Wednesday, November 15, 2006

Distributed Transaction Authentication

An interesting discussion of transaction authentication:
Transaction authentication is software residing on the enterprise security servers that monitors, in addition to the successful use of user ID and password, the:
  • IP address the user is coming in from
  • User's geolocation
  • Computer hardware the user is using
  • Time of day
  • Previous user pattern of behaviour
What if the scope of the 'transaction' were broadened, i.e. to include behaviours performed at an SP (service provider) after the user SSO'd in from an IDP (identity provider)?

If the user's behaviour at the SP didn't fit previous transactional patterns (such as those listed above), should the SP alert the IDP to that fact? There are, AFAIK, no protocols that would support such a call.

Or would the SP simply send the user back to the IDP with a request for a new authentication, this time with a mechanism that would better serve to erase the doubt in the SP's mind?

The semantics seem different: a simple request for authentication doesn't allow the SP to express its reasons for concern and flag these to the IDP. This is potentially important if the IDP has to decide whether to alert other SPs to which it has recently asserted the user's identity.
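As an added illustration (not code from the original post), here is a toy SP-side check of the signals listed above against a user's previous pattern, together with the step-up request the SP could send the user back to the IDP with. It assumes SAML 2.0 as the federation protocol (the post names none); ForceAuthn, RequestedAuthnContext and the TimeSyncToken context class are real SAML 2.0 constructs, while the user baseline, session data, SP and IDP URLs are constructed.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TOKEN_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"  # stronger than a password
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def deviations(baseline, observed):
    """List the signals from the post (IP, geolocation, hardware, time of day)
    on which the observed session departs from the user's previous pattern."""
    found = []
    if observed["ip_prefix"] not in baseline["ip_prefixes"]:
        found.append("ip")
    if observed["country"] not in baseline["countries"]:
        found.append("geolocation")
    if observed["device_id"] not in baseline["device_ids"]:
        found.append("hardware")
    start, end = baseline["usual_hours"]
    if not start <= observed["hour"] < end:
        found.append("time_of_day")
    return found

def step_up_request(sp_entity_id, idp_sso_url):
    """SAML 2.0 AuthnRequest forcing fresh authentication at (at least) TOKEN_CLASS.
    It has no standard field for *why* the SP is asking: the gap the post raises."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "ForceAuthn": "true",  # the IDP must not reuse an existing session
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    ctx = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "minimum"})
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = TOKEN_CLASS
    return root

# Constructed sample data (hypothetical user, SP and IDP).
BASELINE = {"ip_prefixes": {"203.0.113"}, "countries": {"CA"},
            "device_ids": {"laptop-1"}, "usual_hours": (8, 19)}
SESSION_USUAL = {"ip_prefix": "203.0.113", "country": "CA", "device_id": "laptop-1", "hour": 10}
SESSION_ODD = {"ip_prefix": "198.51.100", "country": "BR", "device_id": "laptop-1", "hour": 3}

if __name__ == "__main__":
    print(deviations(BASELINE, SESSION_ODD))
    print(ET.tostring(step_up_request("https://sp.example/metadata", "https://idp.example/sso"), encoding="unicode"))
```

The deviating signals stay inside the SP; the request only tells the IDP to authenticate afresh and how strongly, not what prompted the concern.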
