Testing My Sixth Authentication Factor on One Real and Two Imagined Corporate Office Visits

This is the third post in a series on my proposed sixth factor of authentication.

Perhaps you’ve heard people say there are three factors of authentication, or four factors of authentication, or five factors of authentication.

But what if there are six?

I know what you’re thinking, punk. You’re thinking: did he define 6 factors of authentication, or only 5? (Repurposing Dirty Harry, whose sixth bullet must have 404’ed.)

Introduction: what are factors of authentication, anyway?

Authentication is the process of determining whether a person is truly THE person who is associated with a particular account, such as a computer login or a bank account.

Five authentication factors

There are many ways in which you can authenticate yourself, but (as I previously noted before starting the “6fa” series) all of these methods fall into up to five general categories, or “factors.”

1. Something you know.
2. Something you have.
3. Something you are.
4. Something you do.
5. Somewhere you are.

By the way, if you provide a password, a PIN, your mother’s maiden name, and the name of your favorite pet, that is not four authentication factors, but four instances of the same authentication factor (something you know). And this is not a recipe for robust security.

For another example of multiple uses of the same factor, see kao’s post in Life in Hex.

What if there is a sixth authentication factor?

In April 2022, while I was consulting for the identity industry but not employed by it, I proposed a sixth authentication factor.

I’d like to propose a sixth authentication factor.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/

Testing my theory

Two months later, I was employed in the identity industry, and therefore Bredemarket was pivoting away from identity consulting. But I was still musing about identity topics that had nothing to do with my employment, and decided to test my sixth authentication factor theory on a case in which a person, or possibly multiple persons, were boarding buses.

After I laid out the whole story, which involved capturing the times at which a person (or persons) boarded a bus, I wondered if there were really just five authentication factors after all.

Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”

From https://bredemarket.com/2022/07/24/testing-my-sixth-authentication-factor-on-omnitrans-bus-passes/

So I tried to think of a “why” action that couldn’t be classified as “something you do.” But I didn’t think that hard, because I was busy in my day job, and I didn’t really need 6fa in my non-identity consulting work.

Well, that changed. So I’m revisiting the 6fa issue again, and this time I’ve devised a new test in which I visit two buildings over the course of three months. Can the sixth authentication factor truly confirm or deny my identity?

Why am I visiting a corporate office?

For this test, I will examine three instances—one real, two imagined—in which I visited a corporate office associated with a well-known identity verification firm.

As I consider whether I should be authenticated to enter the facility in question, I will use my proposed “why?” factor to measure whether there is a reasonable intent for me to be present, which could determine whether I pass or fail authentication.

Visit number one, April 2023

This visit really happened. One day I presented myself at a corporate office to be authenticated for entry.

If we use my six factors of authentication, should I be allowed in?

Let’s start with the first five factors:

• Something you know, have, and are. Without disclosing confidential information about the corporate office’s security procedures, I can simply say that I satisfied all three of these factors.
• Something you do. It is a matter of public record that the corporation that controls this corporate office does not employ active liveness, but instead employs passive liveness. Therefore I can disclose that when visiting this corporate office, I didn’t have to shake my head in one hundred different directions to prove that I was a live person.
• Somewhere you are. It sounds silly, but let’s ask the question anyway. If I want to physically enter a corporate office, am I at that corporate office? It is possible to detect that my phone is there (something you have), but does that necessarily mean that I am there (something you are)? To simplify things, let’s assert that I passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

Now let’s apply the sixth factor, why/intent/reasonableness. Was there a reason why I was standing outside the office door?

In this case, there was a reason why I was there. I was a member of the Marketing Department, and the entire Marketing Department was gathering for a week-long meeting at the corporate office. So my presence there was legitimate.

Authentication: PASSED.

Visit number two, June 2023

This visit never happened except in my imagination. But would would have occurred if I had presented myself at the corporate office this month?

Let’s start by going through the five authentication factors again.

• Something you know, have, and are. Without disclosing confidential information, I can simply say that in this instance I would have failed at least one of the three authentication factors. Obviously not the “something you are” factor, since I was still the same person that I was two months previously, but I would have failed at least one of the other two.
• Something you do. Again, no liveness testing, so “something you do” would not apply.
• Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

So I’ve already failed one or two of the five authetication factors, but would I fail the sixth?

Yes, because there was no valid reason for me to enter the corporate office.

Why not?

Because by June 2023 I was no longer an employee, and therefore had no intent or reason to visit the corporate office. I didn’t work there, after all.

(And incidentally, this is why I would have failed one or two of the other authentication factors. Because I was no longer an employee, I no longer knew something and/or had something I needed to enter the office.)

Authentication: FAILED.

Visit number three, June 2023

This visit never happened either, except in my imagionation. Let’s assume all of the facts from visit number two, with one critical exception: I arrived at the corporate office carrying computer equipment.

So how does the authentication process unfold now?

• Something you know, have, and are. The presence of computer equipment would not have changed these three authentication factors. I still would have passed the “something you are” factor and failed one or both of the other two. (In this instance, computer equipment does not count as “something you have.”)
• Something you do. Again, no liveness testing, so “something you do” would not apply.
• Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

Now let’s turn to the sixth authentication factor. No, I am not a current employee who is usually entitled to visit the corporate office, but my possession of computing equipment introduces a new variable into the why/intent/reasonableness factor.

Why? Because the computer equipment belonged to the company, and in this instance I would have been visiting the corporate office to return the computer equipment to the company.

Authentication: PASSED.

So I guess there IS a sixth authentication factor

And there you have it.

In visits number two and three, all of the standard five authentication factors provided identical results. In both instances:

• I passed the something you are test.
• I failed the something you know and/or the something you have test.
• Something you do was never tested.
• I passed the somewhere you are test.

But for visit number two authentication failed, while for visit number three authentication passed, solely on the basis of the sixth authentication factor. I had no valid reason to be at the corporate office…except to return the company’s equipment.

So the sixth authentication factor exists in theory, but it will take some work to make it a reality.

So now how do I make a ton of money by bringing this sixth authentication factor to market?

As I said over a year ago…

Maybe I should speak to a patent attorney.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/