As some of you know, I’m seeking full-time employment after my former employer let me go in late May. As part of my job search, I was recently invited to a second interview for a company in my industry. Before that interview, I made an important decision about how I was going to present myself.
If you’ve read any of Bredemarket’s content, there are times when it takes a light tone, in which wildebeests roam the earth while engaging in marketing activities such as elaborating the benefits of crossing the stream.
Some of that DOES NOT fly in the corporate world. (For most companies, anyway.) If you analyze a wide selection of corporate blogs, you won’t see the word “nothingburger.” But you do here.
So as I prepared for this important job interview, I made sure that I was ready to discuss the five factors of authentication, and my deep experience as an identity content marketing expert with many of those factors.
The five factors of authentication, of course, are:
For the purposes of this job interview, there isn’t! I confined myself to the five factors only during the discussion, using examples such as passwords, driver’s licenses, faces, actions, and smartphone geolocation information.
But in the end, my caution was of no avail. I DIDN’T make it to the next stage of interviews.
Maybe I SHOULD have mentioned “Somewhat you why” after all.
Depending upon whom you ask, there are either three or five factors of authentication.
Unless you ask me.
I say that there are six.
Let me explain.
First I’ll discuss what factors of authentication are, then I’ll talk about the three factor and five factor school, then I’ll briefly review my thoughts on the sixth factor—now that I know what I’ll call it.
For example, if Warren Buffett has a bank account, and I claim that I am Warren Buffett and am entitled to take money from that bank account, I must complete an authentication process to determine whether I am entitled to Warren Buffett’s money. (Spoiler alert: I’m not.)
An authentication factor is a special category of security credential that is used to verify the identity and authorization of a user attempting to gain access, send communications, or request data from a secured network, system or application….Each authentication factor represents a category of security controls of the same type.
When considering authentication factors, the whole group/category/type definition is important. For example, while a certain system may require both a 12-character password and a 4-digit personal identification number (PIN), these are pretty much the same type of authentication. It’s just that the password is longer than the PIN. From a security perspective, you don’t gain a lot by requiring both a password and a PIN. You would gain more by choosing a type of authentication that is substantially different from passwords and PIN.
How many factors of authentication are there?
So how do we define the factors of authentication? Different people have different definitions.
Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
Note that NIST’s three factors are very different from one another. Knowing something (such as a password or a PIN) differs from having something (such as a driver’s license) or being something (a fingerprint or a face).
But some people believe that there are more than three factors of authentication.
Over the months, I struggled through some examples of the “why” factor.
Why is a person using a credit card at a McDonald’s in Atlantic City? (Link) Or, was the credit card stolen, or was it being used legitimately?
Why is a person boarding a bus? (Link) Or, was the bus pass stolen, or was it being used legitimately?
Why is a person standing outside a corporate office with a laptop and monitor? (Link) Or, is there a legitimate reason for an ex-employee to gain access to the corporate office?
As I refined my thinking, I came to the conclusion that “why” is a reasonable factor of authentication, and that this was separate from the other authentication factors (such as “something you do”).
And the sixth factor of authentication is called…
You’ll recall that I wanted to cast this sixth authentication factor into the “some xxx you xxx” format.
So, as of today, here is the official Bredemarket list of the six factors of authentication:
Something you know.
Something you have.
Something you are.
Something you do.
Somewhere you are.
(Drumroll…)
Somewhat you why.
Yes, the name of this factor stands out from the others like a sore thumb (probably a loop).
However, the performance of this factor stands out from the others. If we can develop algorithms that accurately measure the “why” reasonableness of something as a way to authenticate identity, then our authentication capabilities will become much more powerful.
Perhaps you’ve heard people say there are three factors of authentication, or four factors of authentication, or five factors of authentication.
But what if there are six?
I know what you’re thinking, punk. You’re thinking: did he define 6 factors of authentication, or only 5? (Repurposing Dirty Harry, whose sixth bullet must have 404’ed.)
Introduction: what are factors of authentication, anyway?
Authentication is the process of determining whether a person is truly THE person who is associated with a particular account, such as a computer login or a bank account.
Five authentication factors
There are many ways in which you can authenticate yourself, but (as I previously noted before starting the “6fa” series) all of these methods fall into up to five general categories, or “factors.”
Something you know.
Something you have.
Something you are.
Something you do.
Somewhere you are.
By the way, if you provide a password, a PIN, your mother’s maiden name, and the name of your favorite pet, that is not four authentication factors, but four instances of the same authentication factor (something you know). And this is not a recipe for robust security.
Two months later, I was employed in the identity industry, and therefore Bredemarket was pivoting away from identity consulting. But I was still musing about identity topics that had nothing to do with my employment, and decided to test my sixth authentication factor theory on a case in which a person, or possibly multiple persons, were boarding buses.
