Re: Multi-Factor Authentication Concern

["Kurt Buff" <kurt.buff () gmail com>]

On 8/14/07, Jason Sewell <jsewell () mac com> wrote:
> I appreciate all of these responses.
>
> The general consensus seems to be:
>
> 1) The system that "Bob" has implemented does not reflect multi-
> factor authentication as it is commonly defined, and
> 2) there may be some esoteric reason to require different people to
> provide different authentication factors to protect a single
> resource, but
> 3) such a convoluted access control mechanism is not appropriate for
> protection of our data center, and furthermore
> 4) accounting and logging are complicated by such a system.
>
> However, what I still have not found yet is an authoritative document
> that I can point to and say "Bob, you're wrong". He's a hard-headed
> guy and responses from security experts on a mailing list won't
> convince him. I looked at all of the suggested links, including the
> Wikipedia article, and I cannot find anything that explicitly states
> that the factors in a multi-factor authentication system must all be
> from the same person.
>
> So, I'll show him these response, and I'll continue to try to find an
> authoritative source for my assertion (or perhaps I'll edit the
> wikipedia article).
>
> Thanks again everyone for you help!

Take a look at the wikipedia article again. At the end, it contains this:

"The U.S. Government's National Information Assurance Glossary defines
strong authentication as:

    Layered authentication approach relying on two or more
authenticators to establish the identity of an originator or receiver
of information. "

Authentication is all about establishing identity. Unless your
interlocutor is dense, it should be easy to point out that identity
inheres in individuals, not in groups. It really couldn't be more
clear. All you have to do is parse the sentence for him.