27

In addition to the authentication techniques that are based on “something you have”, “something you know” and “something you are”, authentication techniques that consider “somewhere you are” are also used. Why? Does it add further security?

psmears
  • 900
  • 7
  • 9
Joe Smith
  • 401
  • 4
  • 6
  • 21
    From a fraud perspective it could help. For example your bank, if you always make payments from country X and all of a sudden they (the bank) see you're making payments from country Y, they could add an extra challenge (SMS code for example) to verify it is most likely you. – Jeroen Sep 22 '20 at 04:26
  • Or from a legal perspective: if you are working with PII (personal identifiable information) it might be important to guarantee (as best as possible) that these information are only processed in the specific countries. – Steffen Ullrich Sep 22 '20 at 04:28
  • I'd never realized that "somewhere you are" doesn't fall into any of the standard factors of authentication (1. something you know, 2. something you have, 3. something you are). Does this mean that those three categories are not enough to describe authentication, and an alternative model should be devised? – reed Sep 22 '20 at 09:25
  • 14
    "somewhere you are" is not an authentication factor, but an authorization factor. – A. Hersean Sep 22 '20 at 09:34
  • 4
    Although probably only useful in certain niche cases, I feel it's worth mentioning the possibility of vicinity-based authentication based on the *speed of light*. E.g., requiring nodes to respond to your requests in less than X ms would authenticate that such nodes are physically located within a radius of Y km. – Will Sep 23 '20 at 03:52
  • @Jeroen as a frequent traveler, this is massively inconvenient. Being in a new country is precisely when an SMS is least likely to get through (unless you have some expensive global roaming plan), and also when you probably need money the most, with fewest backup options. May work fine for people who don't travel. – dbkk Sep 23 '20 at 09:33
  • @Will Surely that is no less trivial to circumvent than IP address based methods of verifying location? – Jon Bentley Sep 23 '20 at 19:39
  • This is probably obvious to everyone here, but this is implicitly used for authorization purposes *all the time*. Is the computer on the LAN/VPN/inside the firewall? Well then it's authorized – thegreatemu Sep 23 '20 at 21:06
  • @JonBentley Not at all: the speed of light is one the few things in this universe that can never be circumvented. Maybe you misunderstood the entailed semantics though: it doesn't establish any lower bound on the distance to a node; just an upper bound. In many cases that's entirely sufficient though. E.g., if you have a grid of multiple authentication servers programmed to simultaneously send unique challenges to the node to be authenticated at predetermined times, you can retroactively establish that node's location simply be means of triangulation. – Will Sep 23 '20 at 22:56
  • @Will Yes, sorry for not being clear - I wasn't challenging the notion of the speed of light. My point is that it can be circumvented by using a proxy node. Or to put it another way, you can't verify the location of the *end user* (which is typically the goal) by verifying the location of the node you are communicating with (which is typically not very interesting information). – Jon Bentley Sep 24 '20 at 07:54
  • @JonBentley In some cases sure, but a proxy would be of limited use when received user locations are tracked over time. An end user can only be physically at one place at a time, so if the proxy location is registered as the initial location, it would have to keep using that same area in the future too (or rather, it can only be expected to move away from that area at a velocity *much* lower than the speed of light). Precision might be insufficient to function as a standal-one means of authentication, but its potential in combination with other authentication factors is non-trivial, I believe. – Will Sep 24 '20 at 09:48
  • 2
    @A.Hersean FALSE. You have the same access rights no matter where you are. But the fact that you are somewhere may be (weak) evidence that you are not actually you. – user253751 Sep 24 '20 at 12:49
  • @thegreatemu You think that being on a VPN says something about your physical location? – Acccumulation Sep 25 '20 at 00:55
  • @Acccumulation Who said anything about *physical* location? We talk about "network location" all the time – thegreatemu Sep 25 '20 at 15:03
  • @thegreatemu The question makes no mention of network location. I see no reason to interpret "where you are" in the question to refer to network location. If there is an account on a network, and you've logged into the network with that account, then you've *already* been authenticated. – Acccumulation Sep 25 '20 at 21:01

9 Answers9

29

“Somewhere you are” is NOT an authentication factor, despite what you might have read elsewhere. It is an authorization factor.

Indeed, it does not answer the question "are you who you claim to be?", but instead it answers "should you be there? / are you authorized to be here?". (The answer to the question "who are you?" being an identification, yet another category.)

