Difference between revisions of "Presence"
From MgmtWiki
Revision as of 12:16, 4 January 2020
Full Title or Meme
For Identity Management, Presence typically refers to the human user acting through an agent to access a Web Site.
Context
- When discussing the use of the internet by a user, what is really meant is the Presence of the user operating an agent on an internet connection at the time that the user makes a request with significant consequences.
- NIST Special Publication 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management implicitly includes Presence, but does not really discuss it beyond the following two extracts from Section 7 Session Management (which is labeled normative).
- 7.1.2 Access Tokens - An access token — such as found in OAuth — is used to allow an application to access a set of services on a subscriber’s behalf following an authentication event. The presence of an OAuth access token SHALL NOT be interpreted by the RP as presence of the subscriber, in the absence of other signals.
- 7.2 Reauthentication - Periodic reauthentication of sessions SHALL be performed to confirm the continued presence of the subscriber at an authenticated session (i.e., that the subscriber has not walked away without logging out).
- The original Presence test for messaging apps in the 1990s was keyboard entry, which could be passed to the correspondent's device to show that the user was present.
Problems
- From the time of the authentication with the agent forward, the user's Presence is typically not re-verified unless some individual action requires reconfirmation of the user's Presence.
- Following the recommendation from 800-63B above, long-lived sessions should be treated with special care and either require some sort of liveness test or just degrade the level of assurance of a session after some empirically derived length of time.
Solutions
These could be applied at the initial authentication as well as at specified periods based on length of the session connection, or lack of input from the user (liveness test).
- User's physical gesture (touch, swipe, etc) on an input sensor of the device.
- Measurement of some biological feature (fingerprint, face scan) of the user.
- Sending some message to an alternate communications path (SMS phone message, etc).
- Some sort of Turing test (CAPTCHA, etc.)
- Strong validation of the user device, the current state of the operating system on the device, and the exact provenance and status of the user agent software that presents the evidence of user presence.
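The two Problems above and the Solutions list can be expressed as a session policy: a valid access token counts only as evidence of an earlier authentication event, the assurance level of the session decays as time passes since the last explicit presence signal, and an action that needs more assurance than the session still holds triggers one of the liveness tests listed. The following is an added illustration, not code from the wiki or from NIST; the degradation schedule, the 24-hour lifetime and the signal names are assumptions chosen for the example.

```python
# Added example: session assurance that degrades with time since the last
# presence signal. A bearer/access token is deliberately NOT treated as a
# presence signal (800-63B 7.1.2); reauthentication restores the level (7.2).
from dataclasses import dataclass

# Assumed policy: (max seconds since last presence check, assurance level kept).
# Beyond the last entry the session keeps nothing but the token itself (level 0).
DEGRADATION_SCHEDULE = ((15 * 60, 3), (2 * 60 * 60, 2), (12 * 60 * 60, 1))
SESSION_LIFETIME = 24 * 60 * 60  # hard expiry regardless of activity (assumed)

# Presence signals taken from the Solutions list; names are assumptions.
PRESENCE_SIGNALS = {"gesture", "biometric", "out_of_band", "captcha", "device_attestation"}


@dataclass
class Session:
    authenticated_at: float       # time of the original authentication event
    presence_confirmed_at: float  # last explicit presence signal from the user
    token_valid: bool = True      # access-token state; not evidence of presence


def effective_assurance(session: Session, now: float) -> int:
    """Assurance level the session currently earns, from presence evidence only."""
    if not session.token_valid or now - session.authenticated_at > SESSION_LIFETIME:
        return 0
    since_presence = now - session.presence_confirmed_at
    for max_age, level in DEGRADATION_SCHEDULE:
        if since_presence <= max_age:
            return level
    return 0  # token still valid, but it says nothing about who is at the keyboard


def needs_presence_check(session: Session, required_level: int, now: float) -> bool:
    """True when an action's required level exceeds what the session still holds."""
    return effective_assurance(session, now) < required_level


def record_presence(session: Session, now: float, signal: str) -> Session:
    """Refresh the presence timestamp after a successful liveness test."""
    if signal not in PRESENCE_SIGNALS:
        raise ValueError(f"unknown presence signal: {signal}")
    session.presence_confirmed_at = now
    return session
```

A relying party would call needs_presence_check before each consequential request and run one of the listed tests only when it returns True, so that a walked-away session cannot ride on its token alone.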
Proof of Presence
The process of using one of the above methods to verify the presence of the user, or at least of some human being.
Reference
Other Material
- An alternate use of the word Presence is to refer to all of the user's attributes spread across the internet.