Return to User Scenario: Identity

Return to Top

Nancy is a USA citizen and plans a month-long European vacation with 4 major legs all within the Schengen Agreement Zone¹⁾.

Many companies have adopted Multifactor Authentication (MFA) to help avoid fraudulent activities. MFA relies on three main factors in determining the authenticity of a user²⁾:

• Knowledge Factor include all things users must know in order to log in to gain access to a system. This includes Usernames, IDs (i.e., Passport or Driver's license numbers), passwords, and personal identification numbers (PINs), answers to security questions(i.e., your favorite sport), or information derived from Personal Identifiable Information (PII) (i.e., mother's maiden name, oldest child's middle name). See CyberSecurity Culture (CSC)
• Possession Factor consist of things users must have in their possession in order to log in. This includes One-Time PIN (OTP) tokens, key fobs, smartphone apps, and employee ID using Smart Cards and Europay, MasterCard® and Visa (EMV). These all work well until those things go missing as a result of negligence, lost baggage, direct or indirect theft. Direct theft is when the Possession Factor is taken directly (i.e., the intent of the theft), indirect is when the Possession Factor is taken collaterally (i.e., handbag theft). Additionally, any changes in computers, networks due to upgrades, etc. would change the Possession profile for the individual. See Physical Security.
• Inherence Factor include characteristics inherent to individuals confirming their identity. This includes the scope of biometrics, such as retina scans, fingerprint scans, facial recognition, and voice authentication.

MFA can use other attributes in combination with the other authentication factors about any transaction:

• Location Factor include using the user's current geographic location as determined by Global Positioning System (GPS) or using mobile device radio tower triangulation. Location Factors are generally not used as a sole source of identification but are used in combination with other identifying factors such as Knowledge, Possession, or Inherence. For example, an attempt is made to sign-on to a site using the user's user id and Password but is doing so from a different location. The server rejects the sign-on because it uses the combination of the user/password and location to confirm the identity of the user.
• Time Factor includes using the time of a transaction to help verify the identity of the user. Time, as with Location, is not by itself to determine the identity of a user, but adding it with location is a powerful tool. For example, two transactions are requested about an hour about and in geographic locations that would take more than an hour to travel between the two locations. Also, it is known based on a person's history, they never perform transactions during normal working hours or after 11:00 pm local time. Another use of time is the notification by the user of travel schedule including date, times, and location. Transactions requested outside the schedule are rejected.

While Nancy is at home, in the USA using her own network and computer (i.e., Possession Factors and Location Factors), the likelihood of any issues is small. However, as Nancy travels MFA can prohibit her from being able to access or update her information because of Locations Factors and Time Factors. This is why it is essential for Nancy to notify her Credit Card companies and banking institutions about her proposed itinerary.

Nancy needs to identify herself while planning for the trip and during the trip, potentially exposing a lot of Personal Identifiable Information (PII), Digital Signature as well as financial information (i.e., Credit Cards, Debit Cards, etc.) to numerous people in numerous countries from the beginning to the end. In addition to the exposure of her PII to the corporations, businesses, and individuals that she has direct business with, she also has to worry about her PII being processed by partner organizations working with businesses she is working with. As a result of poor Data Residency requirements, her PII might be processed and stored across the world thus limiting her ability for recourse if there are compromises. See 4.3.4.1 Confidentiality.

Return to Top

An overview of the trip is:

1. A river cruise along the Rhine River visiting some major cities, villages, and historic sites
2. A Paris getaway with cultural, shopping, eating, and clubbing activities
3. A mountain resort adventure with hiking, skydiving, paddleboarding, water skiing, and kayaking
4. A casino experience with shows, clubbing, and gambling
5. Nancy does all the bookings in advance for:

   1. Airplane
   2. Cruise ships
   3. Trains
   4. Hotel In Paris

      1. Museum visits
      2. Historical Sights
      3. Restaurants
      4. Discotheque
   5. Resort with some activities such as a

      1. Hiking
      2. Sky Diving
      3. Paddle Boarding
      4. Water Skiing
      5. Kayaking
   6. Casino

      1. Discotheque
      2. Cabaret shows
   7. Long Term Parking