
Geofence to Reinforce Risk-Based Authentication Policies

Author: Alexandre Cagnoni, director of authentication, WatchGuard Technologies

Picture this situation. You live in the United States and are currently traveling in Europe when you get a reminder that your home insurance policy is about to expire. You open your computer and try to log in to your insurance provider to make the payment, but instead get an “access denied” message: you are not allowed to log in from your current location.

That’s a type of geofencing-based authentication, possibly implemented so the insurance company doesn’t have to deal with GDPR regulations. They probably don’t serve the European market and want to avoid having to deal with privacy regulations, as well as reduce exposure from unfamiliar access regions. It’s likely that they have a security rule in place where if you are in the United States, you can access your policy. If you are outside the U.S., access is denied.

I’m using this example to explain geofencing policies: a logical fence built around a geographical location, which can be an effective way to improve authentication security. Incorporating geofencing into your authentication policies can increase your security and mitigate risks.

Here are a couple of use cases where companies should consider using geofencing to reduce exposure to attacks, to data and privacy regulations, or as an internal employee security control:

  • A service which is provided only for customers within a specific country or region. For example, my insurance. 
  • Servers or applications that should be only accessed by teams from specific countries. For example, a server with engineering resources available to distributed engineering teams. 

Three Common Geofencing Methods

Common options include...

1. Based on IP Address: This is the least secure method, since it relies solely on the IP address of the source connection. The source IP address can be masqueraded through a VPN, so this method should only be used if your goal is to disclaim responsibility for use from other countries.

2. Based on Geolocation: You connect to a website, and it says: “target_url wants to know your location. Allow or Block”. This is because the website wants to get your precise location, not just one based on IP address. The use of HTML5 geolocation APIs can pinpoint your geolocation quite precisely! You might wonder if you have a GPS on your laptop, and you didn’t know it. No, it can get information in multiple ways, including the Wi-Fi hotspots around you, even if you are not connected to them. 

Geolocation is not only available for browsers. For example, in Windows 10 you can search for “Location” and configure whether it will be available to apps running on your computer. And if you are using your mobile phone, even better: it will try to use your embedded GPS and get a precise location. The benefit of Geolocation is that even if you connect through a VPN, your real location will be used. There are obviously tools for GPS spoofing, but Geolocation takes care of most cases.

3. Based on Geolocation Tracking and Correlation: Geofencing based on location tracking can be very effective against attacks. For example, impossible transitions, geokinetics, and geovelocity are common terms used when you track authentication from different locations in a short period of time. You authenticate from London, and 10 minutes later, from Paris. There is no way you could get there in 10 minutes. That would be an impossible transition, and should raise a red flag. Another interesting method would be to correlate locations. For example, someone connects to a service from Lisbon, but when you use your mobile phone to authenticate, it shows you are physically in New York. Red flag.
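The two checks described in method 3, as an added example that is not from the article or from WatchGuard: a geovelocity test over consecutive logins and a correlation test between the session location and the mobile authenticator location. The thresholds, event field names and sample events are assumptions constructed for illustration.

```python
import math
from datetime import datetime

# Assumed policy thresholds (not from the article): tune to your environment.
MAX_SPEED_KMH = 900.0        # roughly airliner cruising speed
MAX_CORRELATION_KM = 100.0   # allowed gap between session and authenticator

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events):
    """Flag consecutive logins per user whose implied speed exceeds the limit."""
    flags, last = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last.get(ev["user"])
        if prev:
            km = haversine_km(prev["loc"], ev["loc"])
            hours = (ev["time"] - prev["time"]).total_seconds() / 3600
            # Zero elapsed time across a real distance is also impossible.
            speed = km / hours if hours > 0 else math.inf if km > 0 else 0.0
            if speed > MAX_SPEED_KMH:
                flags.append((ev["user"], prev["city"], ev["city"], round(km)))
        last[ev["user"]] = ev
    return flags

def correlation_mismatch(session_loc, authenticator_loc):
    """True when the login source and the mobile authenticator are far apart."""
    return haversine_km(session_loc, authenticator_loc) > MAX_CORRELATION_KM

# Constructed sample data mirroring the London/Paris and Lisbon/New York cases.
LONDON, PARIS = (51.5074, -0.1278), (48.8566, 2.3522)
LISBON, NEW_YORK = (38.7223, -9.1393), (40.7128, -74.0060)
SAMPLE = [
    {"user": "alice", "time": datetime(2021, 6, 1, 9, 0), "city": "London", "loc": LONDON},
    {"user": "alice", "time": datetime(2021, 6, 1, 9, 10), "city": "Paris", "loc": PARIS},
    {"user": "bob", "time": datetime(2021, 6, 1, 9, 0), "city": "London", "loc": LONDON},
    {"user": "bob", "time": datetime(2021, 6, 1, 12, 0), "city": "Paris", "loc": PARIS},
]

if __name__ == "__main__":
    print(impossible_travel(SAMPLE))               # only alice's 10-minute hop
    print(correlation_mismatch(LISBON, NEW_YORK))  # session vs. phone location
```

A flag from either check is a risk signal to feed into the authentication policy (step-up or deny), since location sources such as IP geolocation can be coarse or wrong.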

“Tracking” is a word that freaks out anyone. Is the company trying to see where you are? Maybe check out if you are at the office or at the bar during business hours? The company needs to be very clear about the policies, and that the tracking is used just for the user’s protection. A geocorrelation, for example, would prevent someone getting access to a user’s account using social engineering, mitigating human errors.

Multi-factor and risk-based authentication should now work hand in hand. The U.S. White House Executive Order from May 12, 2021, for example, requires that the software supply chain for government agencies include actions, in their own words, “establishing multi-factor, risk-based authentication and conditional access across the enterprise.” A CISA (U.S. Cybersecurity & Infrastructure Security Agency) alert from December 17, 2020, warned about the need to detect “impossible logins” or “impossible travel,” determining the time between two authentications within two different geolocations.

There are several risk-based authentication methods that can help improve user experience and security, and geofencing is a method worth considering to move your identity security strategy to a more advanced level. It will reduce your risk and your exposure to privacy regulations, while strengthening your risk-based authentication policy framework.


Guest blog courtesy of WatchGuard Technologies. Author Alexandre Cagnoni is director of authentication at WatchGuard Technologies. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.