After I laid out the whole story, which involved capturing the times at which a person (or persons) boarded a bus, I wondered if there were really just five authentication factors after all.
Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”
So I tried to think of a “why” action that couldn’t be classified as “something you do.” But I didn’t think that hard, because I was busy in my day job, and I didn’t really need 6fa in my non-identity consulting work.
Well, that changed. So I’m revisiting the 6fa issue again, and this time I’ve devised a new test in which I visit two buildings over the course of three months. Can the sixth authentication factor truly confirm or deny my identity?
Why am I visiting a corporate office?
For this test, I will examine three instances—one real, two imagined—in which I visited a corporate office associated with a well-known identity verification firm.
As I consider whether I should be authenticated to enter the facility in question, I will use my proposed “why?” factor to measure whether there is a reasonable intent for me to be present, which could determine whether I pass or fail authentication.
Visit number one, April 2023
This visit really happened. One day I presented myself at a corporate office to be authenticated for entry.
If we use my six factors of authentication, should I be allowed in?
Let’s start with the first five factors:
Something you know, have, and are. Without disclosing confidential information about the corporate office’s security procedures, I can simply say that I satisfied all three of these factors.
Something you do. It is a matter of public record that the corporation that controls this corporate office does not employ active liveness, but instead employs passive liveness. Therefore I can disclose that when visiting this corporate office, I didn’t have to shake my head in one hundred different directions to prove that I was a live person.
Somewhere you are. It sounds silly, but let’s ask the question anyway. If I want to physically enter a corporate office, am I at that corporate office? It is possible to detect that my phone is there (something you have), but does that necessarily mean that I am there (something you are)? To simplify things, let’s assert that I passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.
Now let’s apply the sixth factor, why/intent/reasonableness. Was there a reason why I was standing outside the office door?
In this case, there was a reason why I was there. I was a member of the Marketing Department, and the entire Marketing Department was gathering for a week-long meeting at the corporate office. So my presence there was legitimate.
Authentication: PASSED.
Visit number two, June 2023
This visit never happened except in my imagination. But would would have occurred if I had presented myself at the corporate office this month?
Let’s start by going through the five authentication factors again.
Something you know, have, and are. Without disclosing confidential information, I can simply say that in this instance I would have failed at least one of the three authentication factors. Obviously not the “something you are” factor, since I was still the same person that I was two months previously, but I would have failed at least one of the other two.
Something you do. Again, no liveness testing, so “something you do” would not apply.
Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.
So I’ve already failed one or two of the five authetication factors, but would I fail the sixth?
Yes, because there was no valid reason for me to enter the corporate office.
Why not?
Because by June 2023 I was no longer an employee, and therefore had no intent or reason to visit the corporate office. I didn’t work there, after all.
(And incidentally, this is why I would have failed one or two of the other authentication factors. Because I was no longer an employee, I no longer knew something and/or had something I needed to enter the office.)
Authentication: FAILED.
Visit number three, June 2023
This visit never happened either, except in my imagionation. Let’s assume all of the facts from visit number two, with one critical exception: I arrived at the corporate office carrying computer equipment.
So how does the authentication process unfold now?
Something you know, have, and are. The presence of computer equipment would not have changed these three authentication factors. I still would have passed the “something you are” factor and failed one or both of the other two. (In this instance, computer equipment does not count as “something you have.”)
Something you do. Again, no liveness testing, so “something you do” would not apply.
Somewhere you are. Let’s assert that I would have again passed the “somewhere you are” test, and that I was truly outside of the corporate office, waiting to get in.
Now let’s turn to the sixth authentication factor. No, I am not a current employee who is usually entitled to visit the corporate office, but my possession of computing equipment introduces a new variable into the why/intent/reasonableness factor.
Why? Because the computer equipment belonged to the company, and in this instance I would have been visiting the corporate office to return the computer equipment to the company.
Authentication: PASSED.
So I guess there IS a sixth authentication factor
And there you have it.
In visits number two and three, all of the standard five authentication factors provided identical results. In both instances:
I passed the something you are test.
I failed the something you know and/or the something you have test.
Something you do was never tested.
I passed the somewhere you are test.
But for visit number two authentication failed, while for visit number three authentication passed, solely on the basis of the sixth authentication factor. I had no valid reason to be at the corporate office…except to return the company’s equipment.
So the sixth authentication factor exists in theory, but it will take some work to make it a reality.
Now this is not the most robust proof of identity. As I recently noted in my JEBredCal blog (one of my other Google identities), it’s extremely easy for multiple people to use this day pass at different times during the day. Even the 7-day and 31-day passes, which must be signed and may be compared against an identity document, are not necessarily free from fraud.
However, this is not critical to Omnitrans, who would rather put up with a small amount of fraud than inconvenience its riders with multiple identity checks.
