Friday, October 18, 2013

Assurance over time

Consider a traditional authentication event.

The user logs in at a given time t0 and establishes some initial level of assurance. As time goes by, that assurance drops, the rate dependent on the context, ie public kiosk, etc.

 A graph of assurance over time looks something like


To prevent this decline, you can require that the user re-authenticate whenever the assurance hits some threshold at

An alternative to using explicit additional logins (as above) is to maintain assurance above at by monitoring implicit factors such as location, continuous typing, facial recognition, etc

Nb: the 'how' of detecting & monitoring these passive or implicit factors clearly demands some new pieces on the network. Depending on where this functionality sits, we may also need new mechanisms & protocols for communicating the information around.

From the user's PoV, this passive model has advantages - minimizing as it does the pain of explicit logins.

Ultimately, using a combination of explicit & implicit authentication factors appears to be emerging as the optimal balance of security & usability.

No comments: