Tag Archives: 6fa

Testing My Sixth Authentication Factor on One Real and Two Imagined Corporate Office Visits

This is the third post in a series on my proposed sixth factor of authentication.

Perhaps you’ve heard people say there are three factors of authentication, or four factors of authentication, or five factors of authentication.

But what if there are six?

I know what you’re thinking, punk. You’re thinking: did he define 6 factors of authentication, or only 5? (Repurposing Dirty Harry, whose sixth bullet must have 404’ed.)

By unknown – Screenshot from the DVD version of the 1971 film Dirty Harry, extracted from Harry’s infamous “do ya feel lucky” monologue, Fair use, https://en.wikipedia.org/w/index.php?curid=6867681

Introduction: what are factors of authentication, anyway?

Authentication is the process of determining whether a person is truly THE person who is associated with a particular account, such as a computer login or a bank account.

Five authentication factors

There are many ways in which you can authenticate yourself, but (as I previously noted before starting the “6fa” series) all of these methods fall into up to five general categories, or “factors.”

  1. Something you know.
  2. Something you have.
  3. Something you are.
  4. Something you do.
  5. Somewhere you are.

By the way, if you provide a password, a PIN, your mother’s maiden name, and the name of your favorite pet, that is not four authentication factors, but four instances of the same authentication factor (something you know). And this is not a recipe for robust security.

From https://www.nist.gov/news-events/news/2009/04/new-nist-guidelines-organization-wide-password-management

For another example of multiple uses of the same factor, see kao’s post in Life in Hex.

What if there is a sixth authentication factor?

In April 2022, while I was consulting for the identity industry but not employed by it, I proposed a sixth authentication factor.

I’d like to propose a sixth authentication factor.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/

Testing my theory

Two months later, I was employed in the identity industry, and therefore Bredemarket was pivoting away from identity consulting. But I was still musing about identity topics that had nothing to do with my employment, and decided to test my sixth authentication factor theory on a case in which a person, or possibly multiple persons, were boarding buses.

After I laid out the whole story, which involved capturing the times at which a person (or persons) boarded a bus, I wondered if there were really just five authentication factors after all.

Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”

From https://bredemarket.com/2022/07/24/testing-my-sixth-authentication-factor-on-omnitrans-bus-passes/

So I tried to think of a “why” action that couldn’t be classified as “something you do.” But I didn’t think that hard, because I was busy in my day job, and I didn’t really need 6fa in my non-identity consulting work.

Well, that changed. So I’m revisiting the 6fa issue again, and this time I’ve devised a new test in which I visit two buildings over the course of three months. Can the sixth authentication factor truly confirm or deny my identity?

Why am I visiting a corporate office?

For this test, I will examine three instances—one real, two imagined—in which I visited a corporate office associated with a well-known identity verification firm.

No, not THAT firm. By Arne Müseler / http://www.arne-mueseler.com, CC BY-SA 3.0 de, https://commons.wikimedia.org/w/index.php?curid=78985341

As I consider whether I should be authenticated to enter the facility in question, I will use my proposed “why?” factor to measure whether there is a reasonable intent for me to be present, which could determine whether I pass or fail authentication.

Visit number one, April 2023

This visit really happened. One day I presented myself at a corporate office to be authenticated for entry.

If we use my six factors of authentication, should I be allowed in?

Let’s start with the first five factors:

  • Something you know, have, and are. Without disclosing confidential information about the corporate office’s security procedures, I can simply say that I satisfied all three of these factors.
  • Something you do. It is a matter of public record that the corporation that controls this corporate office does not employ active liveness, but instead employs passive liveness. Therefore I can disclose that when visiting this corporate office, I didn’t have to shake my head in one hundred different directions to prove that I was a live person.
  • Somewhere you are. It sounds silly, but let’s ask the question anyway. If I want to physically enter a corporate office, am I at that corporate office? It is possible to detect that my phone is there (something you have), but does that necessarily mean that I am there (something you are)? To simplify things, let’s assert that I passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

Now let’s apply the sixth factor, why/intent/reasonableness. Was there a reason why I was standing outside the office door?

In this case, there was a reason why I was there. I was a member of the Marketing Department, and the entire Marketing Department was gathering for a week-long meeting at the corporate office. So my presence there was legitimate.

