It’s common understanding these days that the more factors of identification a user has to provide to an authentication system, the more trustworthy and secure it is likely to be. Single-factor authentication is usually accomplished by providing something you know, like a password or PIN.
As two-factor authentication became more and more mainstream, the two factors involved have usually been something you know and something you have, like a credit card, a cryptographic USB key, a code generated periodically by an electronic card you keep in your wallet, a smart card that can respond directly to cryptographic challenges, or an RFID or other radio device. The most common use of two-factor authentication is how bank customers authenticate to an ATM: they must provide something they have, their bank card, and something they know, its PIN.
As cheap ways to collect biometrics have begun to emerge, these two factors have begun to shift from something you know and something you have to something you know and something you are. This notion of something you are, generally referred to as biometrics, includes things like your finger or palm print, iris pattern, voice print, or even your DNA. Using something you are to authenticate is obviously less expensive than providing users with something they need to have; however, some more advanced authentication systems now require all three factors for authentication.
Enter the fourth factor of authentication: somewhere you are.
But how do you reliably prove where you are if you’re not authenticating physically in person? And how strong an identifier is your location anyway?
Some authentication systems, such as those used in online banking and other web applications, where the number of users being authenticated makes providing all of them with a hardware device or crypto-card cost prohibitive, have already begun to require a kind of hybrid factor between the second and fourth factors mentioned above. If you have previously been properly authenticated, the web application may create a cookie or some other identifier on your computer that it can retrieve later, essentially turning your computer or web browser into both something you have and somewhere you are. The cookie itself is the something you have, and these are now generally being tied to the network source address of your computer, which is the somewhere you are. If this cookie no longer exists, or no longer matches your network source address, the authentication system may ask for additional identifying information to further validate your identity. While not flawless, this approach is a step in the right direction.
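The hybrid cookie-plus-source-address check described above, as an added example written for this post rather than taken from any product it mentions: the cookie is an HMAC-tagged token binding a random device id to the user and the source address seen at login, and a missing, forged or mismatched cookie yields the step-up request for more identifying information. The server key and addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side key for the example; a real deployment keeps it out of source.
SERVER_KEY = b"example-server-key-not-for-production"


def issue_device_cookie(user_id: str, source_ip: str) -> str:
    """Mint a cookie after a fully authenticated login, binding a random device id
    to the user and to the network source address observed at that login."""
    device_id = secrets.token_hex(8)
    payload = f"{user_id}|{device_id}|{source_ip}"   # user ids must not contain '|'
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def check_device_cookie(cookie: Optional[str], user_id: str, source_ip: str) -> str:
    """Return 'known_device' when the cookie is intact and still matches both the
    user and the current source address; otherwise 'step_up', meaning the server
    should ask for additional identifying information before trusting the login."""
    if not cookie:
        return "step_up"                      # no cookie: first login from this browser
    parts = cookie.rsplit("|", 1)
    if len(parts) != 2:
        return "step_up"                      # malformed cookie
    payload, tag = parts
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "step_up"                      # tampered or forged cookie
    cookie_user, _device_id, cookie_ip = payload.split("|")
    if cookie_user != user_id or cookie_ip != source_ip:
        return "step_up"                      # different user, or a different network location
    return "known_device"


if __name__ == "__main__":
    c = issue_device_cookie("alice", "198.51.100.7")
    print(check_device_cookie(c, "alice", "198.51.100.7"))   # known_device
    print(check_device_cookie(c, "alice", "203.0.113.9"))    # step_up
```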
As GPS devices continue to become smaller and cheaper, the something you have may also begin to double as the somewhere you are, or more specifically, somewhere it is. It stands to reason that if you are authenticating, and you have the something you have there with you, then the somewhere it is is equivalent to the somewhere you are. If, after authenticating to your bank from your home, perhaps via three-factor authentication, you have this device transmit where it is, that location can serve as a fourth factor of identification, further strengthening your provable identity. Authentication systems could also potentially be programmed with the geographical boundaries of a secured area, like a military base or campus, and only allow authentication from wireless devices if they are located within those boundaries.
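The geographical-boundary check for wireless devices, as an added example that is not from the post or any product it names: a ray-casting point-in-polygon test over a constructed boundary polygon, applied to the position the device reports. It takes the reported fix at face value, which is the post's own assumption that the device is in the user's hands.

```python
from typing import List, Tuple

Point = Tuple[float, float]   # (latitude, longitude) in decimal degrees


def point_in_polygon(point: Point, polygon: List[Point]) -> bool:
    """Ray-casting test: cast a ray from the point along increasing longitude and
    count the polygon edges it crosses; an odd count means the point is inside."""
    lat, lon = point
    inside = False
    n = len(polygon)
    for i in range(n):
        lat1, lon1 = polygon[i]
        lat2, lon2 = polygon[(i + 1) % n]        # wrap around to close the polygon
        if (lat1 > lat) != (lat2 > lat):          # does this edge straddle the point's latitude?
            # Longitude at which the edge crosses the point's latitude
            cross_lon = lon1 + (lat - lat1) * (lon2 - lon1) / (lat2 - lat1)
            if lon < cross_lon:                   # crossing lies ahead of the point on the ray
                inside = not inside
    return inside


# Constructed boundary of a secured area (a rough rectangle); not a real site.
BASE_BOUNDARY: List[Point] = [
    (38.8700, -77.0600), (38.8700, -77.0400),
    (38.8500, -77.0400), (38.8500, -77.0600),
]


def location_factor(reported_fix: Point, boundary: List[Point] = BASE_BOUNDARY) -> str:
    """Evaluate the somewhere-you-are factor for a wireless login from the position
    the device reports: 'inside_boundary' permits authentication, 'outside_boundary' does not."""
    return "inside_boundary" if point_in_polygon(reported_fix, boundary) else "outside_boundary"


if __name__ == "__main__":
    print(location_factor((38.8600, -77.0500)))   # inside_boundary
    print(location_factor((38.8600, -77.0300)))   # outside_boundary
```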
While a user’s location cannot definitively identify a single user, it can provide both context information and relationship information, similar to the concept of authentication groups used in user and password systems. If a user is authenticating from a physically secured area within a military base that only officers with a certain clearance are allowed to access, the location can contextually provide group association, but not who the individual user is.
Thus far, I have only found one company claiming to provide a four-factor authentication system, Priva Technologies. Their Cleared Security Platform, however, does not use somewhere you are as the fourth factor, but rather some proprietary challenge-response between the ClearedKey hardware device (something you have) and the authentication system. Without any detail published about how this works, it is hard to tell whether this is truly a fourth factor, or whether it falls under the second factor in that it is a property of the hardware device and thus a more robust something you have.
It is also my opinion that the Cleared Security Platform does not even use true three-factor authentication. When authenticating, you really only provide the primary authentication system with something you have, the ClearedKey, and something you know, your password. The third factor, something you are, is actually provided to a separate, secondary authentication system in the ClearedKey itself, presumably preventing the ClearedKey from operating and being used to authenticate to the primary authentication system if the user didn’t biometrically authenticate to it first. Priva markets this behavior as a way to prevent the expense and complexity of maintaining a centralized biometrics database connected to the primary authentication system, which is a fine argument and an attractive goal; however, this technically splits the authentication in two, turning it into a single-factor authentication to the ClearedKey, then a two-factor authentication to the Cleared Security Platform, since it doesn’t actually send the biometric data.
It is important to note that for an authentication system to truly be multi-factor, it has to require at least one of each of the identification factors described above: something you know, something you have, something you are, and somewhere you are. An authentication system requiring two separate passwords or two separate crypto keys is not employing two-factor authentication.