Authentication By Location?
Recently my wife & I decided to activate our home security system. We'd lived in our house for more than 2 years without it, but some recent thefts in our area convinced us it was time to bite the bullet. Thanks to this latest addition our home security setup now boasts:
- Handle locks & deadbolts on all the doors
- The aforementioned security system
- Motion lights in the yard
- 1 ferocious Labrador Retriever named Brisco
- The sonic fence from LOST
OK, perhaps #5 was a stretch. But hopefully you get the gist of what I'm saying, which is that layered security methods = greater overall security. If all I did was use handle locks on my doors, this would be the technical equivalent of using '123456' as my password (on second thought, having a weak password might be akin to forgoing locks entirely!).
Earlier this week, Google opted to enhance its own security measures by offering two-factor authentication for certain segments of its Google Apps user base. The logic behind this method is for the user to combine something she individually knows with something she uniquely has, making it significantly more likely that the user is who she says she is. In Google's case what the user has will be her mobile phone, which will receive a randomly generated PIN for the user to enter into the web browser in order to complete the authentication process. Seems like a perfectly acceptable solution, right? But for those of us in the security space, it also gets the brain churning about other ways this can be accomplished. What else does a user have that might be useful in confirming their identity?
A recent ZDNet blog post by Joe McKendrick pointed out another thing that everyone has: their location. McKendrick suggests that maybe, just maybe, location could eventually play a role in identity verification. I'm an avid Foursquare user so of course this is a topic that interests me. Furthermore, we've all received those courtesy calls from our credit card companies when we're running up charges from a location that's far enough from home that they suspect them to be fraudulent. Facebook has implemented a similar, automated location-based security check. Last month Finsphere announced PinPoint, "the first location-based fraud monitoring service" for the financial services industry. Today Location Labs announced "a 'Universal Location Service' platform that aggregates locations of phones across carriers for developers and centralizes privacy management for end-users" (via ReadWriteWeb). The old saying "location, location, location" has never been more accurate. But is this approach viable and secure at a time when location spoofing is only an iPhone app away?
This is where I'd like our readers to chime in. Can you see a scenario where location (via a mobile device) becomes part of a reliable authentication scheme? Is it possible to eliminate or minimize the risk of location spoofing? Feel free to leave a comment...
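As an added illustration (not code from this post or from any of the vendors mentioned), here is a sketch of the credit-card-style location check described above, used as a risk signal that can only demand the second factor. The thresholds, the names, and the idea of a second, network-derived location source (for example carrier or IP geolocation) are assumptions, and the coordinates are constructed sample data.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0      # assumed ceiling: roughly airliner cruise speed
MAX_SOURCE_GAP_KM = 100.0  # assumed tolerance between the two location sources

@dataclass
class Fix:
    lat: float
    lon: float
    epoch_s: int  # time of the observation, seconds since the epoch

def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def location_risk(last_good: Fix, device: Fix, network: Fix) -> list[str]:
    """Return the reasons (possibly none) this login's location looks wrong."""
    reasons = []
    # A self-reported fix is only trusted if an independent source roughly agrees.
    if haversine_km(device, network) > MAX_SOURCE_GAP_KM:
        reasons.append("source_mismatch")
    # Geo-velocity: could the user have travelled here since the last good login?
    hours = max((device.epoch_s - last_good.epoch_s) / 3600.0, 1 / 60)
    if haversine_km(last_good, device) / hours > MAX_SPEED_KMH:
        reasons.append("impossible_travel")
    return reasons

def decide(password_ok: bool, reasons: list[str]) -> str:
    """Location never grants access; it can only demand the second factor."""
    if not password_ok:
        return "deny"
    return "step_up" if reasons else "allow"

# Constructed sample data (not from the post).
HOME = Fix(40.7128, -74.0060, 1_700_000_000)             # New York
SAME_CITY = Fix(40.7306, -73.9866, 1_700_000_000 + 3600)  # one hour later, nearby
LONDON_1H = Fix(51.5074, -0.1278, 1_700_000_000 + 3600)   # one hour later, London

if __name__ == "__main__":
    print(decide(True, location_risk(HOME, SAME_CITY, SAME_CITY)))
    print(decide(True, location_risk(HOME, LONDON_1H, LONDON_1H)))
    print(decide(True, location_risk(HOME, SAME_CITY, LONDON_1H)))
```

Agreement between the two sources raises the cost of spoofing but does not prove where the user is, which is why a clean result here only skips the extra prompt and never replaces the password.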