Risk-based authN

Domingues, Michael D michael-domingues at uiowa.edu
Tue May 9 10:51:15 EDT 2017

Rich Graves (when he's wearing his Carleton College hat as opposed to his St. Olaf College hat) is doing something along these lines. He presented at Internet2 TechEx last year about it; the slide deck [1] and blog post [2] have more information.

[1] https://docs.google.com/presentation/d/1shl6OUCUqH70_H7cFsc_q_K-YbgIIBLxeuOMzI_2vw8/edit#slide=id.g17666f3b03_0_0

[2] http://blogs.carleton.edu/rgraves/2016/07/15/tracking-your-own-location-to-improve-your-account-security/

From: users <users-bounces at shibboleth.net> on behalf of Philip Brusten <philip.brusten at kuleuven.be>
Sent: Tuesday, May 9, 2017 9:39:57 AM
To: users at shibboleth.net
Subject: Risk-based authN


We are thinking about making a service which collects information from
trusted sources with information like: timestamp, application, userid,
user-agent, browser-fingerprint, IP (+geo-ip), etc. We could then ask
that service during a login to calculate the risk involved for that
login (e.g. geo-distance, same browser, etc). If the IdP decides the
risk is too high it could enforce multi-factor-authentication.

If we could get enough assurance that the IdP session comes from the
same user/browser, we could perhaps disable the consistentAddress-check,
and elevate the authentication level when necessary.

Is anyone doing the same thing?
Are there any existing services out there which we could use?

Kind regards,
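
The risk calculation described in the message above, as an added example that is not part of the original posts and is not Shibboleth code. It scores a login attempt against the user's earlier events using geo-distance and browser match and decides whether MFA should be enforced. All field names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Weights, thresholds and field names are assumptions made for this example.
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed
MFA_THRESHOLD = 50         # score at or above which MFA is enforced

@dataclass(frozen=True)
class LoginEvent:
    userid: str
    timestamp: datetime
    user_agent: str
    fingerprint: str  # browser fingerprint reported by a trusted source
    lat: float        # geo-IP latitude
    lon: float        # geo-IP longitude

def distance_km(a, b):
    """Great-circle (haversine) distance between two events' geo-IP positions."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(history, attempt):
    """Score a login attempt from 0 to 100 against the same user's earlier events."""
    past = [e for e in history
            if e.userid == attempt.userid and e.timestamp <= attempt.timestamp]
    if not past:
        return 60  # no baseline yet: treat as risky rather than trusted
    last = max(past, key=lambda e: e.timestamp)
    score = 0
    if attempt.fingerprint not in {e.fingerprint for e in past}:
        score += 30  # browser never seen for this user
    if attempt.user_agent != last.user_agent:
        score += 10
    hours = (attempt.timestamp - last.timestamp).total_seconds() / 3600
    km = distance_km(last, attempt)
    # Geo-IP is coarse, so ignore short hops and flag only implausible travel speed.
    if km > 100 and km / max(hours, 1 / 60) > MAX_PLAUSIBLE_KMH:
        score += 60
    return min(score, 100)

def requires_mfa(history, attempt):
    """Decision the IdP would act on: step up to MFA when the risk is too high."""
    return risk_score(history, attempt) >= MFA_THRESHOLD

# Constructed sample data (not real logins): one earlier login near Leuven.
T0 = datetime(2017, 5, 9, 8, 0, tzinfo=timezone.utc)
HISTORY = [LoginEvent("u1", T0, "Firefox/53", "fp-a", 50.88, 4.70)]
```
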

