Geo-Based risk scoring for passwordless authentication: architecting robust security

Threat Model Canvas: Passwordless Authentication and Geo-Risk

A robust passwordless authentication system significantly reduces the attack surface associated with traditional passwords. However, even the strongest passwordless implementations can be vulnerable to geographically motivated attacks. Our threat model focuses on scenarios where an attacker attempts to leverage geographical inconsistencies to bypass or compromise passwordless authentication.

Key components of our threat model include:

• Assets: User accounts, sensitive data, transaction processing systems.
• Threat Agents: Malicious actors attempting account takeover, fraud.
• Threats: Geographical spoofing, man-in-the-middle attacks leveraging different geo-locations, account compromise via stolen device used from a suspicious location.
• Vulnerabilities: Weak geo-location verification, lack of real-time risk assessment based on IP address and location data.
• Impact: Financial loss, data breach, reputational damage.

Assumptions

Our proposed geo-risk scoring approach rests on several key assumptions:

• Location Data Accuracy: We assume that GeoIP data provides a reasonably accurate (but not foolproof) approximation of a user's location. GeoIP databases can be accurate to the city level in many instances but can have limitations, especially with mobile and VPN usage.
• Established User Behavior: A baseline of typical user locations exists. Deviations from this baseline can then be flagged as potential risks. This requires a period of data collection and analysis to establish normal usage patterns.
• Multi-Factor Authentication (MFA) Integration: Geo-risk scoring enhances but does not replace other security mechanisms. It is most effective when integrated with MFA or other adaptive authentication methods.
• Data Logging and Reporting: All risk scores and associated geo-location data are logged for auditing and incident response purposes.

Abuse Paths

Attackers may attempt to exploit the passwordless system through several abuse paths linked to geography:

• Geo-Spoofing: An attacker uses a VPN or proxy server to appear as if they are connecting from a trusted location, bypassing location-based security checks.
• Man-in-the-Middle (MitM) Attacks: Intercepting authentication tokens while the user is in a different geographical area than usual (e.g., user travels unexpectedly, and the tokens are stolen in transit).
• Stolen Device Usage: An attacker gains possession of a user's device and uses it to authenticate from a location significantly different from the user's typical locations.
• Insider Threat: A malicious insider with access to location data modifies records to facilitate unauthorized access.

Mitigation Layers: Implementing Geo-Risk Scoring

To mitigate these abuse paths, implement a multi-layered approach that incorporates geo-risk scoring into the passwordless authentication flow:

1. GeoIP Data Enrichment

Enhance the authentication process by enriching IP addresses with GeoIP data. Key data points to harvest include:

• Country
• Region/State
• City
• Latitude/Longitude
• Connection Type (e.g., residential, business, mobile, VPN)

2. Risk Score Calculation

Calculate a risk score based on the geo-location data, considering factors such as:

• Distance from Known Locations: Calculate the distance (e.g., using the Haversine formula) between the user's current location and their historically observed locations. Larger distances imply higher risk.
• Anonymization Proxy Detection: Increase the risk score if the connection is identified as originating from a VPN or proxy server.
• High-Risk Countries: Assign a higher risk score if the connection originates from a country known for high levels of cybercrime or fraud. Maintain a regularly updated list of high-risk countries.
• Travel History: Compare the current location with the user's recent travel history. Unexpected or rapid location changes can increase the risk score.

The risk score can be a weighted sum of these factors. For example:

RiskScore = (Weight_Distance * DistanceScore) + (Weight_Proxy * ProxyScore) + (Weight_Country * CountryScore) + (Weight_Travel * TravelScore)

Define thresholds for risk scores to trigger different actions (e.g., step-up authentication, account lockout).

3. Adaptive Authentication

Integrate the geo-risk score into an adaptive authentication framework. Based on the risk score, trigger additional authentication steps such as:

• Step-Up Authentication: Require a one-time password (OTP) sent via SMS or email.
• Knowledge-Based Authentication (KBA): Ask security questions to verify the user's identity.
• Biometric Authentication: Request biometric verification (e.g., fingerprint scan, facial recognition).
• Account Lockout: Temporarily lock the account if the risk score exceeds a critical threshold.

Consider integrating adaptive authentication principles to strengthen the passwordless flow. Learn more about it from examples of adaptive auth.

4. Real-Time Monitoring and Alerting

Continuously monitor authentication attempts and flag suspicious activity based on geo-risk scores. Set up alerts to notify security teams of high-risk events. Analyze trends to identify emerging threats and refine risk scoring models.

5. User Education

Educate users about the importance of secure internet connections and the risks associated with using public Wi-Fi or VPNs. Encourage users to report any suspicious activity or unauthorized access attempts.

Implementation Notes

• Data Privacy: Handle geo-location data responsibly and in compliance with privacy regulations (e.g., GDPR, CCPA). Obtain user consent before collecting and processing location data.
• False Positives: Minimize false positives by carefully tuning risk scoring thresholds and incorporating feedback from users. Provide a mechanism for users to easily report false positives and regain access to their accounts.
• Dynamic Adjustment: Regularly review and adjust the risk scoring model based on changes in threat landscape and user behavior using anomaly detection principles.
• Integration with SIEM: Integrate geo-risk scoring data with a Security Information and Event Management (SIEM) system for centralized monitoring and incident response.
• Avoid Blocking Legitimate Users: Ensure that overly aggressive geo-fencing does not inadvertently block legitimate users, especially those who travel frequently.

Conclusion

Geo-risk scoring provides a valuable layer of security for passwordless authentication systems. By incorporating location data into the risk assessment process, you can detect and prevent geographically motivated attacks. Remember to develop a robust threat model, carefully consider assumptions, and implement mitigation strategies that are aligned with your organization's risk tolerance and compliance requirements. Explore fraud detection rules to enhance your application. Implementing and logging this provides useful fraud evidence.

Further enhance security by reviewing threat modeling processes to identify potential threats and improve your system's resilience. You can further explore useful patterns in our examples section.