Gartner Blog Network


AuthN TNG: Many Factors, Confidence, and Risk Scoring

by Ben Tomhave  |  September 12, 2013  |  6 Comments

Caveat: I’m part of the Security and Risk Management Strategies (SRMS) team, and not part of Identity and Privacy Strategies (IdPS). Also, fair warning… this is an incomplete thought and a bit rambling…

I’ve been mulling over authentication (and, to a degree, privacy) a bit the last couple weeks and wanted to toss a couple thoughts out there; especially in light of Apple’s iPhone announcements this week that included revealing their Touch ID fingerprint scanner for authentication. All of this further combines with my reading Aaron Pogue’s Ghost Targets series, in which he imagines a future where humanity has opted into low-privacy, high-assurance total surveillance society for the up-sides (I’ll leave the privacy side of this debate for another date;). But enough caveat and preamble… let’s get to the good stuff!

It seems to me that in the not-too-distant future, we will be able to realize the next generation of authentication. This future will be one in which we’ll be able to establish what I call “strong positive ID.” Such a feat will be accomplished, not through some magically super-strong single factor, but by shifting toward a risk-based analysis (confidence score) of the many factors that are simultaneously available, considering as many as possible (or as are appropriate) to fix ID within reason to meet the sensitivity of the interaction or transaction.

Tying this into both the iPhone and Pogue’s vision of a voluntarily accepted total surveillance society, consider this: with the fingerprint scanner, the iPhone can now potentially authenticate you based on fingerprint, facial recognition (potentially both visible and non-visible light spectrums), iris scan, voice print, GPS-based location, usage patterns, and the good old fashioned password/PIN options. With a couple small additions, it’s conceivable that other factors could also be included, too, such as the recently revealed heartbeat-based authentication from Bionym. Also, let’s not forget that the quantified self movement has already led many people to voluntarily track (and share) a LOT of this information, too.

Having all these authentication options is intriguing to me because it opens the door to many-factor authentication and risk scoring. Instead of just relying on 1, or maybe 2, factors and hoping they’ll be enough, we can now shift toward weighted confidences. Any one of those factors may (nay, do) have a less than 100% degree of confidence that the person using it truly is who they say they are. False positive and false negative rates, especially with biometrics, can be a particular pain. But now consider the picture in aggregate. Maybe I combine fingerprint with facial recognition with a PIN or trace pattern. Maybe the fingerprint doesn’t serve so much as an authentication factor, but as a signature (handwriting is already a dying art, no? just don’t tell my kids!:). Also, maybe I’m using wearable tech, or I always have the phone on me, and the phone can determine when it has left my possession, such that the device has a strong fix on who I am and can help represent that dynamically and transparently to other systems (including if I’m suddenly not alone, or if it senses I’m under duress based on monitoring audio, heart rate, etc.).

If you start from the assumption that you can now, with a reasonably high confidence, fix an identity, then everything else having to do with access and authorization, quickly falls into place. Moreover, this then allows us to make better risk-based decisions. If I’m buying a cup of coffee, then the required confidence level for the transaction is fairly low, and even more so if the transaction occurs at the same place every (week) day around the same time, and my trip originated from my known place of residence.

On the flip side, if I’m trying to make a large purchase or get access to a sensitive system at work, then the confidence level that I am who I assert to being must be commensurately higher. The beauty of this “many factor” future, though, is that simply having the device on or near you can help lock your identity with a very high level of confidence. And, even if the confidence level slips, it will soon be trivial to refresh at a higher confidence level, such as by picking the phone up and looking into the camera while holding your thumb over the fingerprint scanner.

BTW, as luck would have it, MasterCard has been thinking about risk-based authentication already, based on their “Three Domain (3-D) Secure protocol.” In the cited document, they talk about evaluating transactions given a variety of factors and then making a snap risk decision about whether or not the transaction has been adequately authenticated, or if additional authentication steps will be required, based on a contextual risk assessment. I expect this sort of practice to become more engrained and automatic, just as I think strong positive identification will also become implicit, transparent, and automatic. That is, quite literally, to say that it might start happening and you might not even realize it at first, aside from the occasional self-enrollment prompt when you get a new device or service.