Identity proofing is more critical in some situations than it is in others.
Of course, if Omnitrans really wanted to, it could achieve the need for fraud prevention by using relatively frictionless forms of identity proofing. Rather than demaning to see a rider’s papers, Omnitrans could use passive methods to authenticate its riders. I won’t go into all the possible methods and their pros and cons here.
However, I would like to explore one possible identity proofing method to see if it would solve the Omnitrans pass use issue.
You’ll recall that many identity experts recognize five factors of authentication:
Something you know.
Something you are.
Something you have.
Something you do.
Somewhere you are.
Well, because I felt like it, I proclaimed a sixth factor of authentication.
Why?
I said, because I felt like it!
Whoops, “why?” is the sixth authentication factor. I still haven’t rendered it into the “somexxx you xxx” format yet.
Can Omnitrans use the “why?” factor to test the reasonableness that any particular trip is performed by the person who originally bought the pass?
Possibly.
Applying the “why?” question to bus boarding data
Assume the most challenging scenario, in which Omnitrans knows nothing about the person who purchases a 31-day pass. The person pays in cash and is wearing a face mask and sunglasses throughout the entire transaction. Therefore, the only identity information associated with the pass is the location where the pass was purchased, the date/time it was purchased, and some type of pass identification number. For this example, we’ll assume the pass number is 12345.
So Omnitrans really doesn’t know anything of importance about the holder of pass 12345…
…other than how it is used.
I’m making the assumption that Omnitrans logs information about every use of a pass. Since you don’t need to use your pass when you leave the bus, the only information available is when you board the bus.
So let’s look at some fake data.
Date and Time
Bus
Location
Monday, July 25, 2022, 6:39 am
87
Euclid & Holt, Ontario
Monday, July 25, 2022, 6:35 pm
87
Amazon LGB3, Eastvale
Tuesday, July 26, 2022, 6:39 am
87
Euclid & Holt, Ontario
Tuesday, July 26, 2022, 6:35 pm
87
Amazon LGB3, Eastvale
Wednesday, July 27, 2022, 8:42 am
87
Euclid & Holt, Ontario
Wednesday, July 27, 2022, 6:35 pm
87
Amazon LGB3, Eastvale
Thursday, July 28, 2022, 6:39 am
87
Euclid & Holt, Ontario
Thursday, July 28, 2022, 6:35 pm
87
Amazon LGB3, Eastvale
Thursday, July 28, 2022, 7:20 pm
61
Plum & Holt, Ontario
Thursday July 28, 2022, 9:52 pm
61
Ontario Mills, Ontario
Friday, July 29, 2022, 6:39 am
87
Euclid & Holt, Ontario
Friday, July 29, 2022, 8:35 am
87
Amazon LGB3, Eastvale
Friday, July 29, 2022, 10:00 am
66
Vineyard & Foothill, Rancho Cucamonga
Friday, July 29, 2022, 11:26 am
14
Fontana Metrolink
Friday, July 29, 2022, 11:53 am
82
Fontana Metrolink
Friday, July 29, 2022, 12:08 pm
66
Fontana Metrolink
Hypothetical logging of trips on Omnitrans Pass 12345.
Even if you are not familiar with California’s Inland Empire, you can probably classify these trips into the following categories:
Trips that are probably legitimate.
Trips that may or may not be legitimate.
Trips that are probably fraudulent.
Trips that are definitely fraudulent.
For the most part, you can’t know with certainty about the legitimacy of most of these trips. Here’s a story that fits the facts.
Jack Jones starts his new job at Amazon on Monday, and works Monday and Tuesday with no incident. Jack overslept on Wednesday and was written up. He made sure to arrive at work on time Thursday, and at the end of the day he celebrated with a dinner at a restaurant in the Ontario Mills shopping center. After arriving at work on Friday, Sara Smith picked his pocket and took his pass, fleeing the scene an hour later and making her way to Fontana. She creates several clones of the bus pass and sells them at a discount before fleeing herself. Therefore, all trips beginning on Friday at 8:35 am are fraudulent.
But that might not be the true story. This one also fits the facts.
Jack Jones starts his new job at Amazon on Monday, and works Monday and Tuesday with no incident. On Wednesday Jack calls in sick, but lets his housemate Bob Brown (who also works at Amazon) use his pass on Wednesday and Thursday. By Thursday evening, Jack is feeling better, retrieves his pass from his housemate, and goes to Ontario Mills for the evening. On Friday Jack goes to work and is fired. He boards the 87, misses his stop in Ontario, and stays on the bus until he reaches Rancho Cucamonga. Despondent, he decides to visit his friend in Fontana. However, his Fontana friend, Sara Smile, secretly created several clones of Jack’s bus pass and sells them at a discount. Therefore, the Wednesday trips, the Thursday day trips, and all Friday trips beginning at 11:26 am are fraudulent.
