Difference between revisions of "Presence"

Revision as of 12:38, 4 January 2020

Full Title or Meme

For Identity Management, Presence typically refers to the human user acting through an agent to access a Web Site.

Context

  • When discussing the use of the internet by a user, what is really meant is the Presence of the user operating an agent on an internet connection during some sort of Authentication process.
  • NIST Special Publication 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management) implicitly includes Presence, but does not really discuss it beyond the following two extracts from Section 7, Session Management (which is labeled normative).
    • 7.1.2 Access Tokens - An access token — such as found in OAuth — is used to allow an application to access a set of services on a subscriber’s behalf following an authentication event. The presence of an OAuth access token SHALL NOT be interpreted by the RP as presence of the subscriber, in the absence of other signals.
    • 7.2 Reauthentication - Periodic reauthentication of sessions SHALL be performed to confirm the continued presence of the subscriber at an authenticated session (i.e., that the subscriber has not walked away without logging out).
  • The original Presence test for messaging apps in the 1990s was keyboard entry, which could be passed to the correspondent's device to show that the user was present.

Problems

  • From the time of the authentication with the agent forward, the user's Presence is seldom verified unless some individual action requires reconfirmation of the user's Presence.
  • Following the recommendation from 800-63B above, long-lived sessions should be treated with special care and either require some sort of liveness test or simply degrade the session's level of assurance after some empirically derived length of time.

Solutions

  • User's physical gesture (touch, swipe, etc) on an input sensor of the device.
  • Measurement of some biological feature (fingerprint, face scan) of the user.
  • Sending some message to an alternate communications path (SMS phone message, etc).
  • Some sort of Turing test (CAPTCHA, etc.).

Proof of Presence

The process of using one of the above methods to verify the presence of the user, or at least of some human being.
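The following is an added example, not part of this wiki page or of 800-63B, showing one way a relying party could act on the Problems and Solutions above: assurance degrades as the last confirmed presence ages, an OAuth token is never counted as presence, and a proof of presence (gesture, biometric, out-of-band message, or a Turing test that only shows "some human") restores it. All level names, timeouts, action requirements and method caps are hypothetical policy values.

```python
from dataclasses import dataclass

# Hypothetical policy values (constructed for this example, not from 800-63B):
# seconds since the last confirmed presence before a level degrades one step.
PRESENCE_MAX_AGE = {"high": 15 * 60, "medium": 60 * 60}
DEGRADE = {"high": "medium", "medium": "low"}
RANK = {"low": 0, "medium": 1, "high": 2}
# Hypothetical: minimum effective assurance each action requires.
ACTION_MIN_LEVEL = {"read_profile": "low", "change_email": "medium",
                    "transfer_funds": "high"}
# Presence proofs from the Solutions list. A Turing test shows only that some
# human is present, not which one, so it is capped at "medium" here (policy).
METHOD_CAP = {"gesture": "high", "biometric": "high",
              "oob_message": "high", "captcha": "medium"}


@dataclass
class Session:
    granted: str                    # assurance level set at authentication
    last_presence: float            # epoch seconds of last confirmed presence
    has_access_token: bool = False  # OAuth token held by the agent: ignored
    level: str = ""                 # current base level; "" means as granted

    def __post_init__(self):
        self.level = self.level or self.granted

    def effective_assurance(self, now: float) -> str:
        """Degrade stepwise as confirmed presence ages (cf. 800-63B 7.2).
        has_access_token is deliberately not consulted: a token is not a
        presence signal (cf. 800-63B 7.1.2)."""
        level = self.level
        age = now - self.last_presence
        while level != "low" and age > PRESENCE_MAX_AGE[level]:
            level = DEGRADE[level]
        return level

    def authorize(self, action: str, now: float) -> tuple[bool, str]:
        """Allow the action only if the current effective level suffices;
        otherwise the caller must obtain a fresh proof of presence."""
        need = ACTION_MIN_LEVEL[action]
        have = self.effective_assurance(now)
        if RANK[have] >= RANK[need]:
            return True, f"effective {have} satisfies {need}"
        return False, f"reauthenticate: effective {have} below required {need}"

    def confirm_presence(self, method: str, now: float) -> str:
        """Record a successful presence proof; return the level restored."""
        cap = METHOD_CAP[method]  # KeyError: method not accepted by policy
        self.last_presence = now
        self.level = min(self.granted, cap, key=RANK.__getitem__)
        return self.level
```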

Reference

Other Material

  • An alternate use of the word Presence is to refer to all of the user's attributes spread across the internet.