Poor computers. Validating a person’s identity has never been easy for them. Conversely, humans have numerous tactics for identifying other people including some that have evolved over tens of thousands of years. In person, this could range from how that individual looks and sounds to more subtle things like mannerisms, odor, or how they answer questions about shared prior experiences or knowledge.
To better understand a computer’s disadvantages, let’s start eliminating the advantages you have as a human. Put a black screen between you and the other person, and you immediately lose the ability to see the individual and how they move. Maybe you’re speaking to them over the phone: you can still hear them and ask them any questions you like. Now encase yourself in a sound-proof booth – all the information you gain from speech intonation, cadence, and patterns is stripped away. Answers are instead typed and printed, nothing handwritten. Are you feeling uneasy yet?
Maybe they can slide their driver’s license under the screen. Would you consider mere possession of a plastic card sufficient evidence? Before you answer, consider that precision is the main factor. We expect computers to never make an incorrect determination. Making a single mistake every 5th time, 100th time, or even every 10,000th time is simply not acceptable when the data at stake is considered. Clearly a driver’s license handed to us by an otherwise faceless person is inadequate.
So, hopefully, you see how handicapped computers are when it comes to proving someone’s identity. They have a dearth of information or inputs upon which they can base their decision. This truly is a limitation of how users interact with computers and web-based services: humans are reduced to proving their identity in ways that comply with a computer’s capabilities. Passwords are simply shared secrets between a person and the computer, and their efficacy is being increasingly marginalized as general password habits are studied in more depth. This leads to our conversation on Contextual Authentication.
Contextual authentication has been around for years, but is finally starting to gain traction. It seeks to leverage extra information the computer can use to make more informed decisions. It is critical that this information be trustworthy. As an example, HTML5 now makes it much easier for applications to get the GPS coordinates of a client, but this information originates on the client machine, so it could be modified before being sent to the server.
Certain attributes are observed by the server rather than reported by the client, and so cannot be spoofed in the same way: the current time and the client IP address. IP-based geolocation can be determined by a server to provide at least the user’s country, but there are no guarantees the IP isn’t that of an intermediate proxy server, which reduces its credibility. A better model is treating workstations with a controlled client app installed as inherently more trustworthy than those without one. The client app requires a one-time installation and registration. At that point, the data it produces can be sufficiently protected and thus trusted. It could potentially perform a survey of nearby Wi-Fi access points, which provides much more accurate location information, approaching the accuracy of a mobile device’s GPS coordinates. It could also report the encryption algorithm of the wireless connection, which is of interest if the user is attempting to access sensitive data that could be sniffed over the air.
These extra attributes can be used to create a profile of the user’s activity over time allowing the computer to quickly identify outlying conditions that may be cause for requiring additional methods of authentication (requiring an OTP in addition to name & password). Some conditions, such as an unencrypted wireless connection, may completely block the user’s access due to security concerns.
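The three ideas above (client-reported data is untrusted, server-observed data such as time and source IP carries more weight, and data attested by a registered client app carries the most) can be combined into a small policy that scores a login against the user's usual activity and decides whether to allow it, step up to an OTP, or block it. The following is an added example written for this post, not code from the original article or from any product it describes; the user profile, the IP-to-country table, the signal names and the score thresholds are all constructed for illustration.

```python
"""Added example: a minimal contextual authentication policy.

Each signal is tagged with its provenance so that weaker copies of the
same fact (e.g. a client-supplied source IP) never override the
server-observed or app-attested value. All data here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Trust(Enum):
    """Where a signal comes from; higher values are harder for a client to fake."""
    CLIENT_REPORTED = 0   # e.g. HTML5 geolocation, produced by code on the client
    SERVER_OBSERVED = 1   # request time and source IP as seen by the server
    APP_ATTESTED = 2      # produced and protected by the registered client app


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # password alone is not enough: also require an OTP
    BLOCK = "block"


@dataclass
class Signal:
    name: str
    value: object
    trust: Trust


@dataclass
class UserProfile:
    """Constructed history of a user's normal activity."""
    usual_countries: frozenset
    usual_hours_utc: range


# Constructed IP-to-country table standing in for a real geolocation database.
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "DE"}

# Constructed profile: a user who normally logs in from the US during working hours.
ALICE = UserProfile(usual_countries=frozenset({"US"}), usual_hours_utc=range(8, 19))


def lookup(signals, name, min_trust):
    """Return the value of `name` only if its provenance meets `min_trust`."""
    for s in signals:
        if s.name == name and s.trust.value >= min_trust.value:
            return s.value
    return None


def evaluate(signals, profile, step_up_at=2, block_at=4):
    """Score a login against the profile and return (Decision, reasons)."""
    reasons = []

    # An attested report of an unencrypted wireless link blocks outright.
    if lookup(signals, "wifi_encryption", Trust.APP_ATTESTED) == "open":
        return Decision.BLOCK, ["unencrypted wireless connection"]

    score = 0
    ip = lookup(signals, "source_ip", Trust.SERVER_OBSERVED)
    country = IP_COUNTRY.get(ip)
    if country not in profile.usual_countries:
        score += 2
        reasons.append(f"unusual country {country!r} for ip {ip}")

    when = lookup(signals, "request_time", Trust.SERVER_OBSERVED)
    if when is not None and when.hour not in profile.usual_hours_utc:
        score += 1
        reasons.append(f"unusual hour {when.hour:02d}:00 UTC")

    # A workstation without the registered app is inherently less trusted.
    if lookup(signals, "app_registered", Trust.APP_ATTESTED) is not True:
        score += 1
        reasons.append("no registered client app")

    # Client-reported geolocation is never used as a location of record; a
    # mismatch with the server-observed country only adds to the score.
    claimed = lookup(signals, "geo_country", Trust.CLIENT_REPORTED)
    if claimed is not None and claimed != country:
        score += 1
        reasons.append(f"client-reported country {claimed!r} disagrees with IP")

    if score >= block_at:
        return Decision.BLOCK, reasons
    if score >= step_up_at:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, reasons


def signals_for(ip="203.0.113.10", hour=10, app=True, wifi="wpa2"):
    """Build a constructed set of signals for one login attempt."""
    return [
        Signal("request_time", datetime(2024, 5, 6, hour, tzinfo=timezone.utc), Trust.SERVER_OBSERVED),
        Signal("source_ip", ip, Trust.SERVER_OBSERVED),
        Signal("app_registered", app, Trust.APP_ATTESTED),
        Signal("wifi_encryption", wifi, Trust.APP_ATTESTED),
    ]


if __name__ == "__main__":
    for label, sigs in [
        ("normal", signals_for()),
        ("new country", signals_for(ip="198.51.100.7")),
        ("new country, 3am, no app", signals_for(ip="198.51.100.7", hour=3, app=False)),
        ("open wifi", signals_for(wifi="open")),
    ]:
        print(label, evaluate(sigs, ALICE))
```

Note that a client-reported `source_ip` signal (the kind a forged `X-Forwarded-For` header would produce) is silently ignored by `lookup` because its trust level is below `SERVER_OBSERVED`, so the decision is driven by the address the server actually saw.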
The playing field is far from level, but this outside-the-box thinking on getting authoritative data from the end-point device is an important step toward easing the requirements placed on legitimate users while requiring more from everyone else. Explicit barriers based on data that only client-side apps can provide credibly are an implicit ally, giving a server more control and context with which to inform its security decisions.