Thursday, February 2, 2017

Other authentication factors

In computer security, when we talk about authentication factors it is usually
the traditional "something you know", "something you have" and "something you
are" (i.e. biometrics). More recently, other kinds of factors have come into
use.

First up are behavioral factors, which are the way you do something.
This must be something that can be reasonably uniquely attributed to you and
only you. Some examples are your keyboard typing patterns, touch surface swiping
patterns, or how you typically interact with some graphical user interface.
The point is that, in theory, no two people use these interfaces exactly the
same way, so that uniqueness can be used as a form of authentication.

Some systems are even using this as a means of "continuous authentication".
After your initial access to the system, the behavior is tracked throughout
use and if it suddenly doesn't look like you any more, then you could be asked
to reauthenticate. I have to wonder how robust this really is. Unlike a
cryptographically strong hash, we don't have any way to prove anything about it.
I think it's just too new for that yet. But I do agree that it is a promising
approach. The overly paranoid might not like it. It could be seen as yet another
intrusion into their privacy and another way they could be tracked or
identified. The EFF has a project that demonstrates just how unique a
fingerprint your web browser presents regardless of which site or page you are
visiting. If multiple sites started sharing and correlating behavioral
measurements, that is one more way you can be tracked across multiple systems
to build a bigger profile of you.
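To make the behavioral-factor and continuous-authentication ideas above concrete, here is a toy keystroke-dynamics check. It is an added example written for this post, not code from the original author or from any product: it enrolls a typing profile (how long each key is held and the gap between keys) from a few constructed samples, then scores later samples against it and flags the ones that stop looking like the enrolled user. The timings, the spread floor MIN_SD and the REAUTH_THRESHOLD are all constructed assumptions, not tuned values from any real system.

```python
"""Toy keystroke-dynamics check for a behavioral factor (added example, not
code from the original post). All timings are constructed sample data."""
from statistics import mean, pstdev

MIN_SD = 5.0            # assumption: floor on per-feature spread (ms) so a
                        # feature with no variation at enrollment cannot
                        # dominate the score
REAUTH_THRESHOLD = 2.0  # assumption: mean |z| above this triggers a challenge

# One typing sample = list of (key, press_ms, release_ms). Constructed data
# for the same short word typed three times at enrollment.
ENROLL_SESSIONS = [
    [("p", 0, 95), ("a", 140, 230), ("s", 290, 380), ("s", 430, 520)],
    [("p", 0, 100), ("a", 150, 240), ("s", 300, 395), ("s", 445, 530)],
    [("p", 0, 90), ("a", 135, 225), ("s", 285, 375), ("s", 425, 515)],
]


def features(session):
    """Return [dwell..., flight...] for one typed sample.

    dwell  = release - press for each key (how long it is held)
    flight = next press - this release (gap between consecutive keys)
    """
    dwell = [rel - press for _, press, rel in session]
    flight = [session[i + 1][1] - session[i][2] for i in range(len(session) - 1)]
    return dwell + flight


def build_profile(sessions):
    """Per-feature (mean, sd) across the enrollment samples."""
    cols = list(zip(*(features(s) for s in sessions)))
    return [(mean(c), max(pstdev(c), MIN_SD)) for c in cols]


def score(profile, session):
    """Mean absolute z-score of a sample against the profile (0 = identical)."""
    f = features(session)
    if len(f) != len(profile):
        raise ValueError("sample length does not match the enrolled profile")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(f, profile))


def needs_reauth(profile, session, threshold=REAUTH_THRESHOLD):
    """Continuous-auth hook: True when the latest sample no longer looks like
    the enrolled user, so the system should challenge for another factor."""
    return score(profile, session) > threshold


PROFILE = build_profile(ENROLL_SESSIONS)

# Constructed later samples: one by the enrolled typist, one by a much slower
# typist who knows the password but not the rhythm.
GENUINE = [("p", 0, 92), ("a", 140, 230), ("s", 288, 380), ("s", 430, 518)]
IMPOSTOR = [("p", 0, 180), ("a", 400, 560), ("s", 800, 950), ("s", 1200, 1380)]

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{name}: score={score(PROFILE, sample):.2f} "
              f"reauth={needs_reauth(PROFILE, sample)}")
```

Three enrollment samples and a single mean-|z| threshold are enough to show the mechanism, not to make a robust decision; the spread floor exists precisely because tiny enrollment sets produce zero variance on some features, and a real deployment would need many more samples, a tuned threshold and a measured false-accept/false-reject trade-off before it could answer the robustness question raised above.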

Another factor is location. This could be a geographical location or a logical
network location (i.e. only from certain IP addresses or networks). These days,
a lot of computers either have GPS or an estimate of position based on knowing
what general area your IP address is in. I play Blizzard games through
their Battle.net site and if they see me come in from a different IP address
than I usually do (maybe I'm visiting relatives and using their computer),
it will challenge me for extra authentication to make sure someone else has not
hacked my account. Of course, these mechanisms can be spoofed if the local
device is compromised so that it reports the expected location, or if the IP
address is spoofed, so location is a weak factor on its own.

A slight variation on this is the "remember this device" mechanism.
You go through a full authentication once and then tell the site that this
device is a trusted device. Future logins do not ask for all the authentication
factors. This is a convenience for your home computer, tablet, phone, etc.
You assume the risk by protecting access to your devices in trade for more
convenient access. Once again we see the balance between usability and security.
I have had difficulty with this mechanism over time. The "remembering" tends
to fail under various circumstances like software upgrades, maybe an eventual
timeout and so on. This tends to happen with no notice and after you got used
to the convenience it is a jarring pothole in the usability road.
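The location check and the "remember this device" mechanism from the last two paragraphs fit naturally into one step-up decision, shown here as an added example (not code from the original post or from Battle.net or any other site). The trusted-device token is an HMAC-signed, expiring statement that a given user enrolled a given device; the login logic first honours a valid token, then falls back to asking whether the source IP is in a network the user has been seen from before, and only otherwise demands an extra factor. The server secret, the user, the device ids, the networks (RFC 5737 documentation ranges) and the timestamps are all constructed; the ordering of the rules is a design choice for the example, and the expired-token path is the "eventual timeout" the paragraph above describes.

```python
"""Location check plus "remember this device" token for step-up authentication
(added example, not from the original post). Every secret, user, network and
timestamp below is constructed for the demo."""
import base64
import binascii
import hashlib
import hmac
import ipaddress

SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"  # assumption: server key

# Networks each user has previously logged in from. Constructed, using
# RFC 5737 documentation ranges so nothing here is a real address.
KNOWN_NETWORKS = {
    "alice": [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/25")],
}


def _mac(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_device_token(secret, user, device_id, now, ttl_seconds):
    """Mint a "remember this device" token after a full multi-factor login.

    Token = base64url(user|device|expiry) + "." + HMAC-SHA256 over the payload,
    so the server can verify it later without storing per-device state.
    """
    payload = f"{user}|{device_id}|{now + ttl_seconds}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(secret, payload)


def verify_device_token(secret, token, user, device_id, now):
    """True only if the MAC is valid, the token names this user and device,
    and the expiry has not passed (the "eventual timeout" users run into)."""
    try:
        enc, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(enc)
    except (ValueError, binascii.Error):
        return False
    # Check the MAC before trusting any field; constant-time compare.
    if not hmac.compare_digest(_mac(secret, payload), mac):
        return False
    try:
        t_user, t_device, t_expiry = payload.decode().split("|")
        t_expiry = int(t_expiry)
    except ValueError:
        return False
    return t_user == user and t_device == device_id and now < t_expiry


def ip_is_familiar(user, src_ip):
    """Logical-location check: is the source address in a network the user
    has been seen from before?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in KNOWN_NETWORKS.get(user, []))


def login_decision(user, src_ip, device_id, device_token, now):
    """Decide, after the password has already been verified, whether to
    'allow' the login or 'step_up' to an additional factor."""
    if device_token and verify_device_token(SERVER_SECRET, device_token,
                                            user, device_id, now):
        return "allow"      # remembered device: skip the extra factor
    if ip_is_familiar(user, src_ip):
        return "allow"      # usual network: no challenge
    return "step_up"        # new place and no trusted device: ask for more


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_device_token(SERVER_SECRET, "alice", "laptop-1", now, 30 * 86400)
    print(login_decision("alice", "203.0.113.7", "laptop-1", None, now))
    print(login_decision("alice", "192.0.2.9", "laptop-1", None, now))
    print(login_decision("alice", "192.0.2.9", "laptop-1", token, now + 10))
    print(login_decision("alice", "192.0.2.9", "laptop-1", token, now + 31 * 86400))
```

Binding the token to a device identifier and an expiry is what makes the trade-off explicit: the token is only as safe as the device it lives on, and the expiry bounds how long a stolen one is useful, which is also why the convenience silently disappears one day and the full challenge comes back.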
