Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Yves Bourdic <yvesbourdic () wanadoo fr>
Date: Wed, 15 Aug 2007 11:26:51 -0400
Hi,

Maybe this will help.

Access control objectives are to provide:
1) Identification - How to identify an entity? (userid, ...)
2) Authentication - How to make sure the entity is the proper one? (passwords, ...)
3) Accounting - How to keep a trace of who accesses the system? (logs, ...)

There are three known ways to provide an authentication, based on:
1) Something you know (a password, a passphrase, a cultural secret, ...)
2) Something you have (a key, a smartcard, ...)
3) Something you are (any biometric system)

What we call a multi-factor authentication is a system that provides more than one way of authentication based on the list above.

e.g.:
A) "After being identified with a userid I provide to connect to a system, I provide a password to authenticate myself." The password is something I know, so this is a one-factor authentication system.
B) "After being identified with an ID card I provide to enter a room, I provide my fingerprint to authenticate myself." The fingerprint represents something I am, so this is a one-factor authentication system.

If I do B) followed by A), this is considered a dual authentication system (1 & 1) because I identify myself twice and I authenticate myself each time.

C) "After being identified with a userid I provide to connect to a system, I provide a password I generate with a card and a PIN code." The PIN code is something I know, the card is something I have, so this is a two-factor authentication system.

The last example is a multi-factor (more than one) authentication system. I identify myself once and provide two ways to authenticate myself.

To answer Bob: in access control we separate Identification and Authentication. The access control Bob describes is a mixture of multi-identification and multi-authentication.

Hope this will help.

YB

On 10-Aug-07, at 11:21 AM, jsewell () jsewell com wrote:

> I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob.
>
> Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In other words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans his retina, and Sally enters her PIN.
>
> This is obviously wrong. Bob says "prove it". So I've scoured the net and books for something that describes multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything.
>
> Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking?
>
> Thanks!
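Added example, not part of the thread: a small Python model of the distinction Yves draws between identification and authentication, showing why a policy that counts factor categories without binding each one to the same identified subject accepts the Jim/Mike/Sally scenario while a correct policy rejects it. The `Factor`/`Assertion` types, the subject names and the scenarios are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Assertion:
    """One authentication check, recorded against the identity it was verified for."""
    subject: str      # identity claimed at identification time (userid, badge, ...)
    factor: Factor    # which category of factor this check belongs to
    verified: bool    # outcome of the password/token/biometric check


def verified_factors(claimed: str, assertions) -> set:
    """Distinct factor categories verified *for the claimed identity* only."""
    return {a.factor for a in assertions if a.verified and a.subject == claimed}


def is_multi_factor(claimed: str, assertions, required: int = 2) -> bool:
    """Correct rule: all counted factors must authenticate the same identified subject.
    Two checks of the same category (e.g. two passwords) still count as one factor."""
    return len(verified_factors(claimed, assertions)) >= required


def factors_ignoring_subject(assertions) -> set:
    """Bob's reading: count verified categories without regard to who they identify."""
    return {a.factor for a in assertions if a.verified}


# Constructed scenario from the original question: three different people each
# supply one factor at the data-centre door.
BOB_SCENARIO = [
    Assertion("jim", Factor.HAVE, True),    # Jim badges in
    Assertion("mike", Factor.ARE, True),    # Mike scans his retina
    Assertion("sally", Factor.KNOW, True),  # Sally enters her PIN
]

# Constructed scenario matching example C: one identified user, card plus PIN.
EXAMPLE_C = [
    Assertion("alice", Factor.HAVE, True),  # the card
    Assertion("alice", Factor.KNOW, True),  # the PIN
]

if __name__ == "__main__":
    print("Bob's rule on Jim/Mike/Sally:", len(factors_ignoring_subject(BOB_SCENARIO)) >= 2)
    print("Correct rule for 'jim':      ", is_multi_factor("jim", BOB_SCENARIO))
    print("Correct rule for 'alice' (C):", is_multi_factor("alice", EXAMPLE_C))
```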