The sixth factor of multi factor authentication (you heard it here first!)

As many of my readers know, there are a variety of ways for people to individually identify themselves.

The National Institute of Standards and Technology recognizes three of these authentication factors:

  • The most commonly known authentication factor is “something you know.” This includes such items as passwords, personal identification numbers (PINs), and the name of your childhood pet. This authentication factor is very common and very controversial, to the point where some want to eliminate it altogether. (I don’t.)
  • Another authentication factor that I know very well is “something you are.” Biometrics such as fingerprint identification and facial recognition fall into this category, as well as gait recognition, “behavioral biometrics,” and other biometric identifiers.
  • The third authentication factor that NIST recognizes is “something you have.” This could be a driver’s license, a passport, a key fob, a smartphone, or perhaps a digital identity application.

But those aren’t the only authentication factors. Two others have been identified, as I have previously noted.

  • “Something you do” differs from both gait recognition and behavioral biometrics, because this is not an inherent property of your being, but is a deliberate set of actions on your part. For example, you could gain access to a nuclear facility by putting your left foot in, putting your left foot out, putting your left foot in, and shaking it all about. Note, however, that this particular “something you do” is as common as the password “12345” and should be avoided.
  • And the fifth factor is “somewhere you are.” For example, if I am buying something at a store in Virginia, but I am physically in California, something appears to be wrong.

GPS network illustration
By Éric Chassaing – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=8876959

OK, that’s it. End of post. Those are the five authentication factors. There aren’t any more, and there never will be any more. Oh sure, you could come up with a sixth authentication factor, but chances are that it would map into one of the five existing authentication factors.

Or maybe not.

Why?

I’d like to propose a sixth authentication factor.

What about the authentication factor “why”?

This proposed factor, separate from the other factors, applies a test of intent or reasonableness to any identification request.

Man smoking a cigarette and stacking hats on a fire hydrant
Why is this man smoking a cigarette outdoors? By Marek Slusarczyk, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=108924712

Let me give you an example. Assume for the moment that I am at a McDonald’s in Atlantic City and want to use my brand new credit card to buy some healthy Irish cuisine.

McDonald's food
Not in Atlantic City. By TeaLaiumens – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=37026979

You could, of course, apply the existing authentication factors to this transaction:

  • I physically have the credit card.
  • I know the PIN that is associated with the credit card.
  • My face matches the face of the person who owns the credit card.
  • I am physically at the McDonald’s where the food is for sale, and I physically have a hotel key associated with a nearby hotel, and I physically have a badge associated with a trade show in the city. (The latter two facts are actually a combination of “something you have” and “somewhere you are,” but I threw them here for the fun of it.)
  • If my credit card company has implemented it, I can perform the super secret finger pattern (or hokey pokey dance) associated with this account.

But even if all of these factors are authenticated, or even if some of them are not, does it make sense that I would be purchasing a meal at a McDonald’s in Atlantic City?

  • Did I recently book a flight and fly from my California home to Atlantic City? This could explain “why” I was there.
  • Is it lunchtime? This could explain “why” I was making this transaction.
  • Is my stomach growling? This could indicate that I am hungry, and could explain “why” I was at such a fine food establishment.

Admittedly, employing data warehousing and artificial intelligence to use the “why” factor to authenticate a small fast food purchase is overkill, just like it’s overkill to require three biometric identifiers and a passport to open a physical mailbox.

But perhaps use of such an authentication factor would be appropriate at a critical infrastructure facility such as a nuclear power plant.

Assume for the moment that I am a double agent, employed by the U.S. Department of Energy but secretly a spy for an enemy country. All of the five authentication factors check out, and I am the person who is authorized to visit a particular nuclear power plant.

But why am I there?

Am I there for some regular U.S. Department of Energy business that is totally above board?

Or am I there for some other unknown reason, such as theft of secrets or even sabotage?

How to implement the “why?” authentication factor

I believe that a “why?” authentication factor could be very powerful, but it would take some effort to implement it.

First, the authentication system would have to access all the relevant data. In the McDonald’s example above, that includes (a) my flight data, (b) the time of day, and (c) my health data (“biometrics” in the broader sense). In the nuclear power plant example, the authentication system would have to know things such as nuclear power plant inspection schedules, trip authorizations from my supervisor, and other data that would indicate a reason for me to be at the plant. That’s a lot of data.

Neural network
By en:User:Cburnett – This W3C-unspecified vector image was created with Inkscape, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=1496812

Second, the authentication system would have to process all the relevant data to glean knowledge from it. By itself, the data points “United Flight 123 from Ontario to Atlantic City yesterday,” “1:30 pm,” and “haven’t eaten in six hours” do not allow the system to make an authentication decision.

Third, the authentication system would have to collect and protect that mass of data in a way that protects my privacy and the privacy of others. In the United States at present, this is where the whole system would probably fall apart. While a whole bunch of data is collected about us and placed in silos (the TSA-airline silo, for example), putting it all together could be pretty scary to some. Although certain lawyers in Illinois would love the moneymaking opportunities that such a system could provide via Illinois Biometric Information Privacy Act lawsuits.

So a complete implementation of the “why” authentication factor is probably impossible for now, due to both technical and societal constraints.

But is it possible to implement a subset of the “why” authentication factor? For example, since a company presumably has access to employee corporate travel schedules, could the company use the knowledge of an employee’s flight from Chicago to Los Angeles on Sunday to provide the employee with physical access to the firm’s Southern California office on Monday?
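One way the subset described in the last paragraph could be built, as an added example that is not the blog's code (the site map, the record kinds and all sample subjects and dates are assumptions): a request that has already passed the conventional factors is approved only when a record on file explains the visit, and is routed to a person otherwise.

```python
# Added example (not the blog's code): a toy "why" check. An access request that
# already passed the conventional factors is approved only when a record on file
# (travel booking, inspection schedule, trip authorization) explains the visit;
# otherwise a human confirms the purpose. All subjects, sites and records are constructed.
from dataclasses import dataclass
from datetime import datetime

SITE_CITY = {"socal-office": "Los Angeles", "plant-7": "Plant City"}  # assumed site map
MIN_FACTORS = 2  # conventional factors that must pass before "why" is consulted


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    site: str
    when: datetime
    factors_passed: frozenset  # subset of {"know", "have", "are", "do", "where"}


@dataclass(frozen=True)
class Record:
    """One record from one data silo that could explain a visit."""
    kind: str          # "travel", "inspection", "trip_authorization", ...
    subject: str
    city: str          # where the record says the subject should be
    valid_from: datetime
    valid_to: datetime


def corroborating_records(req, records):
    """Records for this subject that cover the site's city at the request time."""
    city = SITE_CITY[req.site]
    return [r for r in records
            if r.subject == req.subject and r.city == city
            and r.valid_from <= req.when <= r.valid_to]


def decide(req, records):
    """Return (decision, reasons) with decision in {'deny', 'approve', 'step_up'}.

    'step_up' is the interesting outcome: everything about the person checks
    out, but nothing on file explains why they are here, so site security or
    the supervisor confirms the purpose instead of the badge reader.
    """
    if len(req.factors_passed) < MIN_FACTORS:
        return "deny", []
    reasons = corroborating_records(req, records)
    if reasons:
        return "approve", [f"{r.kind}:{r.city}" for r in reasons]
    return "step_up", []


# Constructed sample: a Sunday flight to Los Angeles explains a Monday badge
# request at the Southern California office; a plant visit with nothing on
# file does not, even though all five conventional factors passed.
RECORDS = [
    Record("travel", "employee-a", "Los Angeles",
           datetime(2022, 6, 5, 18, 0), datetime(2022, 6, 9, 23, 59)),
    Record("inspection", "inspector-b", "Plant City",
           datetime(2022, 6, 6, 8, 0), datetime(2022, 6, 6, 17, 0)),
]
MONDAY = datetime(2022, 6, 6, 8, 30)
OFFICE_REQUEST = AccessRequest("employee-a", "socal-office", MONDAY, frozenset({"have", "are"}))
WEAK_REQUEST = AccessRequest("employee-a", "socal-office", MONDAY, frozenset({"have"}))
PLANT_REQUEST = AccessRequest("visitor-c", "plant-7", MONDAY,
                              frozenset({"know", "have", "are", "do", "where"}))

if __name__ == "__main__":
    print(decide(OFFICE_REQUEST, RECORDS))  # ('approve', ['travel:Los Angeles'])
    print(decide(WEAK_REQUEST, RECORDS))    # ('deny', [])
    print(decide(PLANT_REQUEST, RECORDS))   # ('step_up', [])
```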

Something to think about.

Maybe I should speak to a patent attorney.

Remember the newer factors of authentication

Sometimes our mental horizons are limited, and we fail to notice things just outside of our sphere of vision. And when we ignore these things, we may receive nasty surprises.

The first step in competitive analysis is to identify your competitors. Some companies utterly fail at this by declaring, “We have no competitors.” (Voiceover: “You do.”) But even those companies that successfully identify their competitors do not always identify ALL of them.

The famous yellow taxicabs of New York City. By Users Omnibus, Uris on en.wikipedia – Uris took this photograph, BSD, https://commons.wikimedia.org/w/index.php?curid=965121

For example, if you owned a taxicab company circa 2008, you might count other taxicab companies and buses as competitors, but you might not include the possibility of a competitor raising over $25 billion to create an infrastructure that allowed people to use their own cars to pick up people who needed rides. Of course, Uber and other companies did just that, while at the same time dodging taxicab industry regulations that mandated purchase of medallions. The rideshare companies weren’t always successful at dodging these regulations, but sometimes they were. As a result, by 2015 the taxicab industry was dying.

This is just one of many examples of competitors that seemingly arise out of nowhere and decimate existing businesses.

One biometric modality for authentication

When considering authentication of individuals, we sometimes fail to, um, identify ALL the ways in which individuals can be identified.

When I entered the biometric industry in the mid-1990s, people were individually identified by something they had (such as a credit card), something they knew (such as a personal identification number or PIN associated with the credit card), and with a rudimentary form of something they were (a signature that matched the signature on the back of the credit card).

My employer and two other companies thought that we had a better solution than the rudimentary signature verification check—fingerprints. All three companies proposed solutions in which welfare benefit recipients would use fingerprints to authenticate themselves as the persons entitled to the welfare benefits. (Another ramification: the fingerprints could also be used to confirm that people weren’t receiving benefits under multiple names.) But in those pre-iPhone days fingerprints were associated with law enforcement, and benefit recipients feared that the benefit agencies would forward their fingerprints to the cops, and the use of fingerprints by welfare benefits agencies decreased.

But many people still felt that fingerprints could be used to identify individuals, and therefore people began to look at the fingerprint industry and identify competitors in that industry. Around 2000, those competitors included Cogent, Morpho, NEC, Printrak, livescan companies such as Digital Biometrics and Identix, and a few others.

But fingerprints aren’t the only biometric modality, and there were other competitors outside of the fingerprint companies.

Multiple biometric modalities for authentication

By the early 2000s, other biometric modalities matured enough to be used for authentication purposes. Faces were tested for identification of people at Super Bowl XXXV. Irises began to be used for authentication at airports in Amsterdam (and elsewhere) in 2001, although they were cumbersome to capture. Individuals could eventually be identified via their voices.

All of these different biometric modalities got people excited. Some people, um, “advanced” the notion that biometrics (something you are) was THE way to identify people, and that passwords were of necessity going to die. Bill Gates predicted the death of the password in 2004, but he wasn’t (and isn’t) the only one to assert this view. Some assert that biometrics are clearly better than passwords. Opponents, however, objected to a reliance on only biometrics because of the ability to spoof biometrics, and because of perceived and actual racial disparities. (See my comments on faulty conclusions, and on the racist methods that people use when they DON’T use computerized facial recognition.)

Multiple factors of authentication

The solution, as many people recognized, was to use multiple factors of authentication, not just “something you are” (biometrics).

Why multiple factors? Because if you use multiple methods to identify an individual, the ability to fraudulently impersonate an individual decreases rapidly.

Even if someone spoofed your fingerprint or face, it would be much harder for them to spoof your fingerprint/face and your driver’s license, or your fingerprint/face and your driver’s license and your password.

The National Institute of Standards and Technology (NIST) has helpfully defined the term multi-factor authentication, or MFA, for standardized U.S. government use.

Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See authenticator.
Source(s):
CNSSI 4009-2015 under multifactor authentication from NIST SP 800-53 Rev. 4

From https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication

But are three factors of authentication enough?

Sometimes the government moves more slowly than the industry. This is one of those times.

While NIST only discusses the three factors of something you know, have, and are as factors of authentication, other sources identify two additional factors. I personally use a model which includes five authentication factors, in which the other two factors are “something you do” and “somewhere you are.”

Let me illustrate how the fifth authentication factor could have helped me out several years ago.

In mid-2009, roughly fifteen years after joining the biometric industry, I had just become an employee of the new company MorphoTrak, but had not yet shifted from product management to proposals. MorphoTrak still operated as two separate divisions, and an opportunity arose for me to demonstrate a product from the Printrak division to customers of the Morpho division.

Description of Motorola (later MorphoTrak) Metro ID system. From Motorola brochure BIO-CRMBRO-1, retrieved from ersdatasolutions.com.

So I, along with a Metro ID demonstration system, flew to Atlantic City, New Jersey to attend a trade show which would have many attendees from New Jersey, a Morpho customer. Theoretically, local New Jersey agencies could buy Metro ID and submit results from that system to the New Jersey MetaMorpho system.

By Dough4872 – Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=24102903

I had just acquired a new credit card for business purposes, which I would use for the first time at the trade show.

When I first tried to use the card, it was declined.

Look at it from the credit card issuer’s perspective:

  • Someone had just received a credit card, which had never been used.
  • The first time that someone tried to use the credit card, it was used thousands of miles from the California location where the customer lived and worked.
  • Sure, the transaction was for a low dollar amount (I think I was at a McDonald’s), but there’s always the danger that if that transaction were approved, the user would next walk a few blocks to a casino and withdraw thousands of dollars.
  • Because this seems suspicious, we’d better check it out before approving any transactions. Maybe the card was stolen.

So the credit card company had to verify that the use in Atlantic City was legitimate. To do so, they called my house in California.

Which ordinarily would be fine, but I was not at my house in California. I was in Atlantic City.

Eventually, everything worked out, but wouldn’t it be nice if the credit card company realized that not only did

  • the person using John Bredehoft’s credit card actually have possession of the card, and that
  • the person using John Bredehoft’s credit card knew the PIN associated with the card, but also that
  • John Bredehoft was physically in Atlantic City, New Jersey, where the card was being used?

Now you can see how “somewhere you are,” or geolocation, could be used as an identifier. Of course this would be very hard to authenticate in 1994, and wasn’t even a common authenticator in 2009, but clearly in 2022 everyone can figure out where you are.

Incognia and (not) zero factor authentication

Enter Incognia, a company that states that it offers an identification solution that uses what they call “zero factor authentication.” Tyler Choi of Biometric Update explains why Incognia’s solution is important:

Incognia points to an increase in revenue and activity across apps in financial services, crypto, social networks, and online gaming, which accentuates the need for fraud prevention.

From https://www.biometricupdate.com/202203/incognia-adds-location-fraud-detection-to-mobile-onboarding-and-authentication

While I have a problem with the “zero authentication factor” / “0FA” semantics Incognia uses (location IS an authentication factor, at least in my model), I can appreciate what the company does.

Incognia’s award-winning location identity technology is highly resistant to location spoofing and offers superior location precision for accurate fraud detection on mobile with very low false-positive rates. Incognia uses network, location, and device intelligence data to silently recognize trusted users based on their unique behavior patterns….

Incognia’s location technology uses data from not only GPS, but also WiFi, cellular and Bluetooth sensors, which makes it highly effective at detecting location spoofing, unlike fraud detection based on IP and GPS alone.

From https://www.incognia.com/location-behavioral-analytics?hsLang=en

Incognia asserts that the vast majority of transactions can be authenticated based on location alone. For example, if I perform a transaction when at my house, the chance is high that I am truly the person performing the transaction.

But what if I perform a transaction on the other side of the country, in a location that I have never visited before? Then Incognia uses additional factors of authentication to verify my identity.

For example, I could provide the password or a biometric identifier. The very fact that I possess a phone that was previously associated with me is another indicator that I may be who I say I am.

But we’re not really using geolocation yet

However, geolocation is not commonly used as an authentication factor, as I discovered several years after my trip to Atlantic City.

By this time I had acquired another credit card for business purposes, and my credit card provider noticed some strange behavior. Not a single attempt to purchase food across the country at a restaurant in New Jersey, but multiple repeated purchases across the country at a store in Virginia.

The credit card provider got suspicious when the person made repeated small balance purchases at the same store, and froze the account until it could check with me to see if those purchases were legitimate. This time I was home in California and was able to confirm that the purchases were fraudulent.

Of course, the credit card provider could have detected this much more quickly if it knew that I was not in Virginia, but California.
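The issuer's reasoning in the two card stories above (the 2009 Atlantic City decline and the Virginia fraud), written out as an added example that is neither any issuer's nor the blog's code; the coordinates, radii and the Anaheim home are assumptions.

```python
# Added example (not the issuer's or the blog's code): card authorization that
# uses the cardholder's device location as the "somewhere you are" factor, so
# the 2009 Atlantic City decline and the later Virginia fraud both resolve
# without a phone call to the house. Coordinates, radii and the card records
# are constructed; the cardholder's home is placed in Anaheim for illustration.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

Coord = Tuple[float, float]  # (latitude, longitude) in degrees

NEARBY_KM = 50.0          # device fix this close to the merchant corroborates presence
FAR_FROM_HOME_KM = 500.0  # beyond this, the first use of a new card looks suspicious


@dataclass(frozen=True)
class Card:
    home: Coord
    first_use: bool  # no approved transactions on this card yet


@dataclass(frozen=True)
class Transaction:
    merchant: Coord


def km_between(a: Coord, b: Coord) -> float:
    """Great-circle distance by the haversine formula, Earth radius 6371 km."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def authorize(card: Card, txn: Transaction, device_fix: Optional[Coord]) -> str:
    """Return 'approve', 'decline' or 'hold_for_verification'.

    No device fix puts the issuer back in 2009: a brand-new card, never used,
    suddenly far from home, so hold it and contact the cardholder. With a fix,
    geolocation decides: cardholder near the merchant, approve; cardholder
    demonstrably elsewhere, decline before a second purchase happens. A fix is
    only as trustworthy as its resistance to spoofing, so a real engine would
    also weigh how the fix was obtained (GPS alone versus several sensors).
    """
    far_from_home = km_between(txn.merchant, card.home) > FAR_FROM_HOME_KM
    if device_fix is None:
        if card.first_use and far_from_home:
            return "hold_for_verification"
        return "approve"
    if km_between(device_fix, txn.merchant) <= NEARBY_KM:
        return "approve"
    return "decline"


# Constructed sample locations (approximate city centres).
ANAHEIM = (33.835, -117.915)       # cardholder's California home (assumed)
ATLANTIC_CITY = (39.364, -74.423)  # the 2009 trade-show McDonald's
RICHMOND_VA = (37.541, -77.436)    # the store behind the later fraud

NEW_CARD = Card(home=ANAHEIM, first_use=True)
OLD_CARD = Card(home=ANAHEIM, first_use=False)
LUNCH = Transaction(merchant=ATLANTIC_CITY)
VIRGINIA_PURCHASE = Transaction(merchant=RICHMOND_VA)

if __name__ == "__main__":
    print(authorize(NEW_CARD, LUNCH, None))                 # hold_for_verification
    print(authorize(NEW_CARD, LUNCH, ATLANTIC_CITY))        # approve
    print(authorize(OLD_CARD, VIRGINIA_PURCHASE, ANAHEIM))  # decline
```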

So when you perform competitive analysis on authentication companies, don’t forget about competitors that use geolocation.

After nearly a quarter century, I finally (virtually) attended an ESRI User Conference #EsriUC

Although I’ve never worked with the company directly, I have a long history with ESRI.

  • When Printrak acquired portions of SCC back in 1997, Printrak became the company of record for SCC’s computer aided dispatch product, which used ESRI technology for its mapping.
  • When I rejoined the Proposals organization about a decade ago, the (then) Southern California Chapter of the (then) Association of Proposal Management Professionals arranged for satellite locations for its chapter meetings. Initially I would go to Redlands and attend the meetings at ESRI’s corporate headquarters. (Very nice facility, by the way.) Eventually I arranged to host satellite meetings at MorphoTrak’s Anaheim headquarters on Tustin Avenue, so my visits to ESRI in Redlands ceased. Now most meetings (other than Training Day) are online-only.

Add my interest in mapping to the mix, and you would think that I would be a prime target to attend ESRI’s annual User Conference in San Diego. However, as I mentioned, I wasn’t working with the company directly, and so I could never justify attending the ESRI User Conference in the same way that I could justify attending Oracle OpenWorld, the International Association for Identification, or IDEMIA/MorphoTrak/Motorola/Printrak’s own User Conference.

Then this pandemic thing happened, I became a free agent, bla bla bla. And so I found myself watching the Monday plenary session for the virtual 2021 ESRI User Conference.

For those who know ESRI, it’s no surprise that the speaker for much of the 3 1/2 hour plenary session was Jack Dangermond. This was the first time that I heard Dangermond speak at any length, and he provided a helpful overview of the company and its offerings, supported by a slew of ESRI product managers and outside partners.

For those who know ESRI, it’s no surprise that ESRI’s offerings have expanded since the late 1990s, with mobile and cloud options that could barely be envisioned in the last millennium.

And (like Oracle) ESRI has expanded from its base product into various verticals, such as ArcGIS Business Analyst for location-based market intelligence. The case studies illustrate how this product can benefit its users.

And I am certainly a fan of case studies

The five authentication factors

I thought I had blogged about the five factors of authentication, either here or at jebredcal, but I guess I haven’t explicitly written a post just on this topic.

And I’m not going to do that today either (at least in any detail), because The Cybersecurity Man already did a good job at that (as have many others).

However, for those like me who get a little befuddled after authentication factor 3, I’m going to list all five authentication factors.

  • Something You Know. Think “password.” And no, passwords aren’t dead. But the use of your mother’s maiden name as an authentication factor is hopefully decreasing.
  • Something You Have. I’ve spent much of the last ten years working with this factor, primarily in the form of driver’s licenses. (Yes, MorphoTrak proposed driver’s license systems. No, they eventually stopped doing so. But obviously IDEMIA North America, the former MorphoTrust, has implemented a number of driver’s license systems.) But there are other examples, such as hardware or software tokens.
  • Something You Are. I’ve spent…a long time with this factor, since this is the factor that includes biometric modalities (finger, face, iris, DNA, voice, vein, etc.). It also includes behavioral biometrics, provided that they are truly behavioral and relatively static.
  • Something You Do. The Cybersecurity Man chose to explain this in a non-behavioral fashion, such as using swiping patterns to unlock a device. This is different from something such as gait recognition, which supposedly remains constant and is thus classified as behavioral biometrics.
  • Somewhere You Are. This is an emerging factor, as smartphones become more and more prevalent and locations are therefore easier to capture. Even then, however, precision isn’t always as good as we want it to be. For example, when you and a few hundred of your closest friends have illegally entered the U.S. Capitol, you can’t use geolocation alone to determine who exactly is in Speaker Pelosi’s office.

Now when these factors are combined via multi-factor authentication, there is a higher probability that the person is who they claim to be. If I enter the password “12345” AND I provide a picture of my driver’s license AND I provide a picture of my face AND I demonstrate the secret finger move AND I am within 25 feet of my documented address, then there is a pretty good likelihood that I am me, despite the fact that I used an extremely poor password.

I don’t know if anyone has come up with a sixth authentication factor yet. But I’m sure someone will if it hasn’t already been done. And then I’ll update this post in the same way I’ve been updating my Bredemarket 2021 goals.