To further clarify (as asked in comments): Owning a badge, a key or knowing a password (a.k.a. a token) can answer the question "are you who you claim to be?" because the token should unique and should be in its owner possession. Whereas multiple different persons can easily be in front of the door trying to enter.

If in your very specific case, only authenticated persons can be in front of the door, this only means that the authentication has been performed elsewhere beforehand and that you trust this specific location to be a good conveyor of the authentication information. It also implies that you trust this first authentication method. Whether this trust is misplaced or not depends on your threat model.

As a side note: biometrics should only be considered an identification factor (or a most a very weak authentication factor), because you cannot revoke a biometric feature, while you can revoke a stolen authentication factor, by changing the lock or updating the whitelist. End of side note.

This means in practice that you should check the "somewhere you are" factor (IP address, geo-localization, time-locatization (date expiration), etc.) independently of authentication, and preferably after a proper authentication to be able to log the activity and be able to do accountability.

So yes, you can use the “somewhere you are” factor on top of the classical 3 types of authentication factors, but not as another authentication factor, but as an authorization parameter. Whether it's useful depends on the use-cases, and other answers to this question address this point or give examples.

A. Hersean
  • 10,046
  • 3
  • 28
  • 42
  • 22
    How does owning some item answer the question "who you are?" any more than being located in the private flat of that person? There is just some probability distribution linking two different facts to your identity. Maybe one is better, maybe not. – schlenk Sep 22 '20 at 20:57
  • 12
    What prevents it's use as an authentication factor? If I write a login that fails authentication because an IP's geolocation is not what I expect(i.e. the password hash uses a portion of a known range of IPs as a salt), is it not a factor of that authentication? Or are you simply saying it *should not* be used that way, rather than it *cannot* be? – TCooper Sep 22 '20 at 21:23
  • 6
    @schlenk Owing an item to prove something has long tradition in government. In modern times owning your drivers license in some countries prove you are who you are. Same for passport. For electronic usage physically holding your credit card or physically owning a USB crypto token dongle serves the same purpose. – slebetman Sep 22 '20 at 22:50
  • @TCooper Yes, you should read my answer as a recommendation, of something that *should* (or not) be done, in the general case. You of course *can* do many things, and whether they are good ideas depend mainly on your specific threat model. – A. Hersean Sep 23 '20 at 07:46
  • 3
    @slebetman I take exception to this: "Owing an item to prove something [...] owning your drivers license in some countries prove you are who you are" - Driver's licenses and passports are not examples of real-life "bearer tokens" as I think you're saying. A driver's license only "proves" who you are if the biometric information displayed on the card (eyes, height, hair, etc) matches your actual biometrics as far as your challenger (the club bouncer) is concerned. – Dai Sep 23 '20 at 08:37
  • 1
    @TheD The same is true for bearer tokens. You must not accept JUST THE TOKEN to prove identity. You must have 2 out of 3 - who you are, what you have and what you know. For bearer token it must match who you are - your username. The same for passport - it MUST match who you are – slebetman Sep 23 '20 at 10:22
  • 1
    _Side note:_ are there any real life examples of this? I've only ever seen this in films. – SQB Sep 23 '20 at 12:18
  • 14
    This is a misleading answer. While location does not provide proof of who you are, it is widely used to **validate** and check for anomalies. If you were in location A one hour ago and are now in location B, 2000 km away, that is unlikely to be you. Also, other answers list further sources that specifically call location an "authentication factor". Check those sources. – Tom Sep 23 '20 at 13:02
  • 1
    This is simply false. I'm entitled to get money from my bank account no matter where I am. But if I suddenly appeared to be in China, that would be a red flag that "I" am actually not me. It can't be a complete authentication system by itself, but it can be suggestive. – user253751 Sep 23 '20 at 13:40
  • 5
    Location is certainly not an authorization factor, but it can absolutely be an authentication factor (although rarely the only one). Authorization would imply things like file access permissions. Authentication establishes who you are. By itself, location is probably a poor authentication factor, but in 2FA or 3FA setups, it can be immensely useful. For instance, if a login for user "johnsmith" does not come from his office, it would be suspicious. – Kevin Keane Sep 23 '20 at 18:33
  • 3
    @KevinKeane: Location can certainly be an authorization factor. For example, my credit and debit cards are set up in a way that disallows it from making purchases over a specific sum **if it's used outside of the EU**, mainly to avoid it being used too much if stolen. -- at work we also had several services that were only available if the accessing device was connected directly to our network, the same devices couldn't access these services if connected via VPN. No idea the reasoning, though that was removed with the lockdown when most people started working from home. – CGundlach Sep 24 '20 at 13:42
  • The claim that it is "NOT an authentication factor" but an authorization factor is most certainly not always the case. My company's cloud network will refuse to allow me connect from an IP other than my home IP (authorization). With my credit card login though, usually I just need a username/password... but if I log in from an unrecognized location, it triggers a text verification, thus using my location as a single **authentication** factor in the MFA scheme (if location is right, that counts as the second factor; if not, try another one). – Doktor J Sep 25 '20 at 17:23
27

