On Intent

I’ve been playing with the idea of intent (what I call “somewhat you why”) as a factor of identity verification and authentication. And although most people aren’t willing to go that far, intent analysis is becoming more important.

Biometric Update’s Chris Burt quoted RealSense Chief Marketing Officer Mike Nielsen on the company’s ID Pro. In this case, intent detection is used in a non-biometric fashion.

“We now have the ability to detect a person — not just a face — on the module. Meaning, we can classify body parts (legs, arms, hands, feet) and estimate pose in real time, without any additional external software. This includes which direction they are walking, how far away they are, and how quickly they are moving. This opens up an enormous opportunity for next-gen applications where you need to know the intent of a person beyond identifying their identity. And you still get the ability to authenticate faces on the same platform.”

This is definitely NOT identity verification or authentication, but is certainly useful.

If it is accurate, that is. A system that misreads intent can make a disastrous decision in either direction, whether it flags an innocent person as a threat or waves a real one through.

Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, that is the access-control meaning of “lattice”: security levels (and, in fuller versions, compartments) form a partial order, and that ordering lets a policy express more elaborate access rights than a simple hierarchy can. It is worth saying plainly that this is not the lattice in FIPS 204. ML-DSA is built on module lattices, which are mathematical objects (discrete sets of points in a vector space), and its security rests on the hardness of lattice problems such as Module-LWE and Module-SIS, not on access rights. The two senses share only the word.
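The access-control sense of “lattice” in the NordVPN definition can be made concrete. The following is an added example, not code from the original post, from NordVPN, or from anything in FIPS 204. It goes a little beyond the quoted definition: a label is a level plus a set of compartments, so two labels can be incomparable, and every pair has a least upper bound (join) and greatest lower bound (meet), which is what makes the ordering a lattice rather than a plain ladder of levels. The level names, compartments and the two Bell-LaPadula style read/write rules are assumptions for illustration.

```python
"""Access-control lattice, in the sense of the NordVPN definition above.

Added example, not code from the original post, from NordVPN, or from FIPS 204:
a security label is a clearance level plus a set of compartments. Labels are
partially ordered by "dominates"; some pairs are incomparable, and every pair
has a least upper bound (join) and greatest lower bound (meet), which is what
makes the ordering a lattice rather than a simple hierarchy.
The level names and compartments below are assumed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Assumed ordering of levels, least restrictive first.
LEVEL_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}
LEVEL_NAMES = sorted(LEVEL_RANK, key=LEVEL_RANK.get)


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in LEVEL_RANK:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """self >= other: at least as high a level and a superset of compartments."""
        return (LEVEL_RANK[self.level] >= LEVEL_RANK[other.level]
                and other.compartments <= self.compartments)


def comparable(a: Label, b: Label) -> bool:
    """False for labels that are neither above nor below one another."""
    return a.dominates(b) or b.dominates(a)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both a and b.
    This is the label a document combining a-data and b-data must carry."""
    level = LEVEL_NAMES[max(LEVEL_RANK[a.level], LEVEL_RANK[b.level])]
    return Label(level, a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both a and b."""
    level = LEVEL_NAMES[min(LEVEL_RANK[a.level], LEVEL_RANK[b.level])]
    return Label(level, a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object must dominate the subject,
    so a SECRET-cleared process cannot copy data into a PUBLIC file."""
    return obj.dominates(subject)


if __name__ == "__main__":
    crypto_analyst = Label("SECRET", frozenset({"crypto"}))
    nuclear_analyst = Label("SECRET", frozenset({"nuclear"}))
    crypto_memo = Label("CONFIDENTIAL", frozenset({"crypto"}))
    public_page = Label("PUBLIC")

    print(can_read(crypto_analyst, crypto_memo))        # True: SECRET/{crypto} dominates
    print(can_read(nuclear_analyst, crypto_memo))       # False: wrong compartment despite SECRET
    print(comparable(crypto_analyst, nuclear_analyst))  # False: same level, disjoint compartments
    print(join(crypto_analyst, nuclear_analyst))        # SECRET/{crypto, nuclear}
    print(can_write(crypto_analyst, public_page))       # False: no write down
```

The point to notice is the incomparable pair: two SECRET-cleared people with different compartments can each read things the other cannot, which a one-dimensional “level” model cannot express, and the join is the label anything derived from both of their material must inherit.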

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, ‘if-this-then-that’ systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with AI agents by just slapping an API key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.

The Eagles, Geolocation, and Somewhat You (I Can’t Tell You) Why

If you’re not familiar with the complete history of the Eagles, you may not know that they began as practitioners of country rock. Their early songs were therefore softer than the ones from the Joe Walsh years.

One of those songs (actually later, but earlier in feel) was “Lyin’ Eyes.”

And it contains a lyrical oddity.

Glenn Frey and Don Henley could tell stories with the best country songwriters. And this was no exception, with a tale of a woman seeking solace outside of her marriage. Her life gets more scattered, until the singer turns judge and announces, “My, oh my, you sure know how to arrange things.”

But before that, when the singer is merely telling the story, the woman needs to seek solace.

(Image generated with Google Gemini.)

So the singer says what the woman is doing:

“She is headed toward the cheatin’ side of town”

Now this is a lyrical fiction.

To my knowledge, no town in California or anywhere else enforces residential zoning regulations that segregate cheaters from non-cheaters. When “the boy” in the song rented his apartment (in Buena Park?), he didn’t need to indicate his receptiveness to desperate housewives. (Different decade, I know.)

(Image generated with Google Gemini.)

So if the cheatin’ side of town is not a geolocation, is it perhaps tied to another factor of authentication?

Such as the sixth factor—somewhat you why?

After all, you could use non-identity biometrics such as respiration to discover the intent of a woman, whether she is driving

  • to comfort an old friend who’s feeling down, or
  • to rush into a man’s arms as they fall together.

Cheaterland is a state of mind. My, oh my.

(Image generated with Google Gemini.)

And if I may interject an author’s note, I am VERY impressed with Google Gemini (Nano Banana 2) for knowing what a “Thomas Brothers Map” is. Except that I had to change my story setting from North Hollywood to Buena Park to match the images.

“Life in the Fast Lane,” of course, would need a Los Angeles County map.

Access and “Somewhat You Why”

In case you missed it, I’ve been pushing a sixth factor of authentication called “Somewhat You Why.”

“As I refined my thinking, I came to the conclusion that ‘why’ is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as ‘something you do’).”

And now Identity Jedi Harvey Lee is also asking the “why” question, but specifically in terms of access control.

“[B]ecause we couldn’t determine why someone needed access, we built systems that tried to guess the answer for us….

“Roles were never about ‘least privilege.’ Roles were our attempt to predict intent at scale. And like most predictions, especially in complex systems, they were right until they weren’t….

“Instead of front-loading permissions for every possible future scenario, we authorize the current scenario. Identity might still be the new perimeter — but intent is the new access key.”

Read “Intent Is the New Access Key.”

For example, if a dehydrated man wants to unlock a water tank, I have a pretty good idea of his intent.

(Image generated with Google Gemini.)

Continuous Authentication HAS To Be Multi-Factor

If you authenticate a person once at the beginning of a session and never again, you have a huge security hole: everything that happens afterward is credited to whoever logged in, regardless of who is actually acting.

For example, you may authenticate an adult delivery person and then find a kid illegally making your delivery. 31,000 Brazilians already know how to do this.

(Image: LukaszKatlewa, own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=49248622.)

That’s why more secure firms practice continuous authentication for high-risk transactions.

But continuous authentication can be intrusive.

How would you feel if you had to press your finger on a fingerprint reader every six seconds?

(Image generated with Grok.)

Enough of that and you’ll start using the middle finger to authenticate.

Even face authentication is intrusive, if it’s 3 am and you don’t feel like being on camera.

Now I’ve already said that Amazon doesn’t want to over-authenticate everything.

(Image generated with Grok.)

But Amazon does want to authenticate the critical transactions. As Identity Week reports:

“Amazon treats authentication as a continuous process, not a one-time event. It starts with verifying who a user is at login, but risk is assessed throughout the entire session, watching for unusual behaviours or signals to ensure ongoing confidence in the user’s identity.”

That’s right: Amazon uses “somewhat you why” as an authentication factor.

I say they’re smart.
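The approach Identity Week describes, risk assessed on every request with a fresh factor demanded only when the risk warrants it, can be sketched in code. What follows is an added example, not Amazon’s implementation or any vendor’s code: each request in a session is scored against the device and location seen since login, plus the sensitivity and value of the action; ordinary requests pass silently (no fingerprint every six seconds), a risky one forces a step-up, and a very risky one is refused. The weights, thresholds, coordinates and the sample shopping session are all assumed or constructed for illustration.

```python
"""Risk-based continuous authentication over a session.

Added example, not Amazon's system or any vendor's code. Every request in a
session is scored against what has been observed since login; low-risk
requests pass silently, and only a risky request triggers a step-up
(a fresh factor) or an outright denial. Weights, thresholds, the sample
coordinates and the session events are assumed/constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

STEP_UP_AT = 40          # score at/above which a fresh factor is required
DENY_AT = 80             # score at/above which the request is refused
MAX_PLAUSIBLE_KMH = 900  # faster than this between two requests is "impossible travel"
JITTER_KM = 50           # ignore moves smaller than this (GPS / IP geolocation noise)
RECENT_AUTH_S = 300      # credit given for a factor actively presented this recently
SENSITIVE_ACTIONS = {"change_address", "purchase", "add_payment_method"}


@dataclass
class Event:
    t: float        # seconds since login
    lat: float
    lon: float
    device: str     # device fingerprint presented on this request
    action: str     # e.g. "browse", "view_order", "purchase"
    amount: float = 0.0


@dataclass
class Session:
    device: str
    lat: float
    lon: float
    last_t: float = 0.0              # time of the last accepted request
    last_strong_auth_t: float = 0.0  # time a factor was last actively presented (login = 0)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score(session: Session, ev: Event) -> Tuple[int, List[str]]:
    """Risk score for one request, plus the signals that produced it."""
    risk, reasons = 0, []
    if ev.device != session.device:
        risk += 50
        reasons.append("device changed mid-session")
    dist = haversine_km(session.lat, session.lon, ev.lat, ev.lon)
    hours = (ev.t - session.last_t) / 3600.0
    if dist > JITTER_KM:
        if hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH:
            risk += 40
            reasons.append(f"impossible travel: {dist:.0f} km in {ev.t - session.last_t:.0f}s")
        else:
            risk += 15
            reasons.append(f"location moved {dist:.0f} km")
    if ev.action in SENSITIVE_ACTIONS:
        risk += 15
        reasons.append(f"sensitive action {ev.action}")
    if ev.amount > 500:
        risk += 20
        reasons.append(f"high value {ev.amount:.2f}")
    if ev.t - session.last_strong_auth_t < RECENT_AUTH_S:
        risk -= 20   # a factor was just presented; do not nag again immediately
    return max(risk, 0), reasons


def step(session: Session, ev: Event, reauth_ok: bool = False) -> str:
    """Decide one request ("allow", "step_up", "deny") and update the session.

    reauth_ok says whether the user would pass a step-up challenge on this
    request (a real system issues the challenge and checks its result).
    """
    risk, _ = score(session, ev)
    if risk >= DENY_AT:
        return "deny"           # baseline untouched: learn nothing from a likely attacker
    if risk >= STEP_UP_AT:
        if not reauth_ok:
            return "step_up"    # request held until a fresh factor arrives
        # Fresh factor presented: adopt the new device as the baseline.
        session.device = ev.device
        session.last_strong_auth_t = ev.t
    session.lat, session.lon, session.last_t = ev.lat, ev.lon, ev.t
    return "allow"


def replay(session: Session, events: List[Event], reauth_ok_at=()) -> List[str]:
    """Run a whole session; reauth_ok_at lists event indexes where a challenge would succeed."""
    ok = set(reauth_ok_at)
    return [step(session, ev, i in ok) for i, ev in enumerate(events)]


SEATTLE = (47.6062, -122.3321)
LONDON = (51.5074, -0.1278)

# Constructed session: a shopper logs in from Seattle on device d1.
SAMPLE_EVENTS = [
    Event(60, *SEATTLE, "d1", "browse"),
    Event(600, *SEATTLE, "d1", "view_order"),
    Event(900, *SEATTLE, "d1", "purchase", 30.0),
    Event(1200, *LONDON, "d1", "browse"),            # ~7,700 km five minutes later
    Event(1300, *LONDON, "d1", "purchase", 2000.0),
    Event(2000, *LONDON, "d2", "purchase", 2000.0),  # new device, high value
]


def fresh_session() -> Session:
    return Session("d1", *SEATTLE)


if __name__ == "__main__":
    for i, (ev, decision) in enumerate(zip(SAMPLE_EVENTS, replay(fresh_session(), SAMPLE_EVENTS, (3,)))):
        print(i, ev.action, ev.device, decision)
```

With the step-up at event 3 passed, the sequence is allow, allow, allow, allow, allow, deny: the impossible-travel request costs one challenge, the high-value purchase right after it rides on that fresh factor, and the purchase from an unseen device is refused outright. Without the step-up, events 3 and 4 both stay held and event 5 is still denied.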

“Somewhat You Why” and Geolocation Stalkerware

Geolocation and “somewhat you why” (my proposed sixth factor of identity verification and authentication) can not only be used to identify and authenticate people.

They can also be used to learn things about people already authenticated, via the objects they might have in their possession.

Stalkerware

404 Media recently wrote an article about “stalkerware” geolocation tools that vendors claim can secretly determine if your partner is cheating on you.

Before you get excited about them, 404 Media reveals that many of these tools are NOT secret.

“Immediately notifies anyone traveling with it.” (From a review)

Three use cases for geolocation tracking

But let’s get back to the tool, and the intent. Because I maintain that intent makes all the difference. Look at these three use cases for geolocation tracking of objects:

  • Tracking an iPhone (held by a person). Many years ago, an iPhone user had to take a long walk from one location to another after dark. This iPhone user asked me to track their whereabouts while on that walk. Both of us consented to the arrangement.
  • Tracking luggage. Recently, passengers have placed AirTags in their luggage before boarding a flight. This lets the passengers know where their luggage is at any given time. But some airlines were not fans of the practice:

“Lufthansa created all sorts of unnecessary confusion after it initially banned AirTags out of concern that they are powered by a lithium battery and could emit radio signals and potentially interfere with aircraft navigation.

“The FAA put an end to those baseless concerns saying, “Luggage tracking devices powered by lithium metal cells that have 0.3 grams or less of lithium can be used on checked baggage”. The Apple AirTag battery is a third of that size and poses no risk to aircraft operation.”

  • Tracking an automobile. And then there’s the third case, raised by the 404 Media article. 404 Media found countless TikTok advertisements for geolocation trackers with pitches such as “men with cheating wives, you might wanna get one of these.” As mentioned above, the trackers claim to be undetectable, which reinforces the fact that the person whose car is being tracked did NOT consent.

From consent to stalkerware, and the privacy implications

Geolocation technologies are used in every instance. But in the first case it’s perfectly acceptable, because everyone involved consented; it’s less acceptable in the other two, where a party affected by the tracking (the airline in one case, the tracked partner in the other) never agreed to it.

Banning geolocation tracking technology would be heavy-handed since it would prevent legitimate, consent-based uses of the technology.

So how do we set up the business and technical solutions that ensure that any tracking is authorized by all parties?

Does your firm offer a solution that promotes privacy? Do you need Bredemarket’s help to tell prospects about your solution? Contact me.

How Many Authentication Factor Types Are There?

(Image generated with Imagen 4.)

An authentication factor is a category of evidence used to prove who you are. Each factor is a distinct category, and two methods from the same category count as one factor, not two.

For example, authenticating with fingerprint biometrics and authenticating with facial image biometrics are both the same factor type, because they both involve “something you are.”

But how many factors are there?

Three factors of authentication

There are some people who argue that there are only really three authentication factors:

  • Something you know, such as a password, or a personal identification number (PIN), or your mother’s maiden name.
  • Something you have, such as a driver’s license, passport, or hardware or software token.
  • Something you are, such as the aforementioned fingerprint and facial image, plus others such as iris, voice, vein, DNA, and behavioral biometrics such as gait.

Five factors of authentication, not three

I argue that there are more than three.

  • Something you do, such as super-secret swiping patterns to unlock a device.
  • Somewhere you are, or geolocation.

For some of us, these are the five standard authentication factors. And they can also function for identity verification.

Six factors of authentication, not five

But I’ve postulated that there is one more.

  • Somewhat you why, or a measure of intent and reasonableness.

For example, take a person with a particular password, ID card, biometric, action, and geolocation (the five factors). Sometimes this person may deserve access, sometimes they may not.

  • The person may deserve access if they are an employee and arrive at the location during working hours.
  • That same person may deserve access if they were fired and are returning a company computer. (But wouldn’t their ID card and biometric access have already been revoked if they were fired? Sometimes…sometimes not.)
  • That same person may NOT deserve access if they were fired and they’re heading straight for their former boss’ personal HR file.
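The three scenarios above, Harvey Lee’s “authorize the current scenario,” and the earlier complaint about slapping an API key on an AI agent can all be expressed as one small policy. The following is an added example, not code from this post, from Harvey Lee’s article, or from any product. It assumes the conventional factors have already been checked and adds a declared purpose to the request: an active employee doing their job on site during working hours is allowed by a standing rule, every other scenario (a fired employee returning a laptop, an agent reconciling invoices) needs a grant scoped to one subject, one purpose, listed resources and a time window, and a request whose purpose does not fit the resource is refused no matter who makes it. Every name, resource, working-hour window and grant is hypothetical.

```python
"""Authorizing the current scenario: conventional factors plus a declared purpose.

Added example, not code from the original post, from Harvey Lee's article, or
from any product. A request carries whether the conventional factors verified,
the requester's status, the resource, the time and place, and a declared
purpose. No role pre-grants everything a person (or an AI agent) might ever
need; access is allowed only when the purpose fits the resource and the
standing scenario, or when a purpose-scoped, time-boxed grant covers exactly
this request. Names, resources, working hours and grants are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Iterable, Tuple

WORK_HOURS = (time(7, 0), time(19, 0))   # assumed

# Which declared purposes each resource exists to serve (assumed).
PURPOSES_FOR = {
    "door:lobby": {"work", "return_equipment"},
    "door:office": {"work"},
    "hr:file:boss": {"hr_case_work"},          # HR working an open case, not curiosity
    "erp:invoices": {"reconcile_invoices"},    # what an invoice agent is actually for
}


@dataclass(frozen=True)
class Request:
    subject: str
    status: str          # "active", "terminated", or "agent" (a non-human identity)
    purpose: str         # what the requester says they are here to do
    resource: str
    at: datetime
    on_site: bool        # outcome of the geolocation ("somewhere you are") check
    authenticated: bool  # the conventional factors (five for a person, workload
                         # identity for an agent) all verified on this request


@dataclass(frozen=True)
class Grant:
    """One scenario's authorization: subject, purpose, listed resources, a time window.
    The same shape replaces a standing API key for an AI agent."""
    subject: str
    purpose: str
    resources: FrozenSet[str]
    not_before: datetime
    not_after: datetime

    def covers(self, req: Request) -> bool:
        return (req.subject == self.subject and req.purpose == self.purpose
                and req.resource in self.resources
                and self.not_before <= req.at <= self.not_after)


def decide(req: Request, grants: Iterable[Grant] = ()) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). Anything not explicitly allowed is denied."""
    if not req.authenticated:
        return "deny", "authentication incomplete"
    # The declared purpose must be one the resource exists to serve, whoever asks.
    if req.purpose not in PURPOSES_FOR.get(req.resource, set()):
        return "deny", f"purpose {req.purpose!r} does not fit {req.resource!r}"
    # Standing scenario: an active employee doing their job, on site, in working hours.
    if (req.status == "active" and req.purpose == "work" and req.on_site
            and WORK_HOURS[0] <= req.at.time() <= WORK_HOURS[1]):
        return "allow", "active employee at work during working hours"
    # Every other scenario needs an explicit grant for this purpose and resource.
    for g in grants:
        if g.covers(req):
            return "allow", f"covered by grant for {g.purpose!r} until {g.not_after:%H:%M}"
    return "deny", "no standing rule or grant authorizes this scenario"


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp on an assumed workday, for the scenarios below."""
    return datetime(2025, 1, 15, hour, minute)


# Constructed grants: HR lets a former employee into the lobby for two hours to
# return a laptop; an invoice-reconciliation agent gets one hour on the ERP.
RETURN_WINDOW = Grant("mallory", "return_equipment", frozenset({"door:lobby"}), at(13), at(15))
AGENT_GRANT = Grant("agent:invoice-bot", "reconcile_invoices", frozenset({"erp:invoices"}), at(9), at(10))


if __name__ == "__main__":
    scenarios = [
        (Request("alice", "active", "work", "door:office", at(10), True, True), []),
        (Request("alice", "active", "work", "door:office", at(3), True, True), []),
        (Request("alice", "active", "work", "hr:file:boss", at(10), True, True), []),
        (Request("mallory", "terminated", "return_equipment", "door:lobby", at(14), True, True), [RETURN_WINDOW]),
        (Request("mallory", "terminated", "return_equipment", "door:office", at(14), True, True), [RETURN_WINDOW]),
        (Request("mallory", "terminated", "hr_case_work", "hr:file:boss", at(14), True, True), [RETURN_WINDOW]),
        (Request("agent:invoice-bot", "agent", "reconcile_invoices", "erp:invoices", at(9, 30), False, True), [AGENT_GRANT]),
        (Request("agent:invoice-bot", "agent", "reconcile_invoices", "erp:invoices", at(11), False, True), [AGENT_GRANT]),
    ]
    for req, grants in scenarios:
        print(f"{req.subject:18} {req.purpose:20} {req.resource:14} -> {decide(req, grants)}")
```

Two things to notice. The fired employee’s old badge rights do not matter here: without a grant they get nothing, and with the return-equipment grant they get the lobby and only the lobby, only during the window. And the same Grant shape is what the invoice agent holds instead of an all-powerful API key; when its hour is up, its next request is denied even though its credentials still verify.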

Or maybe just five factors of authentication

Now not everyone agrees that this sixth factor of authentication is truly a factor. And if “not everyone” means “no one,” then I’m the only person blabbering about it.

So while I keep evangelizing the sixth factor, work with the (partially accepted) notion that there are five.