/home/gimpf/on-topic

Trivial Idea - Probability of Identity

In practice, we have problems with authentication and authorization. Some issues are mitigated by n-factor authentication, more and more popular for web-applications. Additionally many web-applications know how to deal with different levels of “probablity of identity”, and explicitly ask for the password again before allowing access to more sensitive operations. I think that an extended approach might work well for mobile devices, and also for classic workstations.

Different tasks, performed on different data, require different security-levels: making a phone-call with your smartphone might require almost none, wheras accessing your Google Authenticator app should require some additional protection (it currently doesn’t).

We might want to start exploring the idea of using many factors continuously, on the devices themselves. Plain-old passwords, PINs, swipe-gestures and picture passwords, fingerprints, face recognition, typing/tapping/movements on keyboard, touchscreen and mouse, device movement patterns, some touchscreen-based metrics with regard to finger and skin characteristics, etc. Considerations w.r.t. to privacy could be handled storage of such data only on the device, or a selectable trusted external storage (my own server, for instance) – everything open source, and using a suitable one-way function whereever possible. Dreams.

Together these metrics should make it possible to “open” your phone, give it to an acquaintance, who then can message or phone somebody, play a game – but would find that access to your authenticator or e-banking app is blocked. Without manual selection of guest profiles etc. Stuff like taking a picture does not take any authentication at all, viewing the gallery – some. Posting to Facebook – some more.

Many unreliable heuristics might become sufficient if used together, at least for medium security operations. And it seems to me that there are quite a lot of medium security operations which should have more protection than a single swipe on the phone, but do not have any margin for bothersome authentication or restricted profile selection. I’d also be interested in the upper limits of such authentication – it might be better than expected.

The technology is nothing new, and all of that stuff is already in use – somewhere. Combining several metrics is also common today. Maybe it’s time to make it pervasive.