"Where you are" can be defined in many useful ways.

For instance, location can be determined to be within a certain building. This is useful when it is a work account where you should only be logging in from that building. So, if you are logging in from the building's network, then there is a level of trust that the person logging in is, at least, physically present, and the threat of unauthorised access is extremely limited.

It can also be defined at the country level. If you are providing a country-specific service or all employees/users are expected to be logging in from a specific country, then any logins from beyond that country are suspicious.

Many businesses have used "geo-fencing" for years to block access from geographic areas that are not expected, which is an inverse form of geographic authentication. Using location as a positive factor in authentication is just a natural extension of this.

Note that location is not a strong factor, since it is possible to route traffic to different locations in order to log in from an acceptable location.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 4
    Where you are could even be implemented more restrictively, for instance as "must come from the wired network that serves room XYZ" or even "must come from amandajones' desktop computer". – Kevin Keane Sep 23 '20 at 18:34
17

Implied authentication with other factors

One use case of "somewhere you are" is in scenarios where being "somewhere" implies that certain other authentication measures have been applied.

For example, you might have a computer system where you authenticate with a username and password (i.e. only "something you know") but that is only accessible from specific workstations in a secure location where entering that location generally requires ID verification. In that sense, being in that place implies (though not necessarily ensures) that both "something you have" and "something you are" factors have also been verified.

Enforced circumstances of access

In certain situations "somewhere you are" adds extra security by ensuring that the access happens in a specific physical environment.

You might have a confidentiality need to prevent the user from copying certain data that they are authorised to access - for example, taking exams, where you want to prevent people from copying and sharing the exam questions. You can solve that by ensuring that access is possible only from a location where the actions of the user are physically monitored, and the user will be prevented from (for example) using their cell phone to take photo of the screen, or even bringing in such devices to the place from which access is allowed.

For another example, you might want to ensure non-repudiation of access (i.e. false claims of stolen credentials) by video recording the person accessing the system. I have seen such measures used in server colocation facilities - if physical presence is required for certain actions, you can note the person who actually accessed the systems and what systems were accessed.

Deterrence due to risk of being caught

Many authentication systems have low consequences for failed attempts to falsely authenticate, so this allows attackers to try authenticating even if there's a low chance of success. However, if "somewhere you are" is a factor, that place can be chosen to ensure that a failed attempt to present false credentials is likely to result in the attacker being detained. This also reduces the likelihood of attacks since many potential attackers would be deterred by this risk.

Peteris
  • 8,369
  • 1
  • 26
  • 35
  • 2
    This is the best answer in terms of actually answering the question, and gives examples where "somewhere you are" really is somewhere you are, not "point of apparent origination of network activity" which is can be faked by proxy or by attacker having control of the measuement device. – R.. GitHub STOP HELPING ICE Sep 25 '20 at 01:41
  • I like this answer in that it explains how location can be an *authentication* factor (implied authentication section) and/or an *authorization* factor (enforced circumstances section), contrary to A.Hersean's belligerent insistence. – Doktor J Sep 25 '20 at 17:27
11

Answer was posted as comment. I am claiming no reputation score

From a fraud perspective it could help. For example your bank, if you always make payments from country X and all of a sudden they (the bank) see you're making payments from country Y, they could add an extra challenge (SMS code for example) to verify it is most likely you

And here is an extra. When you swipe/touch your credit card, the bank knows where the merchant is. Assuming you use your own card yourself (e.g. never lend to your children/partner, which is not that bad of an idea), and assuming you do have a banking app installed, the bank may either push a geolocation request to your phone, or analyse your location history reported by the app (the second being more privacy-invasive).