Or perhaps some other set of facts fit the data.
It’s possible that the pass was stolen before it was ever used and all of the trips are fraudulent.
Or perhaps every trip before arriving in Fontana is legitimate, but how can we tell which one (if any) of the three trips from Fontana was undertaken by the true passholder?
But the data that Omnitrans captured provides a way to challenge the pass holder for possibly fraudulent trips.
If Omnitrans is really suspicious for some reason, it may choose to challenge every trip that didn’t take place at the “regular” times of 6:39 am or 6:35 pm. “Why are you boarding the 87 bus at this hour of the morning?” “Why are you boarding the 61 bus?”
Or Omnitrans may assume that all of the trips are reasonable and don’t necessitate a challenge. Yes, someone can go to work late. Yes, someone can go to Ontario Mills for the evening. Well, all of them are reasonable until Friday at 11:53 am, when a passholder boards a bus at the same location where the same passholder supposedly departed at 11:26 am.
Now even if strict identity checks are used with the “why?” statement, the data alone can’t detect all fraud. If Jack Jones and Bob Brown both work the day shift at Amazon, but on alternate days, how can Omnitrans detect the days when Jack Jones leaves Ontario at 6:39 am, vs. the days when Bob Brown leaves Ontario at 6:39 am?
Again, no identity proofing method is 100% foolproof.
But the “why?” question may detect some forms of fraud.
Or are there really only five factors of authentication after all?
Now I’ll grant that “why?” might not be a sixth factor of authentication at all, but may fall under the existing “something you do” category. This factor is normally reserved for gestures or touches. For example, some facial liveness detection methods require you to move your head up, down, right, or left on command to prove that you are a real person. But you could probably classify boarding a bus as “something you do.”
Anyway, thank you for engaging my tangent. If I can think of a “why?” example that doesn’t involve something you do, I’ll post it here. That will help me in my hopeful (?) quest to become the inventor of the sixth factor of authentication.
What about the businesses in cities where my bus trips took place?
But back to the businesses in Ontario, Eastvale, Rancho Cucamonga, Fontana, and other cities: need some content help? I can create esoteric long-winded content like this, or (what you probably want) more concise, customer-focused content that conveys your important message. My regular work includes case studies, white papers, proposal services, and other types of content. If you need someone to help you create this content:
The most commonly known authentication factor is “something you know.” This includes such items as passwords, personal identification numbers (PINs), and the name of your childhood pet. This authentication factor is very common and very controversial, to the point where some want to eliminate it altogether. (I don’t.)
Another authentication factor that I know very well is “something you are.” Biometrics such as fingerprint identification and facial recognition falls into this category, as well as gait recognition, “behavioral biometrics,” and other biometric identifiers.
The third authentication factor that NIST recognizes is “something you have.” This could be a driver’s license, a passport, a key fob, a smartphone, or perhaps a digital identity application.
But those aren’t the only authentication factors. Two others have been identified, as I have previously noted.
“Something you do” differs from both gait recognition and behavioral biometrics, because this is not an inherent property of your being, but is a deliberate set of actions on your part. For example, you could gain access to a nuclear facility by putting your left foot in, putting your left foot out, putting your left foot, in and shaking it all about. Note, however, that this particular “something you do” is as common as the password “12345” and should be avoided.
And the fifth factor is “somewhere you are.” For example, if I am buying something at a a store in Virginia, but I am physically in California, something appears to be wrong.
OK, that’s it. End of post. Those are the five authentication factors. There aren’t any more, and there never will be any more. Oh sure, you could come up with a sixth authentication factor, but chances are that it would map into one of the five existing authentication factors.
Or maybe not.
Why?
I’d like to propose a sixth authentication factor.
What about the authentication factor “why”?
This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.
Let me give you an example. Assume for the moment that I am at a McDonald’s in Atlantic City and want to use my brand new credit card to buy some healthy Irish cuisine.
You could, of course, apply the existing authentication factors to this transaction:
I physically have the credit card.
I know the PIN that is associated with the credit card.
My face matches the face of the person who owns the credit card.
I am physically at the McDonald’s where the food is for sale, and I physically have a hotel key associated with a nearby hotel, and I physically have a badge associated with a trade show in the city. (The latter two facts are actually a combination of “something you have” and “somewhere you are,” but I threw them here for the fun of it.)
If my credit card company has implemented it, I can perform the super secret finger pattern (or hokey pokey dance) associated with this account.
But even if all of these factors are authenticated, or even if some of them are not, does it make sense that I would be purchasing a meal at a McDonald’s in Atlantic City?
Did I recently book a flight and fly from my California home to Atlantic City? This could explain “why” I was there.
