Identity Assertions, Extending Services and my Cell Phone

When my cell phone rings, I flip open the cover and check the phone number of the caller. If the caller’s number is blocked or is not in my address book, I usually let the call go to voice mail. If the caller leaves a message, I listen to the message and then decide whether or not I will call them back. This is a simple case of Identity Assertion, Checking Access Rights and Extending Service.

It is an interesting example of the basic Authentication / Authorization flow:

1. The Authentication is based on the “something you have” and “something you know” schemes. They have a phone with a phone number and they know my phone number (or they have misdialed).
2. The caller presents an Identifier – their phone number.
3. My phone checks the Identifier against the “known and trusted user” directory – my Address book.
— If the Identifier matches a user the directory, Bio/Demo data is expressed and I grant access or deny based on criteria for service access (if I’m in a meeting, I may not answer a call from my Wife but may answer a call from the CIO). Another way to think of this is that different users have different access levels – the CIO has a high access level during work hours, my nephew has a lower access level during work hours.
— If the Identifier doesn’t match a user in the directory, I may grant access or I may request further Identifiers (e.g. the user’s voice and message of intent in my voice mail)

This example highlights some interesting challenges in Authentication / Authorization schemes: Access based on time (user X can get access services during normal business hours but not after hours), Exertion of further Identifiers (user X is not in our Directory but is in another trusted Directory or can present further credentials to gain access), Requiring additional credentials prior to granting access (user X has successfully logged in with NetID and Password but needs another credential to gain further access).