Authentication: PASSED.

Visit number two, June 2023

This visit never happened except in my imagination. But would would have occurred if I had presented myself at the corporate office this month?

Let’s start by going through the five authentication factors again.

  • Something you know, have, and are. Without disclosing confidential information, I can simply say that in this instance I would have failed at least one of the three authentication factors. Obviously not the “something you are” factor, since I was still the same person that I was two months previously, but I would have failed at least one of the other two.
  • Something you do. Again, no liveness testing, so “something you do” would not apply.
  • Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

So I’ve already failed one or two of the five authetication factors, but would I fail the sixth?

Yes, because there was no valid reason for me to enter the corporate office.

Why not?

Because by June 2023 I was no longer an employee, and therefore had no intent or reason to visit the corporate office. I didn’t work there, after all.

(And incidentally, this is why I would have failed one or two of the other authentication factors. Because I was no longer an employee, I no longer knew something and/or had something I needed to enter the office.)

Authentication: FAILED.

Visit number three, June 2023

This visit never happened either, except in my imagionation. Let’s assume all of the facts from visit number two, with one critical exception: I arrived at the corporate office carrying computer equipment.

So how does the authentication process unfold now?

  • Something you know, have, and are. The presence of computer equipment would not have changed these three authentication factors. I still would have passed the “something you are” factor and failed one or both of the other two. (In this instance, computer equipment does not count as “something you have.”)
  • Something you do. Again, no liveness testing, so “something you do” would not apply.
  • Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.

Now let’s turn to the sixth authentication factor. No, I am not a current employee who is usually entitled to visit the corporate office, but my possession of computing equipment introduces a new variable into the why/intent/reasonableness factor.

Why? Because the computer equipment belonged to the company, and in this instance I would have been visiting the corporate office to return the computer equipment to the company.

Authentication: PASSED.

So I guess there IS a sixth authentication factor

And there you have it.

In visits number two and three, all of the standard five authentication factors provided identical results. In both instances:

  • I passed the something you are test.
  • I failed the something you know and/or the something you have test.
  • Something you do was never tested.
  • I passed the somewhere you are test.

But for visit number two authentication failed, while for visit number three authentication passed, solely on the basis of the sixth authentication factor. I had no valid reason to be at the corporate office…except to return the company’s equipment.

So the sixth authentication factor exists in theory, but it will take some work to make it a reality.

By en:User:Cburnett – This W3C-unspecified vector image was created with Inkscape ., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1496812

So now how do I make a ton of money by bringing this sixth authentication factor to market?

As I said over a year ago…

Maybe I should speak to a patent attorney.

From https://bredemarket.com/2022/04/12/the-sixth-factor-of-multi-factor-authentication-you-heard-it-here-first/

Testing my sixth authentication factor on Omnitrans bus passes

I know that Bredemarket has pivoted away from full-time identity work in favor of part-time work with local businesses in Ontario, Eastvale, and other cities, but a recent local activity illustrated a possible identity issue that I’d like to explore here. So allow me this tangent; I’ll get back to my Ontario, California content marketing expert content later.

Identities and bus passes

Remember my trip to Eastvale yesterday? I had to use a bus to get there. And to do this, I bought a day pass.

Omnitrans Day Pass, July 23, 2022.

Now this is not the most robust proof of identity. As I recently noted in my JEBredCal blog (one of my other Google identities), it’s extremely easy for multiple people to use this day pass at different times during the day. Even the 7-day and 31-day passes, which must be signed and may be compared against an identity document, are not necessarily free from fraud.

However, this is not critical to Omnitrans, who would rather put up with a small amount of fraud than inconvenience its riders with multiple identity checks.

Identity proofing is more critical in some situations than it is in others.

From https://jebredcal.wordpress.com/2022/07/24/how-important-is-that-identity/.

Of course, if Omnitrans really wanted to, it could achieve the need for fraud prevention by using relatively frictionless forms of identity proofing. Rather than demaning to see a rider’s papers, Omnitrans could use passive methods to authenticate its riders. I won’t go into all the possible methods and their pros and cons here.

