Security Basics mailing list archives
RE: Multi-Factor Authentication Concern
From: "Dave Lewis" <dlewis () security-connect com>
Date: Tue, 14 Aug 2007 14:59:36 -0600
Multi-factor authentication offers two or more "methods" to authenticate a single entity/user accessing a system. For example, a key fob used in tandem with a secure login name and password, all provided by the self-same single entity/user.

Multi-key authentication offers two or more "entities/users" with complementary keys sharing similar properties to simultaneously access a system where access can't be entrusted to a single entity/user. For example, two people each with a key or each with a code that, when used together, access sensitive areas or activate "warheads".

It really depends on how you choose to access a system and the nature of the system. Don't confuse them as the same. They have different purposes. For most network resources, I "trust" (and monitor) an individual to operate within the confines of their permissions, but I want to authenticate that it is truly that individual operating within the permissions; hence, multi-factor authentication suffices.

~Dave

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Justin Ross
Sent: Tuesday, August 14, 2007 12:17 PM
To: Jason Sewell; security-basics () securityfocus com
Subject: RE: Multi-Factor Authentication Concern

I'm sorry, I have to play devil's advocate and disagree. Initially I wanted to agree that multi-factor authentication did indeed refer to the same person; however, I do not believe it to be the case after I, too, took it to the most basic level, reading the actual definition of the words, which I included below along with the dictionary referred to. I do not believe multi-factor authentication necessarily refers to a single user, nor even a living entity.

For example, if multiple handwriting experts, a computer with a handwriting analysis algorithm, a tarot card reader, as well as random people on the street all confirmed the authenticity of a signed document by Abraham Lincoln, would that not be multiple-factor authentication of that document? Why do nuclear submarines require multiple people with keys and codes to press the launch button, and approval from the president? Is that not multi-factor authentication of not even individuals (who also pass authentication checks to even get on the submarine) but a process (or even multiple processes, such as chain of command as well)?

When you say "as it is commonly defined", please cite where you are getting the definition from. Isn't the point of this thread that you cannot cite one and need help locating such a source? If you said "culturally defined by the INFOSEC community", I would somewhat agree. Really though, I think the answer hinges on the definition of the words themselves, which doesn't necessarily indicate a person is involved (at any point), let alone the single "same" person.

Just my 0.02.

Justin.Ross
Security Engineer

American Heritage Stedman's Medical Dictionary
multi-
Many; much; multiple: multiarticular. More than one: multiparous. More than two: multipolar.

American Heritage Dictionary
fac*tor
One who acts for someone else; an agent. A person or firm that accepts accounts receivable as security for short-term loans. Mathematics: One of two or more quantities that divides a given quantity without a remainder. For example, 2 and 3 are factors of 6; a and b are factors of ab. A quantity by which a stated quantity is multiplied or divided, so as to indicate an increase or decrease in a measurement: The rate increased by a factor of ten.

American Heritage Dictionary
au*then*ti*cate
To establish the authenticity of; prove genuine.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jason Sewell
Sent: Tuesday, August 14, 2007 7:05 AM
To: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I appreciate all of these responses. The general consensus seems to be:

1) The system that "Bob" has implemented does not reflect multi-factor authentication as it is commonly defined, and
2) there may be some esoteric reason to require different people to provide different authentication factors to protect a single resource, but
3) such a convoluted access control mechanism is not appropriate for protection of our data center, and furthermore
4) accounting and logging are complicated by such a system.

However, what I still have not found yet is an authoritative document that I can point to and say "Bob, you're wrong". He's a hard-headed guy and responses from security experts on a mailing list won't convince him. I looked at all of the suggested links, including the Wikipedia article, and I cannot find anything that explicitly states that the factors in a multi-factor authentication system must all be from the same person. So, I'll show him these responses, and I'll continue to try to find an authoritative source for my assertion (or perhaps I'll edit the Wikipedia article). Thanks again everyone for your help!

On Aug 14, 2007, at 8:58 AM, Kevin Wilcox wrote:

> Mngadi, Simphiwe (SS) wrote:
>> All three are accountable; I don't see the logic in your hypothesis. Anyway, authentication should be monitored, and your concern should have been built in to the security system.
>
> All three *are* accountable and therein lies the problem - only *one* of the individuals actually entered the data centre but it appears as if all three of them entered. Authentication is not only a method for authorization, it is a method of accounting for who accessed what resources. Just because all three of them are authorized to be in the data centre doesn't mean that any one of them should be able to gain entry using the credentials of the other two. One of the things multi-factor authentication attempts to address is the scenario where an individual can pass themselves off as someone else - basically ID theft.
>
> Another scenario would be on-line banking. Suppose you and your business partner have access to the same account. You decide to use web-based banking. To access the account information you have to log in using a password, then enter a PIN. To gain access to the account details you would not log in using your password then enter your partner's PIN - you would use *your* password and *your* PIN. Like the data centre scenario, just because more than one person has access to a resource doesn't mean you allow authentication credentials from anyone with access - it destroys the concept of accountability. Instead you require that all of the authentication credentials come from the same person so you know who to hold accountable if something happens (and because it could be the law in your vicinity).
>
> That said, there *are* times when group level access may be desired and a "piece of the key" from each person is acceptable (or required) - if that is the case then the original question is moot.
>
> I hate relying on hypothetical examples but it really does come down to "what are you trying to accomplish with your authentication methods?" and "what are the laws in your area?". If group accountability is your goal then you can suffice with allowing credentials from anyone at any stage in the process (just make sure you have other accountability measures in place). If you want granular accountability at the individual level then all of the credentials must come from the same individual.
>
> I hope that helps.
>
> kmw
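As an added illustration of the distinction Dave draws between multi-factor and multi-key authentication, and of Kevin's accountability point, here is a small Python policy evaluator; it is not code from this thread or from any of its posters. The factor kinds, principal names and the three scenarios (including "Bob's" three-person door) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass(frozen=True)
class Factor:
    """One authentication factor, tagged with the principal whose credential it is."""
    kind: str        # "knowledge" (PIN/password), "possession" (badge/fob), "inherence" (biometric)
    bound_to: str    # principal the credential belongs to (badge owner, PIN owner, ...)
    verified: bool   # already checked against the credential store; taken as given here

def check_mfa(factors: Iterable[Factor], min_kinds: int = 2) -> Tuple[bool, Optional[str], str]:
    """Multi-factor policy: at least `min_kinds` distinct factor kinds, ALL bound to one
    principal. Returns (granted, accountable principal, reason)."""
    good = [f for f in factors if f.verified]
    if not good:
        return False, None, "no verified factors"
    owners = {f.bound_to for f in good}
    if len(owners) != 1:
        # Bob's scheme fails here: the factors prove three different people, not one entrant.
        return False, None, "factors bound to different principals"
    if len({f.kind for f in good}) < min_kinds:
        return False, None, "too few distinct factor kinds"
    return True, owners.pop(), "ok"

def check_dual_control(factors: Iterable[Factor], quorum: int = 2) -> Tuple[bool, Tuple[str, ...], str]:
    """Multi-key / two-person policy: verified factors from at least `quorum` DISTINCT
    principals. Accountability is group-level, so every contributor is returned for the log."""
    owners = tuple(sorted({f.bound_to for f in factors if f.verified}))
    if len(owners) < quorum:
        return False, owners, "quorum not met"
    return True, owners, "ok"

# Constructed scenario: "Bob's" data-centre door, three people each supplying one factor.
BOBS_SCHEME = [
    Factor("possession", "alice", True),   # Alice's badge
    Factor("knowledge", "bob", True),      # Bob's PIN
    Factor("inherence", "carol", True),    # Carol's fingerprint
]
# Constructed scenario: one person supplying two different kinds of factor.
SAME_PERSON = [Factor("possession", "alice", True), Factor("knowledge", "alice", True)]
# Constructed scenario: two factors of the same kind from one person (not multi-factor).
SAME_KIND = [Factor("knowledge", "alice", True), Factor("knowledge", "alice", True)]

if __name__ == "__main__":
    for name, scheme in (("bobs", BOBS_SCHEME), ("same_person", SAME_PERSON), ("same_kind", SAME_KIND)):
        print(name, "mfa ->", check_mfa(scheme), "| dual-control ->", check_dual_control(scheme))
```

Bob's scheme is rejected by the multi-factor policy but accepted by the dual-control policy, and only the latter can name who to hold accountable, which is exactly why the two should not be confused.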