


Fourth Factor (De-)Authentication

Jan 16, 2007 (3 min read)
Data and Information Security, Physical Security

We all know that there are three basic ways to authenticate somebody: something you know, something you have, and something you are. I’ve wondered recently, though, where habits and behavior fit in. For example, I’m writing this post from India. I don’t usually go to India, and I’ve just used my credit card here a few times. Sure enough, my card got red-flagged and not long after blocked. The card company got “concerned” when they saw charges from somewhere new; somewhere outside of my typical charging radius. This happened to me a couple of times in Europe, but a quick call, a mother’s maiden name, a birthdate, a social security number, and a DNA sample later and the card was back in action.

This “behavioral” monitoring wasn’t an authentication mechanism so much as a “de-authentication” trigger. That out-of-the-ordinary behavior sparked suspicion despite all standard authentication mechanisms being in place (meaning that the clerks in India processed my card in the standard way). This profiling/“look for weird stuff” philosophy has been used in Intrusion Detection Systems (IDS) forever but is now moving to watching employees on their desktops in hopes of preempting insider attacks. It’s even being used as a method for authentication, as one company ( has a tool to observe the cadence with which a password is typed to guard against the inevitable employee with a bad memory and an inviting yellow sticky-note pad.

Measuring behavior “post authentication” brings a whole new dimension to trust but verify. It basically makes the statement “We trust that this person is who they say they are because they just *proved* it…but we’ll keep checking to see what they do just in case.” It can automatically tune security controls. Right now, if you’re making a bigger-than-normal transfer on many banking sites, they may ask you for some additional information like your mother’s maiden name. What if this was taken a step further? If my browsing behavior on a site was “different” in some meaningful way, maybe a series of safeguards kick in even if the transaction that I made was “normal.”

Initially it seems shocking and intolerable from a privacy perspective that sites would keep track of enough historical information to realize what “abnormal” is, but most web sites already do this, except that the data is used for marketing. always tweaks their landing page based on personal browsing history (either that or books on Reverse Engineering are truly more popular than the works of Dr. Phil), and we accept that this data is aggregated. If that behavioral data is lying around anyway – be it in user profiles, logs, server access records, whatever – it seems like a natural (and, if done right, user-transparent) fit to throttle security controls up when risk is afoot.
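The mechanism described in the last three paragraphs, a per-user baseline built from existing history and a risk score on each post-authentication action that throttles controls up, as an added example that is not part of the original post and not any card issuer's or bank's actual logic. The history, the three signals (country, amount, hour of day), the scoring weights and the allow/step-up/hold thresholds are all constructed assumptions chosen to make the behaviour visible; a real deployment would tune them against its own false-positive rate.

```python
"""Risk-based step-up controls driven by a per-user behavioural baseline.

Added example (not from the original post). The user's own recent history is
summarised into a profile of what is "normal"; every new action by the already-
authenticated user is scored against it, and the score picks a control.
Weights and thresholds below are illustrative assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    """One post-authentication action by an already-logged-in user."""
    country: str   # where the action originated
    amount: float  # transaction value in the account currency
    hour: int      # local hour of day, 0-23


@dataclass(frozen=True)
class Profile:
    """Baseline summarised from the user's history (the 'what is normal' data)."""
    countries: Counter
    total: int
    amount_mean: float
    amount_std: float
    hours: frozenset


def build_profile(history):
    """Condense a list of past events into a Profile."""
    amounts = [e.amount for e in history]
    return Profile(
        countries=Counter(e.country for e in history),
        total=len(history),
        amount_mean=mean(amounts),
        amount_std=pstdev(amounts),
        hours=frozenset(e.hour for e in history),
    )


def score_event(profile, event):
    """Return (risk score, reasons); each reason is one deviation from baseline."""
    score, reasons = 0, []

    # Signal 1: origin country. Never seen is strong, rarely seen is weak.
    seen = profile.countries.get(event.country, 0)
    if seen == 0:
        score += 3
        reasons.append("country never seen before")
    elif seen / profile.total < 0.05:
        score += 1
        reasons.append("country rarely seen")

    # Signal 2: amount, as a z-score against the user's own spending.
    if profile.amount_std > 0:
        z = (event.amount - profile.amount_mean) / profile.amount_std
    else:
        z = 0.0 if event.amount == profile.amount_mean else float("inf")
    if z > 3:
        score += 3
        reasons.append(f"amount {z:.1f} sigma above typical spend")
    elif z > 2:
        score += 1
        reasons.append(f"amount {z:.1f} sigma above typical spend")

    # Signal 3: hour of day outside the window this user is normally active in.
    if event.hour not in profile.hours:
        score += 1
        reasons.append("hour of day outside usual activity window")

    return score, reasons


def decide(score):
    """Map a risk score to a control: the higher the risk, the stronger the check."""
    if score >= 4:
        return "hold"      # hold until the account holder confirms out of band
    if score >= 2:
        return "step-up"   # ask for an extra factor before letting the action through
    return "allow"


def sample_history():
    """Constructed history: 30 domestic purchases plus one trip to France."""
    amounts = [20.0, 35.0, 50.0, 65.0, 80.0]
    events = [Event("US", amounts[i % 5], 9 + i % 12) for i in range(30)]
    events.append(Event("FR", 50.0, 14))
    return events


if __name__ == "__main__":
    profile = build_profile(sample_history())
    for ev in (Event("US", 50.0, 12), Event("IN", 40.0, 12), Event("IN", 900.0, 12)):
        score, why = score_event(profile, ev)
        print(ev, "->", decide(score), why)
```

With this baseline a normal-sized purchase from a country never seen before is enough to trigger step-up on its own (the India case in the post), the same purchase at an unusually large amount is held, and a domestic purchase at a usual hour passes without friction. The reasons list is what an operator or the account holder would see when the control fires, which is what keeps the false positives the post mentions explainable rather than mysterious.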

Like anything else, though, there can be false positives and hiccups – like having to switch to cash in India till I could get to Skype to call my credit card company. Still, I’m glad I’m not funding somebody else’s shopping spree.

Dr. Herbert H. Thompson is chief security strategist at People Security ( and a world-renowned expert in application security. He has co-authored five books on the topic, including How to Break Software Security: Effective Techniques for Security Testing (with Dr. James Whittaker, Addison-Wesley, 2003), and the upcoming Protecting the Business: Software Security Compliance (to be published by John Wiley & Sons, 2007). In 2006, he was named one of the "Top 5 Most Influential Thinkers in IT Security" by SC Magazine. Dr. Thompson has written more than 60 academic and industrial articles and has delivered award-winning presentations and keynotes on software security throughout the world at conferences such as STAR, SD, RSA and Gartner. Email him at