Login Insecurity: IP Address Can't be Trusted to Authenticate Users
Have you ever tried to log in to a web application from a different location or a different computer and been challenged to authenticate your identity? More than likely, the host relied on your IP address to determine your identity. Whenever I encounter a challenge to my credentials as a result of my location (IP address), it’s an annoyance that doesn’t make me feel any more secure.
The idea of using data from the machine/connection is sound, but an IP address isn’t reliable as a source of information to authenticate your identity. More and more web sites like banks—where the risk at login is extremely high—rely on this method as a security feature to protect the login page. Some SaaS applications like Salesforce.com also use this method as a way to confirm your identity. Salesforce.com describes this security feature this way:
“Our goal is to minimize the impact of the Identity Confirmation features by allowing established patterns of usage to continue unchallenged, so that users who log in from a known, trusted IP address are not affected. To exempt your users from having to take additional steps to log in, you can define a list of trusted IP ranges in the application.”
Given how easy it is to spoof an IP address I don’t see any circumstances when a “trusted IP address” can truly be trusted. And besides the spoofing issue, using IP for authentication is not very convenient for the mobile worker on a laptop who frequently logs in to a SaaS application while on the road. On the other hand, a device fingerprint (done right) would make a highly reliable factor to authenticate an identity—and once you have established the device’s identity you can cross-reference it to more data to get a complete risk profile that helps you decide whether to let the website visitor in, challenge them, or turn them away.
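The two approaches side by side, as an added example that is not code from the original post or from any vendor it mentions: a trusted-range check next to a device-first check that returns the three outcomes named above (let in, challenge, turn away). It assumes the device identifier is a server-signed token issued at enrollment, a stand-in since the post does not say how the fingerprint is derived, and uses a failed-login count with a threshold of 5 as the hypothetical "more data."

```python
import hashlib
import hmac
import ipaddress

# Every value here is constructed for illustration.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # "office" range
SERVER_KEY = b"example-only-key"
ENROLLED = {"alice": {"dev-7f3a"}}  # user -> device ids bound at enrollment
MAX_FAILED = 5  # hypothetical threshold for the extra risk signal


def sign_device(device_id):
    """Token the server hands to a device once it has been enrolled."""
    mac = hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def ip_policy(user, src_ip):
    """Trusted-range policy: the address alone decides; `user` is never consulted."""
    addr = ipaddress.ip_address(src_ip)
    return "allow" if any(addr in net for net in TRUSTED_RANGES) else "challenge"


def device_policy(user, token, failed_logins=0):
    """Device-first policy: verify the token, then weigh one extra risk signal."""
    token = token or ""
    device_id = token.partition(".")[0]
    # Constant-time comparison against the token the server would have issued.
    genuine = hmac.compare_digest(sign_device(device_id).encode(), token.encode())
    known = genuine and device_id in ENROLLED.get(user, set())
    if known:
        return "challenge" if failed_logins >= MAX_FAILED else "allow"
    return "deny" if failed_logins >= MAX_FAILED else "challenge"


if __name__ == "__main__":
    token = sign_device("dev-7f3a")
    print(ip_policy("alice", "203.0.113.10"))   # inside the trusted range
    print(ip_policy("bob", "203.0.113.10"))     # same address, different person
    print(ip_policy("alice", "198.51.100.7"))   # alice on the road
    print(device_policy("alice", token))        # enrolled device, any network
    print(device_policy("alice", "dev-7f3a.forged"))
    print(device_policy("alice", None, failed_logins=5))
```

The range check gives the same answer to everyone who shares an address and challenges the enrolled user as soon as she travels; the device check follows the enrolled device instead.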
On the other side of login security there’s the dilemma of how to keep logins both safe and convenient. Ease of use is critical, as explained in the Usability Sciences Corporation article “Making Login Security Friendly.” They point out that “users don’t want to ‘feel’ the complexity of the security measures being activated upon login; they just want to login at any time and enjoy effortless transactions. If a user cannot login, the visit is over, or at the very least, cut short.”
Two of the big advantages of device identification as a factor to authenticate a user are 1) its transparency: authentication takes place in a second or two without placing any burden on the web site visitor, and 2) its speed: authentication takes place in real time, so you can decide instantly whether to expedite entry of a known customer or stop the fraudster from ever gaining entry.
- Tom


