Fourth Factor (De-)Authentication

We all know that there are three basic ways to authenticate somebody: something you know, something you have, and something you are. I’ve wondered recently though where habits and behavior fit in. For example, I’m writing this post from India. I don’t usually go to India and I’ve just used my credit card here a few times. Sure enough my card got red flagged and not long after blocked. The card company got “concerned” when they saw charges from somewhere new; somewhere outside of my typical charging radius. This happened to me a couple of times in Europe but a quick call, a mother’s maiden name, a birtdate, a social security number, and a DNA sample later and the card was back in action. 

This “behavioral” monitoring wasn’t an authentication mechanism so much as a “de-authentication” trigger. That out-of-the-ordinary behavior sparked suspicion despite all standard authentication mechanisms being in place (meaning that the clerks in India processed my card in the standard way). This profiling/“look for weird stuff” philosophy has been used in Intrusion Detection Systems (IDS) forever but is now moving to watching employees on their desktops in hopes of preempting insider attacks. It’s even being used as a method for authentication as one company (https://www.biopassword.com) has a tool to observe the cadence with which a password is typed to guard against the inevitable employee with a bad memory and an inviting yellow sickynote pad.

Measuring behavior “post authentication” brings a whole new dimension to trust but verify. It basically makes the statement “We trust that this person is who the say they are because they just *proved* it…but we’ll keep checking to see what they do just incase.” It can automatically tune security controls. Right now, if you’re making a bigger-than-normal transfer on many banking sites they may ask you for some additional information like your mothers maiden name. What if this was taken a step further? If my browsing behavior on a site was “different” is some meaningful way maybe a series of safeguards kick in even if the transaction that I made was “normal.” 

Initially it seems shocking and intolerable from a privacy perspective that sites would keep track of enough historical information to realize what “abnormal” is but most web sites do this already; except the data is used for marketing. Amazon.com always tweaks their landing page based on personal browsing history (either that or books on Reverse Engineering are truly more popular than the works of Dr. Phil) and we accept that this data is aggregated. If that behavioral data is laying around anyway – be it in user profiles, logs, server access records, whatever – it seems like a natural (and, if done right, user transparent) fit to throttle security controls up when risk is afoot.

 Like anything else though there can be false positives and hiccups – like having to switch to cash in India till I could get to Skype to call my credit card company. Still, I’m glad I’m not funding somebody else’s shopping spree.