demands yet another authentication factor: the system made you answer the questions to which only you have the knowledge. Upon getting all the correct answers, the system finally lets you sign in.

“The authentication process involved multiple factors – password, verification prompt and security questions – and is thus called Multi Factor Authentication (MFA). It is a security mechanism that requires multiple factors, independent of each other, for verification of a user’s identity. The factors of authentication are Knowledge, Possession, Inherent, Location and Adaptive Authentication.”

  1. Knowledge – something that we know: password / PIN / security questions and their answers.
  2. Possession – something that we possess: a smartphone capable of receiving OTPs via SMS or email, authorisation apps on the mobile, connected token devices, disconnected token devices, smart cards, access badges, software tokens.
  3. Inherent – something that we biologically are: biometrics such as fingerprint, voice recognition, face recognition, retina scan, iris scan, hand geometry, earlobe geometry.
  4. Location – IP address and geolocation. Certain locations would be on the user’s whitelist. When the user is not in one of those, the system can verify the user’s identity through additional authentication layer(s): security questions, an OTP, a verification prompt, authorisation through a smartphone app, or a biometric scan on the laptop or smartphone. Even without such a whitelist, the system can be location-sensitive enough to pick up a change in location (a change in network or IP address) and therefore call in additional authentication layer(s).
  5. Adaptive Authentication – this method observes the behaviour and context of the login and, based on that, calculates the risk of the login. It is therefore also referred to as risk-based authentication. For example: is the user trying to access IT systems during normal hours or otherwise? Is the device the same as the one used regularly? Is the network connection public or private? From where is the user accessing this information?

So location here is not a standalone factor; it is evaluated in context.
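To make the adaptive step-up concrete, here is an added example (not code from the original article or from any real mail provider) of a small risk-based policy engine: it collects the context signals the article lists (device, location, browser, time, network) and decides which extra factors to demand before access is granted. The profile data, the signal names and the step-up thresholds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class UserProfile:
    trusted_devices: set        # devices whose integrity is already established
    trusted_locations: set      # the user's location whitelist
    usual_browsers: set
    work_hours: tuple = (8, 20)  # 24h-clock range treated as normal (assumed)

@dataclass
class LoginContext:
    device_id: str
    location: str
    browser: str
    hour: int
    network: str                # "private" or "public"

def risk_signals(profile, ctx):
    """Unusual context factors: device, location, browser, time, network."""
    signals = []
    if ctx.device_id not in profile.trusted_devices:
        signals.append("new_device")
    if ctx.location not in profile.trusted_locations:
        signals.append("new_location")
    if ctx.browser not in profile.usual_browsers:
        signals.append("new_browser")
    start, end = profile.work_hours
    if not start <= ctx.hour < end:
        signals.append("odd_hour")
    if ctx.network == "public":
        signals.append("public_network")
    return signals

def required_factors(profile, ctx):
    """Step-up policy (assumed thresholds): password always, possession factor
    on an unknown device, knowledge challenge when 2+ other signals fire."""
    signals = risk_signals(profile, ctx)
    factors = ["password"]
    if "new_device" in signals:
        factors.append("device_prompt")        # possession factor
    if len([s for s in signals if s != "new_device"]) >= 2:
        factors.append("security_questions")   # knowledge factor
    return factors

def complete_login(profile, ctx, verified):
    """Grant access only when every required factor was verified, then trust the device."""
    if not set(required_factors(profile, ctx)) <= set(verified):
        return False
    profile.trusted_devices.add(ctx.device_id)
    return True
```

With the article's hotel scenario (new laptop, new city, new browser, late hour, hotel network) the policy demands password, device prompt and security questions; a login from the old laptop at home during the day needs only the password.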

You might have heard of Dual Factor Authentication (DFA). We use the term DFA when a system relies on only two factors of authentication. When the system relies on more than two factors, it is called Multi Factor Authentication. DFA is a subset of Multi Factor Authentication.