In addition to the traditional methods of authentication (“something you know, something you have, something you are”), we should add the one aspect of authentication that we almost always forget about: “Somewhere you are.”
Consider methods of authenticating yourself for access to your Local Area Network:
- VPN Access: Generally two factors, something you know (username/password) + something you have (number-generating key or client certificate, usually on some sort of mobile device*).
- Remote Business Partner: Either VPN access; a private line connection (somewhere you are); or a LAN-to-LAN tunnel, which, when built with client certificates, becomes the preshared secret (something you know) + somewhere you are (a specific remote IP address or subnet at the far end of the tunnel).
- 802.1X: Take your pick of smart cards, crypto certificates, PKI, one-time passwords, usually associated with a specific device. Becomes a mix of something you know munged into something you have.*
- Walk up to a port and plug in: The only thing you need to be is in (or, in the case of unsecured wireless, near) the building (somewhere you are). This may or may not involve some level of pre-authentication (i.e., presenting a keycard to a guard and/or electronic reader), depending on time of day, physical structure of the network, diligence (or lack thereof) regarding physical security measures, etc. This probably describes 99.9%+ of the network access security in use in the corporate world today.
- Dial-back modems: Most have either forgotten about them or never used one, but once upon a time, I could only get remote network access by dialing into a modem bank, authenticating myself (something I knew), then hanging up, and the system would call me back at a pre-determined number (somewhere I was). That number could only be changed by going to the security department in person and filling out a form, which they would then process. That place was pretty paranoid, but it was not without reason–there was a lot of really valuable intellectual property contained there and a lot of people actually trying to get their hands on it.
Just something to think about…
* We tend to rationalize a cryptographic certificate as “something you have,” but it’s really a “something you know” that is too hard to remember, so the device it’s stored on becomes its proxy and thus “something you have.”
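To make the LAN-to-LAN tunnel case concrete, here is an added example (not code from the original post) that treats the preshared secret and the far-end subnet as two separate factors and reports which ones an attempt satisfies. The names `PartnerRecord`, `PARTNERS`, `factors_satisfied` and `allow` are hypothetical, and the secret and addresses are constructed sample values; the location is taken from the transport-level peer address and compared against a subnet registered out of band, in the spirit of the dial-back number.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PartnerRecord:
    psk_sha256: str      # digest of the preshared secret ("something you know")
    allowed_nets: tuple  # registered far-end subnets ("somewhere you are")

# Constructed sample record; in practice it is changed only out of band,
# like the dial-back number that required a visit to the security department.
PARTNERS = {
    "acme": PartnerRecord(
        psk_sha256=hashlib.sha256(b"constructed-example-secret").hexdigest(),
        allowed_nets=(ipaddress.ip_network("203.0.113.0/28"),),
    )
}

def normalize_peer(peer: str):
    """Parse the peer address seen by the listener, unwrapping IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(peer)  # raises ValueError on garbage
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped        # ::ffff:203.0.113.5 -> 203.0.113.5
    return addr

def factors_satisfied(partner_id: str, presented_psk: bytes, peer: str) -> set:
    """Return which factors ('know', 'where') this attempt satisfies."""
    record = PARTNERS.get(partner_id)
    if record is None:
        return set()
    satisfied = set()
    digest = hashlib.sha256(presented_psk).hexdigest()
    if hmac.compare_digest(digest, record.psk_sha256):  # constant-time compare
        satisfied.add("know")
    try:
        addr = normalize_peer(peer)
    except ValueError:
        return satisfied               # unparseable location never counts
    if any(addr in net for net in record.allowed_nets):
        satisfied.add("where")
    return satisfied

def allow(partner_id: str, presented_psk: bytes, peer: str) -> bool:
    """Grant access only when both factors hold, never on location alone."""
    return factors_satisfied(partner_id, presented_psk, peer) == {"know", "where"}
```

The location check is only as strong as the path that delivers the peer address: a value the client can assert for itself, such as a forwarded-for header, is not "somewhere you are."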
Where you are as an authentication factor
Not Bad for a Cubicle has posted about location as an authentication factor. We have also
thought about that. The WiKID Strong Authentication token comes in two basic flavors: wired
for the Mac, Windows and *nix and wireless for J2ME, Blackberry, Palwe…
Thinking WiKID Thoughts Says: