The Impossible Journey Authentication Action

The Curity Identity Server 5.1 adds several geolocation features. This article aims to cover the details of the Impossible Journey action. There are additional Authentication Actions available that leverages geolocation data covered in this article, New Country vs. Changed Country, whats the difference?

Authentication Actions

Authentication Actions are configurations that can be added to the Authentication flow to enrich and enhance the authentication. There are several actions available in the Curity Identity Server out-of-the-box and its also quick and easy to leverage the Curity SDK to write custom actions.

Authentication Actions can be configured to trigger after the actual Authenticator and can also be chained. Its even possible to define a chain of actions that can be applied to multiple different Authenticators and thus no need for duplicated configurations.

Examples of actions are time based actions, password reset, scripting, Multi Factor condition, account linking, attribute lookup from various sources and more.

The Impossible Journey

The Impossible Journey action is easy to configure in the Curity Identity Server. A data source is needed in order to store the geolocation information from an authentication session. An attribute name needs to be defined. This is a boolean subject attribute that will be set to True if an impossible journey was identified. And lastly the speed for the impossible journey calculations is defined.

Note that the geolocation data is not detailed enough to identify an individual user. In the case of the Impossible Journey action it will capture the longitude and latitude of a user at authentication time and this is derived from the clients IP-address. The database used is internal to the Curity Identity Server and no external requests are made in order to determine the location.

How does it work?

The Impossible Journey Authentication Action will determine the latitude/longitude based on the clients IP-address when triggered. This is information is captured (Point A) and stored in the configured data source. When the same user authenticates next the procedure runs again (Point B) and the action will calculate the speed that it would take to travel from Point A to Point B. If this speed is less than the configured speed for the action a boolean subject attribute will be set to False. If not, its deemed an Impossible Journey based on the configuration and the attribute will be set to True and subsequent actions can be triggered to further verify the user, using MFA for example.

Caveats

The default speed configured for the action is 250 km/h (155 mph). The setting for this will impact the outcome of the action and should be aligned with how the user base using this given authentication action in their authentication flow travels. Things to consider would be train travel and how fast trains typically move where the user is active. Airplanes obviously move at speeds that are greater than 250 km/h so maybe if the user base travel by air a lot this value needs to be increased.

Its possible to define multiple instances of the action with different settings that are applied to different groups of users in order to cover various travel patterns in the best possible way.

Important to note is that the user would not necessary be fully denied access (although that is also possible) but instead extra verification of the user is more typical.

Conclusion

Authentication Actions are very powerful additions to the Authentication flow. With the addition of geolocation data in the Curity Identity Server its possible to enable further controls and verifications in scenarios that might be suspicious and would otherwise be unknown.