While I was listening to Eric Conrad’s podcast, which by the way is another free CISSP resource, I learned something new that I thought was interesting. When I was getting my master’s in Information Assurance from ISU, whenever we talked about multi-factor authentication, we always talked about 3 unique factors.
- Something you know (e.g. passwords, passcodes)
- Something you have (e.g. key fobs, ID cards, key cards, tokens)
- Something you are (e.g. biometrics such as fingerprint, DNA, retina or iris scan)
This is talked about very often in every IA/security textbook, but Conrad talked about something that I had thought about but did not really consider its own category, which is the following.
- Where you are located (e.g. GPS location)
This is very interesting because for the first time in human history, we can actually track almost every user with the ubiquitous use of cellular phones by everyone. This means that your location can be an authentication factor.
For example, if a location is assigned to the computer or device that you are trying to access, the device will verify your location to see if you are in proximity to where it is, and this provides a second factor of authentication. However, this should only be used as a second form of authentication and not as a primary means to authenticate.
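The proximity check described above can be sketched as follows. This is an added example, not code from the original post or from the paper it mentions. The `Fix` format, the thresholds and the coordinates are assumptions, and the phone's reading is assumed to reach the verifier over an authenticated channel.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres

@dataclass(frozen=True)
class Fix:
    """A location reading reported by the user's phone (hypothetical format)."""
    lat: float
    lon: float
    accuracy_m: float  # reported horizontal accuracy radius
    age_s: float       # seconds since the reading was taken

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def location_factor_ok(device_lat, device_lon, fix,
                       radius_m=100.0, max_age_s=60.0, max_accuracy_m=50.0):
    """True only if the phone's fix is fresh, precise, and near the device."""
    if fix is None or fix.age_s < 0 or fix.age_s > max_age_s:
        return False  # missing or stale reading: fail closed
    if fix.accuracy_m > max_accuracy_m:
        return False  # too imprecise to show proximity
    # Worst case: the phone sits at the far edge of its accuracy circle.
    worst_case = haversine_m(device_lat, device_lon, fix.lat, fix.lon) + fix.accuracy_m
    return worst_case <= radius_m

def authenticate(password_ok, device_lat, device_lon, fix):
    """Location is only a second factor: it never succeeds without the primary one."""
    return password_ok and location_factor_ok(device_lat, device_lon, fix)

# Constructed sample data: one workstation location and three phone readings.
DEVICE = (42.0267, -93.6465)
NEARBY = Fix(42.0269, -93.6466, accuracy_m=10.0, age_s=5.0)
FAR = Fix(41.5868, -93.6250, accuracy_m=10.0, age_s=5.0)
STALE = Fix(42.0269, -93.6466, accuracy_m=10.0, age_s=600.0)
```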
What is interesting is that I’ve actually done research on this topic back in 2010. I presented a short IEEE paper in Macau on Secondary User Authentication Based on Mobile Devices Location.
Now, I don’t completely agree that this should be its own factor of authentication; I believe it is a subset of “something you have”. The reason is that in order for you to have a location, you must have your cellphone or some sort of device that transmits or provides a location ability. In that case it is no different than having a key fob or an ID card.
But it is still interesting to see that Conrad considered location as a factor of authentication.