Friday, June 03, 2005

The WHERE in IdM

I was on a teleconference with O'Reilly Group's Tim O'Reilly and Nat Torkington discussing the upcoming Where 2.0 Conference, which will focus on mapping and location technologies, when a thought occurred to me: could location be a factor in a multi-factor authentication scheme?

The "where" of IdM has usually referred to the platform or device someone is using to access a resource, but suppose a GPS fix were used to establish the user's physical location instead?

For a cell-phone user, GPS might not even be needed if the location of the serving cell tower is "close enough" (i.e., the area of a city rather than a street address).

I could see this being used in a graded authentication scheme to reduce or deny access based on a possibly adverse location (e.g., someone trying to access a Pentagon database from Uzbekistan).

I don't know whether any products do this, whether any are planned, or whether it is even feasible, but it's worth a thought.
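To make the graded scheme above concrete, here is an added example (not code from the original post or from any product it mentions) of a policy that maps a location claim to an access level. The country tables, the cell-tower lookup table and the 50 km accuracy cutoff are all constructed for illustration. One practitioner caveat is built in: a location the handset reports about itself (a GPS fix sent by the client) is easy to spoof, so it can only lower the grade, while an operator-derived cell fix, coarse as it is, can raise it.

```python
"""Graded access from a location claim (added illustration, hypothetical policy)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Access(IntEnum):
    DENY = 0
    REDUCED = 1   # e.g. read-only, non-sensitive records only
    FULL = 2


@dataclass(frozen=True)
class LocationClaim:
    country: str            # ISO 3166-1 alpha-2 code the fix resolves to
    source: str             # "gps" (handset-reported), "cell" (operator), "ip" (geolocation)
    accuracy_m: float       # radius within which the fix is believed to lie
    network_derived: bool   # True if the operator/network produced it, not the client


# Constructed policy tables (assumptions for this example, not from the post).
FULL_ACCESS_COUNTRIES = {"US"}
REDUCED_ACCESS_COUNTRIES = {"US", "GB", "CA"}
BLOCKED_COUNTRIES = {"UZ"}   # the post's "adverse location" example
MAX_ACCURACY_M = 50_000      # a fix coarser than this cannot be pinned to one country

# Constructed cell-tower table: tower id -> (country, typical coverage radius in metres)
CELL_TOWERS = {
    "310-410-1234": ("US", 3_000),
    "234-15-5678": ("GB", 2_500),
    "434-04-9012": ("UZ", 8_000),
}


def locate_from_tower(cell_id: str) -> Optional[LocationClaim]:
    """Coarse, operator-supplied fix: city-level, which is enough for a country policy."""
    entry = CELL_TOWERS.get(cell_id)
    if entry is None:
        return None
    country, radius = entry
    return LocationClaim(country, "cell", radius, network_derived=True)


def grade(claim: Optional[LocationClaim]) -> Access:
    """Map a location claim to an access level; the 'where' can lower or raise the grade."""
    if claim is None:
        return Access.REDUCED      # unknown is not adverse, but it cannot earn full trust
    if claim.country in BLOCKED_COUNTRIES:
        return Access.DENY         # deny even on an unverified claim: failing closed is cheap
    if claim.accuracy_m > MAX_ACCURACY_M:
        return Access.REDUCED      # too coarse to say which side of a border the user is on
    if claim.country not in REDUCED_ACCESS_COUNTRIES:
        return Access.DENY         # default-deny for regions the policy does not list
    if claim.country in FULL_ACCESS_COUNTRIES and claim.network_derived:
        return Access.FULL
    # Right country, but either client-reported (spoofable) or a reduced-only region.
    return Access.REDUCED


def decide(user_authenticated: bool, device_recognised: bool,
           claim: Optional[LocationClaim]) -> Access:
    """Location is one factor among several: it caps the grade, it never replaces the others."""
    if not user_authenticated:
        return Access.DENY
    level = grade(claim)
    if not device_recognised:
        level = min(level, Access.REDUCED)
    return level


if __name__ == "__main__":
    for cell in ("310-410-1234", "434-04-9012", "000-00-0000"):
        print(cell, decide(True, True, locate_from_tower(cell)).name)
    spoofable = LocationClaim("US", "gps", 5.0, network_derived=False)
    print("handset GPS claiming US:", decide(True, True, spoofable).name)
```

The ordering of the checks matters: the blocked-country test runs before the accuracy test so that a deliberately vague adverse fix is still denied, and the allowlist test runs before the full-access test so that an unlisted country never falls through to a grant.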

Even without cell towers, you can pinpoint a cellphone pretty accurately. A phone is typically within range of more than one tower, so you can use signal strength to triangulate and obtain the phone's location to (iirc) within a few metres. Not as few as GPS, but less than 100m.

True story: I met an Italian engineer who was working with a cellphone company there and had his phone stolen. Even though the thief had replaced the SIM, the engineer was able to go into the system (unofficially!), look up his phone via its unique identity, the IMEI, obtain the location, track the thief for a few minutes, call his phone and tell the thief his location to within one block and the route he took to get there. The thief was very spooked, needless to say, and mailed the phone to the phone company immediately, as requested!
I recently did some work with a client that was looking at this approach. We knew the identity of the user, the identity of the device, and considered using the location of the user as another level of authorization for information.

For example, they may not want to deliver the same data to someone in China as they would in the UK. Interesting stuff, but still too easy to spoof location to be effective.

The cellphone example is quite real however.

© 2003-2006 The Virtual Quill, All Rights Reserved