Is it lunchtime? This could explain “why” I was making this transaction.
Is my stomach growling? This could indicate that I am hungry, and could explain “why” I was at such a fine food establishment.
Admittedly, employing data warehousing and artificial intelligence to use the “why” factor to authenticate a small fast food purchase is overkill, just like it’s overkill to require three biometric identifiers and a passport to open a physical mailbox.
But perhaps use of such an authentication factor would be appropriate at a critical infrastructure facility such as a nuclear power plant.
Assume for the moment that I am a double agent, employed the the U.S. Department of Energy but secretly a spy for an enemy country. All of the five authentication factors check out, and I am the person who is authorized to visit a particular nuclear power plant.
But why am I there?
Am I there for some regular U.S. Department of Energy business that is totally above board?
Or am I there for some other unknown reason, such as theft of secrets or even sabotage?
How to implement the “why?” authentication factor
I believe that a “why?” authentication factor could be very powerful, but it would take some effort to implement it.
First, the authentication system would have to access all the relevant data. In the McDonald’s example above, that includes (a) my flight data, (b) the time of day, and (c) my health data (“biometrics” in the broader sense). In the nuclear power plant example, the authentication system would have to know things such as nuclear power plant inspection schedules, trip authorizations from my supervisor, and other data that would indicate a reason for me to be at the plant. That’s a lot of data.
Second, the authentication system would have to process all the relevant data to glean knowledge from it. By itself, the data points “United Flight 123 from Ontario to Atlantic City yesterday,” “1:30 pm,” and “haven’t eaten in six hours” do not allow the system to make an authentication decision.
Third, the authentication system would have to collect and protect that mass of data in a way that protects my privacy and the privacy of others. In the United States at present, this is where the whole system would probably fall apart. While a whole bunch of data is collected about us and placed in silos (the TSA-airline silo, for example), putting it all together could be pretty scary to some. Although certain lawyers in Illinois would love the moneymaking opportunities that such a system could provide via Illinois Biometric Information Privacy Act lawsuits.
So a complete implementation of the “why” authentication factor is probably impossible for now, due to both technical and societal constraints.
But is it possible to implement a subset of the “why” authentication factor? For example, since a company presumably has access to employee corporate travel schedules, could the company use the knowledge of an employee’s flight from Chicago to Los Angeles on Sunday to provide the employee with physical access to the firm’s Southern California office on Monday?
Sometimes our mental horizons are limited, and we fail to notice things just outside of our sphere of vision. And when we ignore these things, we may receive nasty surprises.
The first step in competitive analysis is to identify your competitors. Some companies utterly fail at this by declaring, “We have no competitors.” (Voiceover: “You do.”) But even those companies that successfully identify their competitors do not always identify ALL of them.
By Users Omnibus, Uris on en.wikipedia – Uris took this photograph. Originally from en.wikipedia; description page is (was) here22:21, 31 January 2006 Omnibus 1001×745 (223,243 bytes) (Better crop.)02:40, 6 July 2005 Uris 1912×1920 (773,657 bytes) (en:Kodak color reproduction.)03:28, 4 July 2005 Uris 1912×1920 (671,537 bytes) (The famous yellow en:taxicabs of en:New York City. Photograph taken July 3, 2005. {{PD-user|Uris}}), BSD, https://commons.wikimedia.org/w/index.php?curid=965121
For example, if you owned a taxicab company circa 2008, you might count other taxicab companies and buses as competitors, but you might not include the possibility of a competitor raising over $25 billion to create an infrastructure that allowed people to use their own cars to pick up people who needed rides. Of course, Uber and other companies did just that, while at the same time dodging taxicab industry regulations that mandated purchase of medallions. The rideshare companies weren’t always successful at dodging these regulations, but sometimes they were. As a result, by 2015 the taxicab industry was dying.
This is just one of many examples of competitors that seemingly arise out of nowhere and decimate existing businesses.
One biometric modality for authentication
When considering authentication of individuals, we sometimes fail to, um, identify ALL the ways in which individuals can be identified.
When I entered the biometric industry in the mid-1990s, people were individually identified by something they had (such as a credit card), something they knew (such as a personal identification number or PIN associated with the credit card), and with a rudimentary form of something they were (a signature that matched the signature on the back of the credit card).
My employer and two other companies thought that we had a better solution than the rudimentary signature verification check—fingerprints. All three companies proposed solutions in which welfare benefit recipients would use fingerprints to authenticate themselves as the persons entitled to the welfare benefits. (Another ramification: the fingerprints could also be used to confirm that people weren’t receiving benefits under multiple names.) But in those pre-iPhone days signatures were associated with law enforcement, and benefit recipients feared that the benefit agencies would forward their fingerprints to the cops, and the use of fingerprints by welfare benefits agencies decreased.
