7 Responses to “Four-factor Authentication”

  1. joat Says:

    Unfortunately, “somewhere you are” is not an accepted facet of authentication. The problem lies in that it’s a digital source of information and, therefore, is subject to a number of attacks (spoofing and DoS). Relying on noise background sampling or commercial GPS is also inaccurate enough that it cannot be used to isolate a single person.

    Without having to go into buying cool gadgets to prove it, most “where you are” determinations can be translated to “what network you are in”. Also, approaches which limit “where you are” prevent mobile logins.

    – joat

    • Dustin D. Trammell Says:

      @joat The concept I was going for was not necessarily “where you are” in regard to specific location information such as GPS, but more like where you are within a managed physical security system. For example, if you have already authenticated to the front door of a building, and then further authenticated to your department floor, “where you are” essentially provides indication of your access level based on your location within that system. Authentication to some information systems on that floor may require only that you be there, on that floor, using your location as proof of your access level or group status, without individually identifying you. This factor can be used for pseudo-anonymous access within a managed group.

  2. Travis H. Says:

    I wrote a relatively equivalent piece on this, in my Security Concepts book:


    It’s in section 9.8, Authentication Factors.

    I also mention “somewhere you can be reached”. Your credit card company uses this method of authentication every time it sends something to your home address, and web sites do it every time they email you something.

  3. Ted Bigham Says:

    In fear of repeating what joat said, “where you are” is not a factor of authentication. It fails the first requirement to be a factor, which is that it must work as a “single factor” authentication mechanism. Simply knowing the location where someone is accessing a system from is rarely enough to authenticate them.

    For example, if I walk up to a coworker’s computer while they are away, a “where you are” auth mechanism would let me log in by simply entering their login name. This is obviously not secure. Any location can hold more than one person at different times. The type of place that “where you are” authentication would be valid is something like a prison cell, where you know for a fact that only a certain person can be in that place at the time of authentication.

    Another reason most (if not all) forms of “where you are” authentication don’t qualify as factors is that they tend to depend on one of the other factors. This also disqualifies it. An example would be ordering room service from your hotel room. Although the front desk can tell exactly where the phone call is coming from, the room itself is only secured by a key (something you have). So if someone compromises your room key, they have also compromised your location. The mechanisms need to be independent of each other.

    There are still only “three” factors for authentication. Four is just marketing.

  4. Travis H. Says:

    Re: Ted Bigham and Joat

    Disagree. Nobody says that a factor of authentication has to be foolproof, only identifying one person. In fact, if it did, we would never need two-factor authentication! By the same argument, “something you know” isn’t good because someone could torture it out of you, and “something you have” isn’t sufficient since it could be stolen or duplicated.

    “Where you are” can also be important in situations like IFF devices, since not only do we want to know that the responder is friendly, we want to know that the challenge-response is not being proxied to a friendly at a distant location (though they don’t necessarily use that in IFF devices).

    I’m actually getting a fair number of hits from this site, so I figured I’d share an updated URL:


    Search for “Authentication Factors” to find the section on five-factor authentication; right now it is S11.8.

    I don’t discuss this, but it’s worth noting that some of these authentication factors are only useful in certain circumstances. For example, the biometric authentication isn’t always useful in network security, because the adversary could simply replay a recorded biometric signature; one has no proof that one is actually getting a reading from trusted biometric equipment, unless one engages in what TCPA calls “Remote Attestation”. If one isn’t sure where one is getting the reading from, then it’s just a string of bits, and so it’s effectively “something you know”.
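
The replay point in the comment above, as an added example that is not part of the original comments: a reading accepted as bare bits can be replayed, while one bound to a fresh verifier nonce by a key held in the sensor cannot. The HMAC key standing in for an attested sensor, the exact-match template and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: key provisioned into the trusted sensor and known to the verifier.
SENSOR_KEY = secrets.token_bytes(32)


def sensor_read(template: bytes, nonce: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Trusted sensor: return the reading plus a MAC binding it to the nonce."""
    tag = hmac.new(key, nonce + template, hashlib.sha256).digest()
    return template, tag


class Verifier:
    def __init__(self, key: bytes, enrolled: bytes):
        self.key = key
        self.enrolled = enrolled
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fixed length keeps nonce + reading unambiguous
        self.outstanding.add(nonce)
        return nonce

    def naive_check(self, reading: bytes) -> bool:
        """Accepts any matching bit string, so the reading is only 'something you know'."""
        return hmac.compare_digest(reading, self.enrolled)

    def bound_check(self, nonce: bytes, reading: bytes, tag: bytes) -> bool:
        """Accept only a reading MACed by the sensor over a fresh, unused nonce."""
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)  # each challenge is single use
        expected = hmac.new(self.key, nonce + reading, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and hmac.compare_digest(reading, self.enrolled)


def demo() -> dict:
    template = b"constructed-biometric-template"  # constructed sample value
    v = Verifier(SENSOR_KEY, template)
    n1 = v.challenge()
    reading, tag = sensor_read(template, n1, SENSOR_KEY)
    results = {"live": v.bound_check(n1, reading, tag)}
    results["naive_replay"] = v.naive_check(reading)  # recorded bits resubmitted
    n2 = v.challenge()
    results["replay_new_nonce"] = v.bound_check(n2, reading, tag)
    results["replay_old_nonce"] = v.bound_check(n1, reading, tag)
    return results
```

Real biometric matching is approximate rather than byte-exact, and remote attestation relies on hardware-backed keys and signed platform measurements rather than a shared secret.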

  5. Ted Bigham Says:

    I never said foolproof. If someone tortures your password from you, then that factor is compromised; all the reason for more than one. I also never said the “data” for each factor is self identifying. If your pin number is 1234, that is not unique, but is secret and qualifies as a factor when associated with your id or card number (which is not secret and not a factor). A location is a valid point of reference especially in the fraud prevention realm, but is not a factor of identifying a person. Any person can be at that location claiming to be you, just like any person can say their pin is 1234 claiming to be you. The difference is that location is not secret.

  6. Stefany Forni Says:

    Thx for information.