However, I would like to explore one possible identity proofing method to see if it would solve the Omnitrans pass use issue.

Returning to my sixth authentication factor

Can my self-proclaimed sixth factor of authentication provide a solution?

You’ll recall that many identity experts recognize five factors of authentication:

  • Something you know.
  • Something you are.
  • Something you have.
  • Something you do.
  • Somewhere you are.

Well, because I felt like it, I proclaimed a sixth factor of authentication.

  • Why?

I said, because I felt like it!

Whoops, “why?” is the sixth authentication factor. I still haven’t rendered it into the “somexxx you xxx” format yet.

Can Omnitrans use the “why?” factor to test the reasonableness that any particular trip is performed by the person who originally bought the pass?

Possibly.

Applying the “why?” question to bus boarding data

Assume the most challenging scenario, in which Omnitrans knows nothing about the person who purchases a 31-day pass. The person pays in cash and is wearing a face mask and sunglasses throughout the entire transaction. Therefore, the only identity information associated with the pass is the location where the pass was purchased, the date/time it was purchased, and some type of pass identification number. For this example, we’ll assume the pass number is 12345.

From https://community.webroot.com/tech-talk-7/world-password-day-movie-password-tier-list-351118

So Omnitrans really doesn’t know anything of importance about the holder of pass 12345…

…other than how it is used.

I’m making the assumption that Omnitrans logs information about every use of a pass. Since you don’t need to use your pass when you leave the bus, the only information available is when you board the bus.

So let’s look at some fake data.

Date and TimeBusLocation
Monday, July 25, 2022, 6:39 am87Euclid & Holt, Ontario
Monday, July 25, 2022, 6:35 pm87Amazon LGB3, Eastvale
Tuesday, July 26, 2022, 6:39 am87Euclid & Holt, Ontario
Tuesday, July 26, 2022, 6:35 pm87Amazon LGB3, Eastvale
Wednesday, July 27, 2022, 8:42 am87Euclid & Holt, Ontario
Wednesday, July 27, 2022, 6:35 pm87Amazon LGB3, Eastvale
Thursday, July 28, 2022, 6:39 am87Euclid & Holt, Ontario
Thursday, July 28, 2022, 6:35 pm87Amazon LGB3, Eastvale
Thursday, July 28, 2022, 7:20 pm61Plum & Holt, Ontario
Thursday July 28, 2022, 9:52 pm61Ontario Mills, Ontario
Friday, July 29, 2022, 6:39 am87Euclid & Holt, Ontario
Friday, July 29, 2022, 8:35 am87Amazon LGB3, Eastvale
Friday, July 29, 2022, 10:00 am66Vineyard & Foothill, Rancho Cucamonga
Friday, July 29, 2022, 11:26 am14Fontana Metrolink
Friday, July 29, 2022, 11:53 am82Fontana Metrolink
Friday, July 29, 2022, 12:08 pm66Fontana Metrolink
Hypothetical logging of trips on Omnitrans Pass 12345.

Even if you are not familiar with California’s Inland Empire, you can probably classify these trips into the following categories:

  • Trips that are probably legitimate.
  • Trips that may or may not be legitimate.
  • Trips that are probably fraudulent.
  • Trips that are definitely fraudulent.

For the most part, you can’t know with certainty about the legitimacy of most of these trips. Here’s a story that fits the facts.

  • Jack Jones starts his new job at Amazon on Monday, and works Monday and Tuesday with no incident. Jack overslept on Wednesday and was written up. He made sure to arrive at work on time Thursday, and at the end of the day he celebrated with a dinner at a restaurant in the Ontario Mills shopping center. After arriving at work on Friday, Sara Smith picked his pocket and took his pass, fleeing the scene an hour later and making her way to Fontana. She creates several clones of the bus pass and sells them at a discount before fleeing herself. Therefore, all trips beginning on Friday at 8:35 am are fraudulent.

But that might not be the true story. This one also fits the facts.

  • Jack Jones starts his new job at Amazon on Monday, and works Monday and Tuesday with no incident. On Wednesday Jack calls in sick, but lets his housemate Bob Brown (who also works at Amazon) use his pass on Wednesday and Thursday. By Thursday evening, Jack is feeling better, retrieves his pass from his housemate, and goes to Ontario Mills for the evening. On Friday Jack goes to work and is fired. He boards the 87, misses his stop in Ontario, and stays on the bus until he reaches Rancho Cucamonga. Despondent, he decides to visit his friend in Fontana. However, his Fontana friend, Sara Smile, secretly created several clones of Jack’s bus pass and sells them at a discount. Therefore, the Wednesday trips, the Thursday day trips, and all Friday trips beginning at 11:26 am are fraudulent.

Or perhaps some other set of facts fit the data.

  • It’s possible that the pass was stolen before it was ever used and all of the trips are fraudulent.
  • Or perhaps every trip before arriving in Fontana is legitimate, but how can we tell which one (if any) of the three trips from Fontana was undertaken by the true passholder?

But the data that Omnitrans captured provides a way to challenge the pass holder for possibly fraudulent trips.

  • If Omnitrans is really suspicious for some reason, it may choose to challenge every trip that didn’t take place at the “regular” times of 6:39 am or 6:35 pm. “Why are you boarding the 87 bus at this hour of the morning?” “Why are you boarding the 61 bus?”
  • Or Omnitrans may assume that all of the trips are reasonable and don’t necessitate a challenge. Yes, someone can go to work late. Yes, someone can go to Ontario Mills for the evening. Well, all of them are reasonable until Friday at 11:53 am, when a passholder boards a bus at the same location where the same passholder supposedly departed at 11:26 am.

Now even if strict identity checks are used with the “why?” statement, the data alone can’t detect all fraud. If Jack Jones and Bob Brown both work the day shift at Amazon, but on alternate days, how can Omnitrans detect the days when Jack Jones leaves Ontario at 6:39 am, vs. the days when Bob Brown leaves Ontario at 6:39 am?

Again, no identity proofing method is 100% foolproof.

But the “why?” question may detect some forms of fraud.

Or are there really only five factors of authentication after all?

Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”

Anyway, thank you for engaging my tangent. If I can think of a “why?” example that doesn’t involve something you do, I’ll post it here. That will help me in my hopeful (?) quest to become the inventor of the sixth factor of authentication.

What about the businesses in cities where my bus trips took place?

But back to the businesses in Ontario, Eastvale, Rancho Cucamonga, Fontana, and other cities: need some content help? I can create esoteric long-winded content like this, or (what you probably want) more concise, customer-focused content that conveys your important message. My regular work includes case studies, white papers, proposal services, and other types of content. If you need someone to help you create this content:

The sixth factor of multi factor authentication (you heard it here first!)

As many of my readers know, there are a variety of ways for people to individually identify themselves.

The National Institute of Standards and Technology recognizes three of these authentication factors:

Password generator software screen
By Dominik Reichl – http://keepass.info/screenshots.html, GPL, https://commons.wikimedia.org/w/index.php?curid=1635930
  • The most commonly known authentication factor is “something you know.” This includes such items as passwords, personal identification numbers (PINs), and the name of your childhood pet. This authentication factor is very common and very controversial, to the point where some want to eliminate it altogether. (I don’t.)
  • Another authentication factor that I know very well is “something you are.” Biometrics such as fingerprint identification and facial recognition falls into this category, as well as gait recognition, “behavioral biometrics,” and other biometric identifiers.
  • The third authentication factor that NIST recognizes is “something you have.” This could be a driver’s license, a passport, a key fob, a smartphone, or perhaps a digital identity application.
Maryland driver's license of Kirk Noble Bloodsworth.
By State of Maryland – https://www.youtube.com/watch?v=fVVh-wt1FH0, Public Domain, https://commons.wikimedia.org/w/index.php?curid=93876613

But those aren’t the only authentication factors. Two others have been identified, as I have previously noted.

  • “Something you do” differs from both gait recognition and behavioral biometrics, because this is not an inherent property of your being, but is a deliberate set of actions on your part. For example, you could gain access to a nuclear facility by putting your left foot in, putting your left foot out, putting your left foot, in and shaking it all about. Note, however, that this particular “something you do” is as common as the password “12345” and should be avoided.
  • And the fifth factor is “somewhere you are.” For example, if I am buying something at a a store in Virginia, but I am physically in California, something appears to be wrong.
GPS network illustration
By Éric Chassaing – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=8876959

OK, that’s it. End of post. Those are the five authentication factors. There aren’t any more, and there never will be any more. Oh sure, you could come up with a sixth authentication factor, but chances are that it would map into one of the five existing authentication factors.

Or maybe not.

Why?

I’d like to propose a sixth authentication factor.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

Man smoking a cigarette and stacking hats on a fire hydrant
Why is this man smoking a cigarette outdoors? By Marek Slusarczyk, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=108924712

Let me give you an example. Assume for the moment that I am at a McDonald’s in Atlantic City and want to use my brand new credit card to buy some healthy Irish cuisine.

McDonald's food
Not in Atlantic City. By TeaLaiumens – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=37026979

You could, of course, apply the existing authentication factors to this transaction:

  • I physically have the credit card.
  • I know the PIN that is associated with the credit card.
  • My face matches the face of the person who owns the credit card.
  • I am physically at the McDonald’s where the food is for sale, and I physically have a hotel key associated with a nearby hotel, and I physically have a badge associated with a trade show in the city. (The latter two facts are actually a combination of “something you have” and “somewhere you are,” but I threw them here for the fun of it.)
  • If my credit card company has implemented it, I can perform the super secret finger pattern (or hokey pokey dance) associated with this account.

But even if all of these factors are authenticated, or even if some of them are not, does it make sense that I would be purchasing a meal at a McDonald’s in Atlantic City?

  • Did I recently book a flight and fly from my California home to Atlantic City? This could explain “why” I was there.
  • Is it lunchtime? This could explain “why” I was making this transaction.
  • Is my stomach growling? This could indicate that I am hungry, and could explain “why” I was at such a fine food establishment.

Admittedly, employing data warehousing and artificial intelligence to use the “why” factor to authenticate a small fast food purchase is overkill, just like it’s overkill to require three biometric identifiers and a passport to open a physical mailbox.

But perhaps use of such an authentication factor would be appropriate at a critical infrastructure facility such as a nuclear power plant.

nuclear power plant
By Avda – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=26894741

Assume for the moment that I am a double agent, employed the the U.S. Department of Energy but secretly a spy for an enemy country. All of the five authentication factors check out, and I am the person who is authorized to visit a particular nuclear power plant.

But why am I there?

Am I there for some regular U.S. Department of Energy business that is totally above board?

Or am I there for some other unknown reason, such as theft of secrets or even sabotage?

How to implement the “why?” authentication factor

I believe that a “why?” authentication factor could be very powerful, but it would take some effort to implement it.

First, the authentication system would have to access all the relevant data. In the McDonald’s example above, that includes (a) my flight data, (b) the time of day, and (c) my health data (“biometrics” in the broader sense). In the nuclear power plant example, the authentication system would have to know things such as nuclear power plant inspection schedules, trip authorizations from my supervisor, and other data that would indicate a reason for me to be at the plant. That’s a lot of data.

Neural network
By en:User:Cburnett – This W3C-unspecified vector image was created with Inkscape ., CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1496812

Second, the authentication system would have to process all the relevant data to glean knowledge from it. By itself, the data points “United Flight 123 from Ontario to Atlantic City yesterday,” “1:30 pm,” and “haven’t eaten in six hours” do not allow the system to make an authentication decision.

Third, the authentication system would have to collect and protect that mass of data in a way that protects my privacy and the privacy of others. In the United States at present, this is where the whole system would probably fall apart. While a whole bunch of data is collected about us and placed in silos (the TSA-airline silo, for example), putting it all together could be pretty scary to some. Although certain lawyers in Illinois would love the moneymaking opportunities that such a system could provide via Illinois Biometric Information Privacy Act lawsuits.

So a complete implementation of the “why” authentication factor is probably impossible for now, due to both technical and societal constraints.

But is it possible to implement a subset of the “why” authentication factor? For example, since a company presumably has access to employee corporate travel schedules, could the company use the knowledge of an employee’s flight from Chicago to Los Angeles on Sunday to provide the employee with physical access to the firm’s Southern California office on Monday?

Something to think about.

Maybe I should speak to a patent attorney.