Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: "Kurt Buff" <kurt.buff () gmail com>
Date: Tue, 14 Aug 2007 17:34:02 -0700
On 8/14/07, Jason Sewell <jsewell () mac com> wrote:
> I appreciate all of these responses. The general consensus seems to be:
> 1) The system that "Bob" has implemented does not reflect multi-factor authentication as it is commonly defined, and
> 2) there may be some esoteric reason to require different people to provide different authentication factors to protect a single resource, but
> 3) such a convoluted access control mechanism is not appropriate for protection of our data center, and furthermore
> 4) accounting and logging are complicated by such a system.
>
> However, what I still have not found yet is an authoritative document that I can point to and say "Bob, you're wrong". He's a hard-headed guy and responses from security experts on a mailing list won't convince him. I looked at all of the suggested links, including the Wikipedia article, and I cannot find anything that explicitly states that the factors in a multi-factor authentication system must all be from the same person.
>
> So, I'll show him these responses, and I'll continue to try to find an authoritative source for my assertion (or perhaps I'll edit the Wikipedia article).
>
> Thanks again everyone for your help!
Take a look at the Wikipedia article again. At the end, it contains this:

"The U.S. Government's National Information Assurance Glossary defines strong authentication as: Layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information."

Authentication is all about establishing identity. Unless your interlocutor is dense, it should be easy to point out that identity inheres in individuals, not in groups.

It really couldn't be more clear. All you have to do is parse the sentence for him.