About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Panic buying | Main | Moving to Privacy 3.0 »

“Location-based” login protection

By Dave Petch posted Feb 19 2010 at 11:03 PM

[Dave Petch] It’s not often the case that eBay users find cause to congratulate the internet giant, in fact quite the opposite is usually the case.  Whether it’s seller rebellion against fee hikes, anger at seller policy changes, lawsuits against the selling of counterfeit goods or password vulnerabilities in the developer program, eBay are never far away from controversy of some kind.

So I was therefore pleasantly surprised to discover that eBay (in the UK at least) have implemented location-based login checks, something which would surely assist in the ongoing fight against phishing attacks were it implemented more widely at other online merchants / communities. It was also another great but simple example of the utility of the mobile phone as an authentication channel.

I discovered this through the somewhat suspect process of using my friend’s eBay login details to help him sort out an item listing issue that he had.  He’s one of those illiterate computer users who doesn’t know one end of the web from the other, so he didn’t hesitate in telling me his login and password over the phone.

My friend lives 20 miles away from me.  When I tried to log in using his valid credentials, eBay took me to a page stating it had been noticed I was logging in from a “location” that was not my usual one.  I presume this was detected using my IP address, although whether it was able to trace me to a spot in Guildford or just to the location of my ISP is not clear (a whois of my IP address at home tells me that I live in Hull, East Yorkshire, which is at least 230 miles from my house but unsurprisingly not very far from my ISP).  However, for the security mechanism in question, this was more than enough information for eBay to detect the disparity from my friend’s usual network access data.

I was then asked if I wished to be authenticated using either a phone call (instant) or an email (short delay).  I selected authentication by phone call (it uses the existing registered number and does not allow you to enter a different one), my friend’s mobile rang almost instantly, after which an electronic voice announced, “Hello, this is eBay, are you expecting this call? If so, press #”.   My friend pressed # and an access code was read out to him.  He reported the code to me, I entered it at the website and in I went.

The specifics of the situation were obviously beyond that for which the protection mechanism was strictly designed, but the process worked very smoothly and was close to real time, it presented the user with alternative options for added convenience and, above all, it was simple.  Sure, it slowed me down for a minute, but my initial thought was that such a simple mechanism would surely assist in the fight against the use of phished credentials.  If you cannot stop the consumer from continuing to fall for what is fast becoming one of the oldest tricks in the book, then stopping the use of those captured credentials using simple location checking seems to be a worthwhile next step, at least until such time that the highly flawed method of user authentication that we call “passwords” is replaced by something better.

There was a flaw in the process, however.  Having completed my login to the website using my friend’s credentials, I then asked him to log in at the same time so that he could see the effect of the changes I was making to his item listing.  eBay allowed him straight in, although it should have been clear at this point that it was not possible for him to be in two different locations at the same time, at least not without considerable mind power.


TrackBack URL for this entry:

Listed below are links to weblogs that reference “Location-based” login protection:


The comments to this entry are closed.