Then the bank can compare the approximate distance between POS and mobile device. Precision depends on a number of factors (their mileage may vary), but swiping a card in Bruxelles when the phone is geolocalized in Prague is a red flag!

My bank, for example, asks for the second. To collect 24/7 location information.

The geolocation criteria is only a feature from the point of view of fraud classification, which is normally scored across several parameters (frequency, amount, merchant category, usage of PIN...).

What can realistically happen is that you may get a phone call "Hello Mr. Smith, this is Alice from ABC Bank, your account no. ends with #123 and I am calling to report unusual activity with your card".

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
  • 7
    It is also used between swipes. If your card is being swiped now in Bruxelles, and it was swiped 10 minutes ago in Prague, there's something fishy there. – Ángel Sep 22 '20 at 22:51
  • 2
    even simpler, if you regularly buy something in New York and you do so just now with your card but supposedly five minutes later you buy something in Honolulu with your card, you either invented a teleportation device or at least one usage is fraudulent and not done by you, likely the second in this case. – Frank Hopkins Sep 24 '20 at 02:31
  • 3
    Several years ago, I bought several gift cards (maybe $200 worth) at a grocery store about 25 miles away from my home, using my MasterCard. Didn't buy anything else in the transaction. The transaction was declined, and Citibank called me to ask if that was me, I said yes, the grocery store tried the card again and it worked. – Mark Stewart Sep 24 '20 at 19:33
2

Somewhere you are basically based on the location where the service is authenticated.

One of the most common methods of detecting a user’s location is via Internet Protocol (IP) addresses. For instance, suppose that you use a service that has Geolocation security checks. When you configure your account, you might say that you live in the United States. If someone tries to log in to your account from an IP address located in Germany, the service will probably notify you saying that a login attempt was made from a location different than yours. That is extremely useful to protect your account against hackers.

Sivaram Rasathurai
  • 390
  • 2
  • 4
  • 15
  • 1
    https://security.stackexchange.com/questions/10434/how-many-authentication-factors-are-there?rq=1 – Sivaram Rasathurai Sep 22 '20 at 04:42
  • please check the above's answer also – Sivaram Rasathurai Sep 22 '20 at 04:43
  • 1
    One of most common methods to check location is when you call your security staff "I'm at the back door, please push the button to let me in" is that they look at the camera and see you are there, speaking to a phone. – Vesa Karjalainen Sep 23 '20 at 17:43
  • why, when I worked as an intern in a company, they gave a laptop and with that, laptop only I can access the resource. What I am thinking is, They filter the requests based on mac address so somewhere are you means I am sending the request from an authorized laptop or not in this case – Sivaram Rasathurai Sep 24 '20 at 03:44
  • 1
    That's something very different from "where you are" as an authenitcation/authorisation factor ... And no, they did not check the MAC... – schroeder Sep 24 '20 at 08:41
2

Like any authentication factor, it only "adds further security" when implemented correctly. There are a myriad of uses, but if done incorrectly it can make no difference, or worse, leave your system less secure.

While outdated (2011), this quick overview gives a nice example of location based authentication:

Location Factor
Location-based authentication rarely comes up, but it has been used with dial-up remote access as an additional authentication factor. Imagine that Joe is authorized to work from home using a dial-in remote access connection to connect to work-based resources. The remote access server can be configured so that as soon as Joe calls in and authenticates, the server hangs up and calls Joe’s computer at home.

As long as Joe tries to connect from his home computer, the connection will work. However, if an attacker was trying to impersonate Joe using Joe’s username and password, the attacker could not connect. Instead, when the attacker authenticated with Joe’s credentials, the remote access server would hang up, and try to call Joe’s computer.

There are many other use case examples, many outlined in other answers already so I won't repeat.

This Wikipedia page on location based authentication is also good for additional reading, or this similar page more broadly covering multi-factor authentication. Specifically notice the use of GPS mentioned in the mobile phones section.

I previously mentioned it could make your authentication less secure. As an (over the top, obviously dumb) example, assume you trust location completely and as long as a user has logged in once before, and they're connecting from the same IP address, they don't need to reauthenticate. As IP addresses are trivial to spoof in 99% of cases, this makes targeting anyone's account child's play.