But many people still felt that fingerprints could be used to identify individuals, and therefore people began to look at the fingerprint industry and identify competitors in that industry. Around 2000, those competitors included Cogent, Morpho, NEC, Printrak, livescan companies such as Digital Biometrics and Identix, and a few others.
But fingerprints aren’t the only biometric modality, and there were other competitors outside of the fingerprint companies.
Multiple biometric modalities for authentication
By the early 2000s, other biometric modalities matured enough to be used for authentication purposes. Faces were tested for identification of people at Super Bowl XXXV. Irises began to be used for authentication at airports in Amsterdam (and elsewhere) in 2001, although they were cumbersome to capture. Individuals could eventually be identified via their voices.
The solution, as many people recognized, was to use multiple factors of authentication, not just “something you are” (biometrics).
Why multiple factors? Because if you use multiple methods to identify an individual, the ability to fraudulently impersonate an individual decreases rapidly.
Even if someone spoofed your fingerprint or face, it would be much harder for them to spoof your fingerprint/face and your driver’s license, or your fingerprint/face and your driver’s license and your password.
The National Institute of Standards and Technology (NIST) has helpfully defined the term multi-factor authentication, or MFA, for standardized U.S. government use.
Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See authenticator. Source(s): CNSSI 4009-2015 under multifactor authentication from NIST SP 800-53 Rev. 4
Sometimes the government moves more slowly than the industry. This is one of those times.
While NIST only discusses the three factors of something you know, have, and are as factors of authentication, other sources identify two additionalfactors. I personally use a model which includes five authentication factors, in which the other two factors are “something you do” and “somewhere you are.”
Let me illustrate how the fifth authentication factor could have helped me out several years ago.
In mid-2009, roughly fifteen years after joining the biometric industry, I had just become an employee of the new company MorphoTrak, but had not yet shifted from product management to proposals. MorphoTrak still operated as two separate divisions, and an opportunity arose for me to demonstrate a product from the Printrak division to customers of the Morpho division.
Description of Motorola (later MorphoTrak) Metro ID system From Motorola brochure BIO-CRMBRO-1. Retrieved from ersdatasolutions.com.
So I, along with a Metro ID demonstration system, flew to Atlantic City, New Jersey to attend a trade show which would have many attendees from New Jersey, a Morpho customer. Theoretically, local New Jersey agencies could buy Metro ID and submit results from that system to the New Jersey MetaMorpho system.
I had just acquired a new credit card for business purposes, which I would use for the first time at the trade show.
When I first tried to use the card, it was declined.
Look at it from the credit card issuer’s perspective:
Someone had just received a credit card, which had never been used.
The first time that someone tried to use the credit card, it was used thousands of miles from the California location where the customer lived and worked.
Sure the transaction was for a low dollar amount (I think I was at a McDonald’s), but there’s always the danger that if that transaction were approved, the user would next walk a few blocks to a casino and withdraw thousands of dollars.
Because this seems suspicious, we’d better check it out before approving any transactions. Maybe the card was stolen.
So the credit card company had to verify that the use in Atlantic City was legitimate. To do so, they called my house in California.
Which ordinarily would be fine, but I was not at my house in California. I was in Atlantic City.
Eventually, everything worked out, but wouldn’t it be nice if the credit card company realized that not only did
the person using John Bredehoft’s credit card actually have possession of the card, and that
the person using John Bredehoft’s credit card knew the PIN associated with the card, but also that
John Bredehoft was physically in Atlantic City, New Jersey, where the card was being used?
Now you can see how “somewhere you are,” or geolocation, could be used as an identifier. Of course this would be very hard to authenticate in 1994, and wasn’t even a common authenticator in 2009, but clearly in 2022 everyone can figure out where you are.
Enter Incognia, a company that states that is offers an identification solution that uses what they call “zero factor authentication.” Tyler Choi of Biometric Update explains why Incognia’s solution is important:
Incognia points to an increase in revenue and activity across apps in financial services, crypto, social networks, and online gaming, which accentuates the need for fraud prevention.
While I have a problem with the “zero authentication factor” / “0FA” semantics Incognia uses (location IS an authentication factor, at least in my model), I can appreciate what the company does.
Incognia’s award-winning location identity technology is highly resistant to location spoofing and offers superior location precision for accurate fraud detection on mobile with very low false-positive rates. Incognia uses network, location, and device intelligence data to silently recognize trusted users based on their unique behavior patterns….
Incognia’s location technology uses data from not only GPS, but also WiFi, cellular and Bluetooth sensors, which makes it highly effective at detecting location spoofing, unlike fraud detection based on IP and GPS alone.
Incognia asserts that the vast majority of transactions can be authenticated based on location alone. For example, if I perform a transaction when at my house, the chance is high that I am truly the person performing the transaction.
