Location as an identity claim

Here's an interesting piece from Dave Kearns

I was on a teleconference with O'Reilly Group‘s Tim O'Reilly and Nat Torkington discussing the upcoming Where 2.0 Conference which will focus on mapping and location technologies when a thought occurred to me – could location be a factor in a multi-factor authentication scheme?

The “where” of IdM has often referred to the platform or device that someone was using to access a resource, but suppose a GPS was used in order to indicate the physical location of the user?

For a cell-phone user, the GPS might not be needed if the location of the cell tower was “close enough” (i.e., area of a city rather than street address).

I could see this being used in a graded authentication scheme to reduce or deny access based on a possibly adverse location (e.g., someone trying to access a Pentagon database from Uzbekistan).

I don't know if there are any products that do this, if any or planned or if it's even feasible – but it's worth a thought.

This is one of the very scenarios I see us as enabling by moving to “claims based identities”. So yes, I see it as planned at an architectural level.

Once you get your head around expressing identities as sets of claims, you can easily imagine expressing a user's location as one of those claims. In the identity metasystem, the relying party could indicate in its policy that it requires several sets of identity claims– one indicating who the user is, and another indicating where the user is. The claims might come from different authorities (e.g. an enterprise and a trusted location provider). These would be implemented as two Security Token Services (claims transformers). Both sets of claims, taken together, would identify the user from the point of view of the relying party.

I've spoken recently with a number of Europeans for whom location is fast becoming a central issue. Various national and international agreements mean that exposing information across international borders increasingly opens enterprises up to audits by additional (foreign) governments. This problem is particularly accute in banking – and has many ramifications. So the need to ensure that some data is only accessed within national boundaries is fast becoming a real driving issue.

As a side note, this example captures one of the most interesting things about the identity metasystem we are proposing. Independent third parties can innovate and create claims transformers (STS's) of the kind described here and just plug them in to the fabric. People can then consume their outputs just by putting in a URL and deciding to trust them (payment might be a good idea too).

To my mind this is a very significant aspect of the ecosystem. In other words, people can add pieces that really take us towards new capabilities without having in any way to change the way the broader system works.

Published by

Kim Cameron

Work on identity.