I include the example to stress that the answer to your question of "How “Somewhere you are” authentication adds further security?" is "Differently depending on how you use it, and only if you implement it correctly".

as @DanChase points out, a simple thing to keep in mind during implementation is to only ever exclude access based on location as an additional factor, never use location as a reason to grant access.

TCooper
  • 336
  • 1
  • 8
  • I feel like to exclude based on location is (more) correct, versus bypassing other factors due to location. – Dan Chase Sep 23 '20 at 04:19
  • 1
    @DanChase I agree, I think the example from 2011 (using dial-up!) should be seen as a basic analogy / to begin thinking about how location based systems can be implemented. Definitely not a good idea. Like a comment I made yesterday to talk theory involved using a part of an IP as a salt for a password hash. Sounds fun, don't think I will never implement that or anything close. The other example is what not to do. That being said, I'm going to add a little snippet to the answer as your comment concisely makes a very good point about *how* to properly implement. – TCooper Sep 23 '20 at 16:56
2

Where you are not, is just as important of a concept as where you are. If I login from Romania, what are the odds that it's me? I could be on vacation, could be using a proxy, but the last 500 logins came from Ohio, so is there a reason to think it may not be me? How often do you reject phone calls, because you don't recognize the phone number? What are the odds that 1-800 number is your buddy down the street, if someone calls from an 800 number and says they are your grandson and asks you to wire them some money, does the 800 number play a part? My brain tells me yes. Academia tells me possibly no. Philosophy tells me it shouldn't.. but this is survival so the brain wins.

Dan Chase
  • 121
  • 3
1

As noted in A. Heresen's answer, location isn't an authentication factor but instead an authorisation factor.

For me, it's important in several ways in the modern, mobile thing we all have now - firstly if you're simply not expecting a login to occur for User A outside of your country then you can highlight such an occurrence as a high-risk login and take different steps.

You can also look at location vs. time. What I call "time travel". If I log in from an external IP at 13:00 UTC in London and 13:05 UTC from an external IP in New York then at least one of those logins is possibly compromised. That's an obvious "red alert" factor that could be used to mark my account as probably compromised right? Even if I actually have traveled from New York to London, a login that occurs in New York while I'm not there is of some concern.

More than that, you could be a bit more subtle and record location history and require more stringent login if I'm logging in from an untrusted location or one that I don't normally log in from. For example, you might say you don't require MFA for login attempts coming from inside your corporate network, "occasional" MFA for login attempts coming from networks I commonly use, and MFA for every login coming from an untrusted network I don't normally use.

You could combine that with other factors. If I login from my "normal" phone that I normally use that you've fingerprinted but from a coffee shop geographically near where I normally work from home, the chances are that I've probably just nipped out for a coffee and maybe got a call to check something. We'll say that's a medium risk login for argument's sake.

If a new device uses my credentials from a place halfway across the country then that connection attempt sounds like a high risk login.

Now if you can profile all these factors and route me through different authentication requirements based on risk then you've put stuff like location data to good use I'd say.

Rob Moir
  • 399
  • 1
  • 10
1

Another issue not yet mentioned is that "where you are" checks may impede certain forms of man-in-the-middle attacks, especially with things like self-activating security tokens. If e.g. a phone is supposed to automatically grant access to something in a room X if it is within range, without the operator having to manually operate the phone, but attackers set up radio repeaters between room X and room Y, then attackers might wait in room X for the victim to visit room Y. If the phone encrypts its location as part of its transmission, a device in room X could reject any access requests from a phone whose reported location would be too far away from the device to see anyone who might be trying to access it.

In such a scenario, what's being confirmed wouldn't be so much authentication nor authorization, but rather intention. Does the fact that the user has placed the phone within range of a radio repeater that in room Y imply an intention to unlock something in room X? Probably not.

Note that unless the communications medium either securely encrypts parameters necessary for proper reception and retransmission of the raw data (as would be the case for some spread spectrum radios, but wouldn't be the case for many others), or the software imposes sufficiently tight round-trip timing constraints that a message-forwarding system would be unable to meet them, normal methods of man-in-the-middle prevention would be ineffective since the attack doesn't involve eavesdropping or message tampering, but instead simply involves accurate conveyance of messages between the victim and the device.

supercat
  • 2,029
  • 10
  • 10