But what if I perform a transaction on the other side of the country, in a location that I have never visited before? Then Incognia uses additional factors of authentication to verify my identity.
For example, I could provide the password or a biometric identifier. The very fact that I possess a phone that was previously associated with me is another indicator that I may be who I say I am.
But we’re not really using geolocation yet
However, geolocation is not commonly used as an authentication factor, something that I subsequently discovered several years after my trip to Atlantic City.
By this time I had acquired another credit card for business purposes, and my credit card provider noticed some strange behavior. Not a single attempt to purchase food across the country at a restaurant in New Jersey, but multiple repeated purchases across the country at a store in Virginia.
The credit card provider got suspicious when the person made repeated small balance purchases at the same store, and froze the account until it could check with me to see if those purchases were legitimate. This time I was home in California and was able to confirm that the purchases were fraudulent.
Of course, the credit card provider could have detected this much more quickly if it knew that I was not in Virginia, but California.
So when you perform competitive analysis on authentication companies, don’t forget about competitors that use geolocation.
For my long-time readers, here’s a quiz. Read the four statements below and take a guess as to which one of these statements best reflects my views.
With recent accuracy improvements, facial identification is the only identification method that you will ever need in the future.
Possession of a driver’s license is sufficient to prove identity.
Fingerprints are the tried and true authentication method; you don’t need anything else.
Passwords are dead.
Readers, this was a trick question. I don’t agree with ANY of these statements. It is possible to subvert facial identification methods. Your twin can steal your driver’s license. Fingerprints can be subverted also. And passwords have their place.
If you’ve read my writings for any length of time, you know that I believe that any single authentication factor is not a reliable method of authenticating someone. Multifactor authentication, in which you use more than one of the five authentication factors, is a much stronger method. It’s possible to spoof any single authentication factor (a gummi fingerprint, a fake driver’s license, etc.), but it’s much harder to spoof multiple factors.
Please note that I am referring to multiple FACTORS, not multiple TYPES OF BIOMETRICS (for example, authenticating finger and face and declaring victory). All biometrics fit within the “something you are” category, and it’s much better to combine this factor with one or more of the other four: something you know, something you have, something you do, and somewhere you are. Or perhaps use two factors other than biometrics. The important thing is that you use multiple factors.
What of the vendor that only offers one type of biometric authentication? Or the vendor that only offers biometric authentication? Or the vendor that only processes secure documents? Or the one with really strong password protection schemes? Well, in my humble opinion these vendors need to partner with other vendors who support other authentication factors, to ensure delivery of a robust solution.
Julie Pattison-Gordon made many of these points in a recent GovTech article, “Cyber Refresher: Understanding Multifactor Authentication.” But she made two additional points that are worth mentioning.
Friction and authentication
The first point that Pattison-Gordon makes is the following:
Agencies may need to consider how their selection of authentication methods creates or avoids friction for employees.
Friction, in which a task becomes hard to perform, is bad.
Some authentication methods have, or can have, more friction than others. For example, some password implementations require use of characters from the Roman, Greek, and Cyrillic alphabets and require you to change your password daily. (I exaggerate only slightly.) Older iris readers required you to put your head directly against the reader, like if you were at an opthamologist’s office. Even today, most fingerprint readers require you to touch your finger against a platen. (There are exceptions.)
But why worry about friction? After all, if someone’s required to perform some type of authentication, they’re going to do it regardless of how hard it is.
Speaking during a panel last month, Delaware Chief Security Officer Solomon Adote said that workers who find MFA processes too cumbersome may adopt unsafe workarounds, such as storing official files on personal devices to let them skip login procedures entirely.
This is worse than an abandoned shopping cart, since it’s the abandonment of an entire security infrastructure. When security is too cumbersome, the result is little or no security at all.
It is possible to improve all authentication methods to reduce friction. Strong yet easy passwords that you don’t have to change all the time. “On the move” capture of all sorts of biometrics, including fingerprints, faces, and irises. The ability to read information on secure documents without sliding them through a card reader (yet incorporating protections against unauthorized reading of the data).
Trust me – frictionless will make people happier and will cause them to use your security methods without objection.
Organizations must also weigh the cyber threats facing each type of authentication, as malicious actors continue evolving their strategies.
No authentication method is foolproof, and every authentication method attracts one or more threats. I’ve mentioned some in passing in this post, such as “gummi fingerprints” in which someone creates a fake fingerprint with the ridge detail from a true fingerprint. Pattison-Gordon mentions another threat, SIM swapping.
There are ways to deal with these two threats. For example, if a gummi fingerprint is literally a piece of non-organic material, there are various methods of liveness detection (tempreature, heartbeat detection, skin features) that can identify the fingerprint as fake.
However, this does not solve the problem, since some day some fraudster will create a fake fingerprint that appears to have human skin, a temperature, a detectable heartbeat, and everything else that a real fingerprint will have.
Security is a constant war between the fraudsters who develop a hack, the cybersecurity folks who develop a block to the hack, and the fraudsters that develop a new hack that avoids the block to the previous hack. No authentication method is foolproof.
This is one of the benefits of multifactor authentication. When this is used, then the fraudster needs to hack something you are AND something you know AND something you have AND something you do AND somewhere you are. MFA hacking is not impossible, but it is much, much more difficult than hacking a single factor.
And you also have to keep up with the latest hacks and continue to research. Don’t quit researching an authentication method just because it seems great now.
Well, until they come to the third paragraph of the article.
The attack is quite elaborate and would require planning, including being able to acquire an infrared (IR) image of the target’s face and building a custom USB device, such as a USB web camera, that will work with Windows Hello. The attack exploits how Windows 10 treats these USB devices and would require the attacker to have gained physical access to the target PC.
Of course, if the target is a really important target such as a world leader, it might be worth it to go to all of that effort to execute the attack.
However, the difficult attack would be much more difficult to execute if the authentication system required multiple biometrics, rather than just one.
And the attack would be even more difficult still if the authentication system employed multiple authentication factors, rather than the single “something you are” factor. If you have to spoof the fingerprint AND the face AND the driver’s license AND the five digit PIN AND the geolocation, and you don’t know in advance WHICH factors will be requested, it’s still possible to gain access, but it’s not easy.
I’ve previously commented on the “passwords are dead” movement, and why I don’t agree that passwords are dead. But I recently realized that the “logic” behind the “passwords are dead” movement could endanger ALL forms of multi-factor authentication.
If I may summarize the argument, the “passwords are dead” movement is based upon the realization that passwords are an imperfect authentication method. People use obvious passwords, people re-use passwords, individuals don’t guard their passwords, and even companies don’t guard the passwords that they store. Because of these flaws, many passwords have been compromised over the years.
From this indisputable fact, the “passwords are dead” advocates have concluded that the best thing to do is to refrain from using passwords entirely, and to use some other authentication method instead (choosing from the five authentication factors).
But wait a minute. Isn’t it possible to spoof biometrics? And when a biometric is compromised, you can’t change your finger or your face like you can with a compromised password. And the Internet tells me that biometrics is racist anyway.
So I guess “biometrics are dead” too, using the “passwords are dead” rationale.
And we obviously can’t use secure documents or other “something you have” modalities either, because “something you have” is “something that can be stolen.” And you can’t vet the secure document with biometrics because we already know that biometrics are spoofable and racist and all that.
So I guess “secure documents are dead” too.
Somewhere you are? Yeah, right. There are entire legitimate industries based upon allowing someone to represent that they are in one place when in fact they are in another place.
So I guess “geolocation is dead” too.
You see where this leads.
NO authentication method is perfect.
But just because an authentication method has imperfections doesn’t mean that it should be banned entirely. If you open the Pandora’s Box of declaring imperfect authentication methods “dead,” there will be NO authentication methods left.
Epimetheus opening Pandora’s Box. By Giulio Bonasone – This file was donated to Wikimedia Commons as part of a project by the Metropolitan Museum of Art. See the Image and Data Resources Open Access Policy, CC0, https://commons.wikimedia.org/w/index.php?curid=60859836
And before talking about multi-factor authentication, remember that it isn’t perfect either. With enough effort, a criminal could spoof multiple factors to make it look like someone with a spoofed face and a spoofed driver’s license is physically present at a spoofed location. Of course it takes more effort to spoof multiple factors of authentication…
“I don’t want to say multi-factor is terrible. All things considered, it is generally better than single-factor and we should strive to use it wherever it makes sense and is possible. However, if someone tells you something is unhackable, they’re either lying to you or dumb.”
And heck, be wild and throw a strong password in as ONE of the factors. Even weak passwords of sufficient length can take a long time to crack, provided they haven’t been compromised elsewhere.
Feel free to share the images and interactive found on this page freely. When doing so, please attribute the authors by providing a link back to this page and Better Buys, so your readers can learn more about this project and the related research.
Luckily, my experience extends beyond biometrics to other authentication methods, most notably secure documents and digital identity. And I’m familiar with multi-factor authentication methods that employ…well, multiple factors of authentication in various ways. Including semi-random presentation of authentication factors; if you don’t know which authentication factors will be requested, it’s that much harder to hack the authentication process.
Do you want to know more? Do you need help in communicating the benefits of YOUR authentication mechanism? Contact me.
I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic. (You’d expect an identity content marketing expert to do that.)
However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.
Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometrics modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.
Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.
I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll update to update this post in the same way I’ve been updating my Bredemarket 2021 goals.
Bredemarket 
