Fingerprints on the Cookie Jar
One of the emerging challenges with unified communications (UC) is user authentication. With desktop activities, we tie the authentication to the desktop login, so enterprise security practices effectively get applied to the UC application(s). But it gets harder with standalone websites, desktop phones, and mobile phones, as they often require a separate login.
A common solution for websites is the browser cookie. This is a small piece of data that a website stores in the browser to help identify the user. The website could, for example, require a new login if the cookie is old. The longer the period of time from the login, the higher the risk that the current user is not the authenticated user.
Cookies are tried and true, but the Internet itself is beginning to move toward fingerprinting. A fingerprint looks at more of the available information provided to determine the user. Computers are surprisingly unique when numerous factors are considered as a group, such as timezone, installed plugins, screen size, installed software, fonts, etc. It is estimated that 94 percent of computers can be uniquely identified by fingerprinting. A similar concept is used with CDDB – the database that recognizes an audio CD based on parameters such as the number and length of tracks on a disc.
I spoke with an engineer at Blackberry who indicated mobile phones have many additional options to authenticate the user. In the labs at Blackberry, programs can verify/authenticate a user based on voice, earlobe, or gait. Yes, many of us have a distinct walk. It does sound a bit creepy, but the goal of providing passive authentication makes a lot of sense. The mobile phone also knows its orientation, so a person lying down at the office could indicate a medical emergency.
The desktop phone is a prime target for passive authentication. Unlike a computer on a desktop, it is reasonable to expect usage by someone other than the primary user. A UC/IP phone contains personalized information such as call logs, calendar events, and personal contacts. Keeping this information away from strangers, yet handy for the intended primary user, is a challenge. The solution, which doesn’t seem to exist yet, is some form of passive endpoint authentication. Perhaps a real fingerprint sensor on the dialpad would suffice.
Fingerprinting web browsers is effective, yet highly controversial. It is typically used by advertisers to better understand web programs, but could be used as a form of authentication. These various practices could personalize UC, and make routing a passive function. In the future, the technology could even involve external factors such as family member locations. For example, route business calls to the home only when the primary user is home alone.
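As an added illustration (not code from this article or any UC product), here is one way a website could combine the two ideas above: force a new login when the cookie is old, and also when the browser's attribute group no longer matches the one seen at login. The field names, the 8-hour limit, the key, and the sample attribute values are all assumptions constructed for the example.

```python
import hashlib, hmac, json, time

MAX_COOKIE_AGE = 8 * 3600               # assumed policy: re-login after 8 hours
SERVER_KEY = b"constructed-demo-key"    # placeholder; a real key stays server-side
FIELDS = ("timezone", "plugins", "screen", "fonts")   # assumed attribute group

def fingerprint(attrs):
    """Hash the attribute group; list order (e.g. plugin order) is ignored."""
    canon = {}
    for name in FIELDS:
        value = attrs.get(name)
        canon[name] = sorted(value) if isinstance(value, (list, tuple, set)) else value
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, attrs, now=None):
    """Cookie value = user|issue time|fingerprint|MAC (user must not contain '|')."""
    issued = int(time.time() if now is None else now)
    payload = f"{user}|{issued}|{fingerprint(attrs)}"
    return f"{payload}|{_tag(payload)}"

def check_cookie(cookie, attrs, now=None):
    """Return ('ok', user) or ('relogin:<reason>', user-or-None)."""
    now = time.time() if now is None else now
    try:
        user, issued, fp, tag = cookie.split("|")
        issued = int(issued)
    except ValueError:
        return "relogin:malformed", None
    expected = _tag(f"{user}|{issued}|{fp}")
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return "relogin:tampered", None      # cookie was edited on the client
    if now - issued > MAX_COOKIE_AGE:
        return "relogin:expired", user       # the "cookie is old" rule
    if not hmac.compare_digest(fp.encode(), fingerprint(attrs).encode()):
        return "relogin:fingerprint-changed", user   # different machine or setup
    return "ok", user

# Constructed sample attributes for two browsers.
DESK = {"timezone": "America/Denver", "plugins": ["pdf", "flash"],
        "screen": "1920x1080", "fonts": ["Arial", "Calibri"]}
OTHER = dict(DESK, screen="1366x768")

if __name__ == "__main__":
    c = issue_cookie("alice", DESK)
    print(check_cookie(c, DESK), check_cookie(c, OTHER))
```

A browser update or a newly installed font changes the hash, so a mismatch here only triggers a fresh login; the fingerprint supplements the login and does not replace it.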