dido:public:s_cli:05_contents:02_prt:identity:01_problem:start

Differences

This shows you the differences between two versions of the page.

dido:public:s_cli:05_contents:02_prt:identity:01_problem:start [2021/06/24 13:09]
nick
dido:public:s_cli:05_contents:02_prt:identity:01_problem:start [2021/08/17 13:41] (current)
murphy
Line 1: Line 1:
 ====== 1.0 Problem Statement ====== ====== 1.0 Problem Statement ======
 [[dido:​public:​s_cli:​05_contents:​02_prt:​identity:​start | Return to User Scenario: Identity]] [[dido:​public:​s_cli:​05_contents:​02_prt:​identity:​start | Return to User Scenario: Identity]]
 +
 +===== 1.1 Background =====
 +[[dido:​public:​s_cli:​05_contents:​02_prt:​identity:​01_problem:​start | Return to Top]]
  
 Nancy is a USA citizen and plans a month-long European vacation with 4 major legs all within the Schengen Agreement Zone(( Nancy is a USA citizen and plans a month-long European vacation with 4 major legs all within the Schengen Agreement Zone((
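Review bot: The "Return to Top" link added under "===== 1.1 Background =====" targets this same page (dido:public:s_cli:05_contents:02_prt:identity:01_problem:start) and sits two lines below the page title and the existing "Return to User Scenario: Identity" link, so at this position it leads nowhere useful. Suggest dropping it from section 1.1 and keeping it only on later sections such as 1.2.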
Line 6: Line 9:
 )).  )). 
  
-Many companies have adopted [[dido:​public:​ra:​xapend:​xapend.a_glossary:​m:​mfa]] to help avoid fraudulent ​acitivies+Many companies have adopted [[dido:​public:​ra:​xapend:​xapend.a_glossary:​m:​mfa]] to help avoid fraudulent ​activities. MFA relies on three main factors in determining the authenticity of a user(( 
 +Mary E. Shacklett,​ 
 +TechTarget,​ 
 +__Multifaactor Authrtication__,​ 
 +Accessed: 24 June 2021, 
 +[[https://​searchsecurity.techtarget.com/​definition/​multifactor-authentication-MFA]] 
 +)): 
 + 
 +  * **[[dido:​public:​ra:​xapend:​xapend.a_glossary:​k:​knowledge_factor]]** include all things users must know in order to log in to gain access to a system. This includes Usernames, IDs (i.e., Passport or Driver'​s license numbers), [[dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​password | passwords]],​ and personal identification numbers (PINs), answers to security questions(i.e.,​ your favorite sport), or information derived from [[dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​pii]] (i.e., mother'​s maiden name, oldest child'​s middle name). See [[dido:​public:​ra:​xapend:​xapend.a_glossary:​c:​securityculture]] 
 +  * **[[dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​possession_factor]]** consist of things users must have in their possession in order to log in. This includes [[dido:​public:​ra:​xapend:​xapend.a_glossary:​o:​otp]] tokens, key fobs, smartphone apps, and employee ID using [[dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​smart_card | Smart Cards]] and [[dido:​public:​ra:​xapend:​xapend.a_glossary:​e:​emv]]. These all work well until those things go missing as a result of negligence, lost baggage, direct or indirect theft. Direct theft is when the Possession Factor is taken directly (i.e., the intent of the theft), indirect is when the Possession Factor is taken collaterally (i.e., handbag theft). Additionally,​ any changes in computers, networks due to upgrades, etc. would change the Possession profile for the individual. See [[dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​physicalsecurity]]. 
 +  * **[[dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​inherence_factors]]** include characteristics inherent to individuals confirming their identity. This includes the scope of biometrics, such as retina scans, fingerprint scans, facial recognition,​ and voice authentication. 
 + 
 +MFA can use other attributes in combination with the other [[dido:​public:​ra:​xapend:​xapend.a_glossary:​a:​authentication|authentication]] factors about any transaction:​ 
 + 
 +  * **[[dido:​public:​ra:​xapend:​xapend.a_glossary:​l:​location_factor]]** include using the user's current geographic location as determined by Global Positioning System (GPS) or using mobile device radio tower triangulation. Location Factors are generally not used as a sole source of [[dido:​public:​ra:​xapend:​xapend.a_glossary:​i:​identification|identification]] but are used in combination with other identifying factors such as Knowledge, Possession, or Inherence. For example, an attempt is made to sign-on to a site using the user's user id and [[dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​password]] but is doing so from a different location. The [[dido:​public:​ra:​xapend:​xapend.a_glossary:​s:​server|server]] rejects the sign-on because it uses the combination of the user/​password and location to confirm the identity of the user.  
 +  * **[[dido:​public:​ra:​xapend:​xapend.a_glossary:​t:​time_factor]]** includes using the time of a transaction to help verify the identity of the user. Time, as with Location, is not by itself to determine the identity of a user, but adding it with location is a powerful tool. For example, two transactions are requested about an hour about and in geographic locations that would take more than an hour to travel between the two locations. Also, it is known based on a person'​s history, they never perform transactions during normal working hours or after 11:00 pm local time.  Another use of time is the notification by the user of travel schedule including date, times, and location. Transactions requested outside the schedule are rejected. 
 + 
 + 
 +While Nancy is at home, in the USA using her own network and computer (i.e., **Possession Factors** and **Location Factors**), the likelihood of any issues is small. However, as Nancy travels MFA can prohibit her from being able to access or update her information because of **Locations Factors** and **Time Factors**. This is why it is essential for Nancy to notify her Credit Card companies and banking institutions about her proposed itinerary
  
  
 Nancy needs to identify herself while planning for the trip and during the trip, potentially exposing a lot of [[dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​pii]],​ [[dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​digital_signature]] as well as financial information (i.e., Credit Cards, Debit Cards, etc.) to numerous people in numerous countries from the beginning to the end. In addition to the exposure of her PII to the corporations,​ businesses, and individuals that she has direct business with, she also has to worry about her PII being processed by partner organizations working with businesses she is working with. As a result of poor [[dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​data_residency]] requirements,​ her PII might be processed and stored across the world thus limiting her ability for recourse if there are compromises. See [[dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security:​confidentiality]]. Nancy needs to identify herself while planning for the trip and during the trip, potentially exposing a lot of [[dido:​public:​ra:​xapend:​xapend.a_glossary:​p:​pii]],​ [[dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​digital_signature]] as well as financial information (i.e., Credit Cards, Debit Cards, etc.) to numerous people in numerous countries from the beginning to the end. In addition to the exposure of her PII to the corporations,​ businesses, and individuals that she has direct business with, she also has to worry about her PII being processed by partner organizations working with businesses she is working with. As a result of poor [[dido:​public:​ra:​xapend:​xapend.a_glossary:​d:​data_residency]] requirements,​ her PII might be processed and stored across the world thus limiting her ability for recourse if there are compromises. See [[dido:​public:​ra:​1.4_req:​2_nonfunc:​25_security:​confidentiality]].
 +
 +===== 1.2 Overview of Scenario =====
 +[[dido:​public:​s_cli:​05_contents:​02_prt:​identity:​01_problem:​start | Return to Top]]
  
 An overview of the trip is: An overview of the trip is:
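Review bot: In the added Knowledge Factor bullet, usernames and IDs such as passport or driver's license numbers are listed beside passwords and PINs, yet the unchanged paragraph later in this hunk says Nancy exposes her PII "to numerous people in numerous countries", so those values are identifiers seen by many parties rather than secrets. Suggest separating identifiers from secrets in that bullet and noting that PII-derived answers (mother's maiden name, oldest child's middle name) are weak for the same reason. The parentheticals opened with "(i.e.," in the added bullets give instances rather than restatements, so "e.g.," fits. Typos in the added lines: the footnote title "__Multifaactor Authrtication__" should read "Multifactor Authentication" (as in the cited URL), "about an hour about" should be "about an hour apart", "is not by itself to determine" is missing "used", "**Locations Factors**" should be "**Location Factors**", and the last added sentence, ending "about her proposed itinerary", has no closing period.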
dido/public/s_cli/05_contents/02_prt/identity/01_problem/start.1624554574.txt.gz · Last modified: 2021/06/24 13:09 by nick