How does "Somewhere you are" authentication add further security?

“Somewhere you are” is NOT an authentication factor, despite what you might have read elsewhere. It is an authorization factor.

Indeed, it does not answer the question "are you who you claim to be?", but instead it answers "should you be there? / are you authorized to be here?". (The answer to the question "who are you?" being an identification, yet another category.)

To further clarify (as asked in comments): Owning a badge, a key or knowing a password (a.k.a. a token) can answer the question "are you who you claim to be?" because the token should be unique and should be in its owner's possession. Whereas multiple different persons can easily be in front of the door trying to enter.

If in your very specific case, only authenticated persons can be in front of the door, this only means that the authentication has been performed elsewhere beforehand and that you trust this specific location to be a good conveyor of the authentication information. It also implies that you trust this first authentication method. Whether this trust is misplaced or not depends on your threat model.

As a side note: biometrics should only be considered an identification factor (or at most a very weak authentication factor), because you cannot revoke a biometric feature, while you can revoke a stolen authentication factor, by changing the lock or updating the whitelist. End of side note.

This means in practice that you should check the "somewhere you are" factor (IP address, geo-localization, time-localization (date expiration), etc.) independently of authentication, and preferably after a proper authentication, to be able to log the activity and provide accountability.

So yes, you can use the “somewhere you are” factor on top of the classical 3 types of authentication factors, but not as another authentication factor; rather, as an authorization parameter. Whether it's useful depends on the use-cases, and other answers to this question address this point or give examples.


"Where you are" can be defined in many useful ways.

For instance, location can be determined to be within a certain building. This is useful when it is a work account where you should only be logging in from that building. So, if you are logging in from the building's network, then there is a level of trust that the person logging in is, at least, physically present, and the threat of unauthorised access is extremely limited.

It can also be defined at the country level. If you are providing a country-specific service or all employees/users are expected to be logging in from a specific country, then any logins from beyond that country are suspicious.

Many businesses have used "geo-fencing" for years to block access from geographic areas that are not expected, which is an inverse form of geographic authentication. Using location as a positive factor in authentication is just a natural extension of this.

Note that location is not a strong factor, since it is possible to route traffic to different locations in order to log in from an acceptable location.
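The two answers above make complementary points: the first that a location check belongs after authentication, as an authorization parameter with an audit trail, and the second that "where you are" can be defined as a building network, a country, or an expected time window. The following is an added example written for this page (not code from either answer) that puts both together. All networks, the GeoIP table, the user record and the policy values are constructed placeholders, and the password is compared in clear for brevity where a real system would verify a salted hash.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# --- Constructed sample policy; every value here is hypothetical -----------------
BUILDING_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # the office LAN
ALLOWED_COUNTRIES = {"FR"}                                   # country-level geo-fence
ALLOWED_HOURS = range(7, 20)                                 # UTC hours when logins are expected

# Stand-in for a GeoIP database: network -> ISO country code (constructed).
GEOIP_TABLE = {
    ipaddress.ip_network("10.20.0.0/16"): "FR",
    ipaddress.ip_network("203.0.113.0/24"): "FR",   # remote but in-country
    ipaddress.ip_network("198.51.100.0/24"): "US",  # out of country
}

# Hypothetical credential store. Real systems store salted password hashes.
USERS = {"alice": b"correct horse battery staple"}

# In-memory audit trail: every decision is attributed to the claimed identity.
AUDIT_LOG = []


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def authenticate(username: str, password: str) -> bool:
    """'Something you know' check: answers 'are you who you claim to be?'."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, password.encode())


def country_of(ip) -> Optional[str]:
    """Look the address up in the constructed GeoIP table."""
    for net, cc in GEOIP_TABLE.items():
        if ip in net:
            return cc
    return None


def authorize_location(ip, now: datetime) -> Decision:
    """'Somewhere you are' check: answers 'should you be here?', not who you are.

    Network location can be made to look like somewhere else by routing
    traffic through another network, so this only gates an identity that has
    already been authenticated; it never replaces the credential check.
    """
    d = Decision(allowed=True)

    # Building-level location: inside the office network or not.
    if any(ip in net for net in BUILDING_NETWORKS):
        d.reasons.append("on building network")
    else:
        d.reasons.append("off-site")

    # Country-level geo-fence.
    cc = country_of(ip)
    if cc in ALLOWED_COUNTRIES:
        d.reasons.append(f"country {cc} allowed")
    else:
        d.allowed = False
        d.reasons.append(f"country {cc} not allowed")

    # Time-localization: logins are expected only during working hours (UTC).
    if now.astimezone(timezone.utc).hour not in ALLOWED_HOURS:
        d.allowed = False
        d.reasons.append("outside expected hours")

    return d


def login(username: str, password: str, source_ip: str, now_iso: str) -> Decision:
    """Authenticate first, then apply the location policy, then record both."""
    ip = ipaddress.ip_address(source_ip)
    now = datetime.fromisoformat(now_iso)
    if not authenticate(username, password):
        # Location is neither evaluated nor revealed for an unverified identity.
        d = Decision(allowed=False, reasons=["authentication failed"])
    else:
        d = authorize_location(ip, now)
    AUDIT_LOG.append({"user": username, "ip": source_ip, "when": now_iso,
                      "allowed": d.allowed, "reasons": list(d.reasons)})
    return d


if __name__ == "__main__":
    when = "2024-03-04T09:30:00+00:00"
    for ip in ("10.20.5.7", "203.0.113.4", "198.51.100.9"):
        print(ip, login("alice", "correct horse battery staple", ip, when))
```

Because `login` evaluates the credential before the location, a failed login produces an audit entry with only "authentication failed": the location policy is never consulted for an identity that has not been established, which keeps the audit trail attributable to a verified user and avoids disclosing which networks are trusted.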


Implied authentication with other factors

One use case of "somewhere you are" is in scenarios where being "somewhere" implies that certain other authentication measures have been applied.

For example, you might have a computer system where you authenticate with a username and password (i.e. only "something you know") but that is only accessible from specific workstations in a secure location where entering that location generally requires ID verification. In that sense, being in that place implies (though not necessarily ensures) that both "something you have" and "something you are" factors have also been verified.

Enforced circumstances of access

In certain situations "somewhere you are" adds extra security by ensuring that the access happens in a specific physical environment.

You might have a confidentiality need to prevent the user from copying certain data that they are authorised to access - for example, taking exams, where you want to prevent people from copying and sharing the exam questions. You can solve that by ensuring that access is possible only from a location where the actions of the user are physically monitored, and the user will be prevented from (for example) using their cell phone to take a photo of the screen, or even bringing such devices into the place from which access is allowed.

For another example, you might want to ensure non-repudiation of access (i.e. false claims of stolen credentials) by video recording the person accessing the system. I have seen such measures used in server colocation facilities - if physical presence is required for certain actions, you can note the person who actually accessed the systems and what systems were accessed.

Deterrence due to risk of being caught

Many authentication systems have low consequences for failed attempts to falsely authenticate, so this allows attackers to try authenticating even if there's a low chance of success. However, if "somewhere you are" is a factor, that place can be chosen to ensure that a failed attempt to present false credentials is likely to result in the attacker being detained. This also reduces the likelihood of attacks since many potential attackers would be deterred by this risk.