Much, much, much more can and should be said about this… from a SRMS perspective, this means that now is the time to start thinking about how to apply risk-based scoring around authentication and authorization to your environment. It means you should also probably start talking to the good folks in IdPS to get a feel for current and emerging technologies. This also puts an interesting highlight on BYOD. Consider, if you will, that BYOD may in fact be the gateway to strong positive ID, and that you’ll no longer have to worry about authenticating people yourself, but simply gauging the confidence in the asserted ID and linking that into your environment. It probably means that federation will quickly become incredibly important. And then there are the privacy concerns… which may or may not be significant issues over time, depending on how technologies evolve along with cultural values.

What do you think? Are you ready for a world where you’re always positively identified and tracked? How much control should you be able to assert over that data, or will you even have a choice in the end? 🙂

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: scifi-musing  

Tags: authentication  confidence  factors  future  identity  many  privacy  risk  scoring  strategy  technology  

Ben Tomhave
Research Director
1 years at Gartner
19 years IT Industry

Ben is conducting research within the Security and Risk Management Strategies team under Gartner for Technical Professionals.


Thoughts on AuthN TNG: Many Factors, Confidence, and Risk Scoring


  1. […] AuthN TNG: Many Factors, Confidence, and Risk Scoring […]

  2. Nick Owen says:

    I agree that additional information from authentication systems will be of value, but I don’t think they need to be “authentication factors”. For example, our PC tokens can send a hash consisting of bits of information from that PC such as the CPU identifier. It’s not bullet-proof but adds a layer that companies that invest in NAC appreciate. Smart phone tokens can provide similar data without user interaction, such as location.

    I maintain that biometrics are very poor authenticators because they cannot be changed. (And other reasons: http://www.wikidsystems.com/WiKIDBlog/busting-the-biometric-myth-once-and-for-all.)

    As you note, much of this has already been mastered by the credit card companies. They do risk management on transactions and have managed fraud well. Yet their authenticator is purposely shared, in the open, with people! Clearly, their focus is not on authentication.

    Authentication servers have no knowledge of sessions. They don’t know if your VPN connection is coming from a different location than your OTP request. They don’t know if you are accessing a server you shouldn’t.

    Instead of seeking biometric data, which is of dubious value and invasive by nature, seek more information without impacting usability. I hope we can provide such data.

  3. Ben Tomhave says:

    I would submit that everything you’ve described is an “authenticating factor.” The key here is to not look at the fingerprint scanner in isolation, but to look at it as one more data point used in making a risk-based decision. The confidence in the quality, anti-circumventability, etc, etc, etc, of the factor should weight it up or down when calculating the risk.

    From an enterprise perspective, I would argue that you can know more about the sessions and states. In fact, we already see this with some NAC solutions, and expect that trend and capability to continue to expand.

    Blakely wrote about this a couple years back when he was still with Gartner:
    “Maverick* Research: The Death of Authentication”
    http://www.gartner.com/document/1818025

    Trent Henry has also touched on this topic more recently:
    “When Identity, Risk and Context Come Together-Adaptive Access Control”
    http://www.gartner.com/document/2578515

    cheers,

    -ben

  4. Nick Owen says:

    NAC != Authentication. That’s authz, in my book. If you are looking to aggregate data, analyze that data and then potentially kill a connection or prompt for more authentication data, that’s access control. I can see feeding it more data, but I do not see knowing more about what the user is doing on the network.

  5. Ben Tomhave says:

    Actually, increasingly NAC == authentication AND authorization, especially if you consider 802.1X where the *device* has to authenticate before being allowed onto the network (pre-connect). But, sure, NAC overall is largely authZ once authN has occurred, granted. The lines are getting muddier between the two, however, with the authN happening at the time of authZ. This is even truer with context-based authN, which is essentially authZ looking at context information before granting access, all of which becomes formative to the asserted ID and a risk-based confidence in the “truthiness” of the asserted ID.

  6. […] based on analysis of many factors (akin to what I described in my September 2013 post “AuthN TNG: Many Factors, Confidence, and Risk Scoring”). There are now several kits available for mobile devices that allow for built-in continuous […]



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.