Commentary by Mark Wahl, CISA
Recent publications on network authentication, or how can you be in two places at once? (20081003)
I saw that US patent application 20080222714 was recently published, which describes an approach for leveraging the identity metasystem in authentication upon (wired or wireless) network attachment.
In this approach, the relying party (the network service provider) permits an identity selector associated with the supplicant to communicate with its chosen identity provider during the 802.1X authentication exchange, by tunneling the interactions between the identity selector and the identity provider inside an EAP exchange. Upon completion, the sealed token generated by the identity provider is forwarded in an EAP message from the selector to the relying party, which can extract the user's identity from it.
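As an added illustration (not code from the patent application or from this post), the following simulates the exchange just described: the selector's request to the identity provider is carried inside the EAP exchange, the identity provider returns a token, and the relying party verifies it before extracting the identity. The message shapes, the shared key, and modelling the "sealed" token as HMAC-SHA256 over JSON claims (integrity only, no encryption) are all assumptions made here for brevity.

```python
# Added illustration: simulated identity-selector / IdP interaction tunnelled in EAP.
# Token format and keys are constructed assumptions, not the patent's design.
import hmac, hashlib, json

IDP_RP_KEY = b"constructed-shared-key"   # assumed: key the IdP shares with the RP
RP_ID = "rp:corp-wifi"                   # assumed: audience identifier of the RP

def idp_issue_token(subject, audience, now):
    """Identity provider: seal claims so the relying party can check their origin."""
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + 300}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(IDP_RP_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": body.decode(), "mac": tag}

def rp_extract_identity(token, now):
    """Relying party: verify seal, audience and freshness, then return the subject."""
    body = token["claims"].encode()
    expected = hmac.new(IDP_RP_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None                      # altered in transit or not from the trusted IdP
    claims = json.loads(body)
    if claims.get("aud") != RP_ID or not claims["iat"] <= now < claims["exp"]:
        return None                      # issued for a different RP, or outside its validity
    return claims["sub"]

def eap_exchange(subject, now, tamper=False):
    """Simulate the EAP messages between supplicant (selector), RP and IdP.
    Returns (identity extracted by the RP or None, message transcript)."""
    transcript = [("RP->Supplicant", "EAP-Request/Identity"),
                  ("Supplicant->RP", "EAP-Response/Identity (selector present)")]
    # RP permits the selector to reach its chosen IdP through the EAP tunnel.
    transcript.append(("Supplicant->RP->IdP", "tunnelled token request for " + RP_ID))
    token = idp_issue_token(subject, RP_ID, now)
    transcript.append(("IdP->RP->Supplicant", "tunnelled sealed token"))
    if tamper:  # a modified token must fail the RP's seal check
        token = {"claims": token["claims"].replace(subject, "someone-else"),
                 "mac": token["mac"]}
    transcript.append(("Supplicant->RP", "EAP-Response carrying sealed token"))
    identity = rp_extract_identity(token, now)
    transcript.append(("RP->Supplicant", "EAP-Success" if identity else "EAP-Failure"))
    return identity, transcript

if __name__ == "__main__":
    who, msgs = eap_exchange("alice@example.com", 1_700_000_000)
    for hop, msg in msgs:
        print(f"{hop:24} {msg}")
    print("identity extracted by RP:", who)
```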
Another component of risk-based authentication within the enterprise is being able to determine whether a request originates from a part of the enterprise network where the user is likely to be located, which can be problematic for highly mobile users. The recently published US patent application 20080228721 describes an approach in which a user's calendar entries are read to determine the site or sites from which the user is likely to be connecting at a particular time.