RE: Multi-Factor Authentication Concern

["Mngadi, Simphiwe (SS)" <Simphiwe.Mngadi () sasol com>]

Multi-factor authentication
Multi-factor authentication functionality is an extension of step-up
authentication functionality that allows you to specify a protected
object policy (POP) that forces the user to authenticate using all
authentication mechanisms with a level lower than the configured POP
authentication level. That is, the user is required to have
authenticated at all levels up to, and including, the required level
before access is granted. Multi-factor authentication can also be used
in conjunction with re-authentication to force a multi-factor
re-authentication.

Standard authentication-level based authentication allows a Policy to be
associated with an object that sets a minimum required authentication
level that must be achieved before access is granted. The supported
authentication mechanisms are given an ordering in the configuration
that specifies which mechanisms are considered stronger than others.
When a user first authenticates in order to access an object they are
offered the choice of all authentication methods that meet the required
level for that object. It is up to the user to choose which method they
will use.

To achieve multi-factor authentication, step-up authentication needs to
be configured as discussed in Authentication-strength Protected Object
Policy (Step-up). Once step-up authentication is configured, you will
need to add the extended attribute, MULTI-FACTOR-AUTH, to a protected
object policy (POP) for a Tivoli Access Manager Plug-in for Web Servers
object or objects.

When the MULTI-FACTOR-AUTH attribute is set, all authentication levels
up to the specified POP authentication level are required before access
to the resource is granted.

As an example, assume the following configuration is set in the
configuration file: 

[authentication-levels]
1 = cert
2 = forms
With the above configuration, when a POP attached to a resource which
requires an authentication level of 2 and the new MULTI-FACTOR-AUTH
attribute is set to true, the user must first supply a valid client
certificate before entering a forms-based logon. If the POP attached to
the resource does not have the MULTI-FACTOR-AUTH attribute enabled, then
only form-based authentication is used.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Justin Ross
Sent: 14 August 2007 20:17 PM
To: Jason Sewell; security-basics () securityfocus com
Subject: RE: Multi-Factor Authentication Concern

I'm sorry, I have to play devil's advocate and disagree.

Initially I wanted to agree that Multi-factor authentication did indeed
refer to the same person; However, I do not believe it to be the case
after I too, took it to the most basic level, reading the actual
definition of the words, which I included below as well as the
dictionary referred to. 

I do not believe Multi-factor Authentication necessarily refers to a
single user, nor even a living entity. For example, if multiple
handwriting experts, and a computer with handwriting analysis algorithm,
and a tarot card reader, as well random people on the street, all
confirmed the authenticity of a signed document by Abraham Lincoln,
would that not be Multiple-factor Authentication of that document? 

Why do nuclear submarines require multiple people with keys and codes to
press the launch button, and approval from the president? Is that not
Multi-factor authentication of not even individuals (who also pass
authentication checks to even get on the submarine) but a process (or
even multiple processes such as chain of command as well)? When you say
"as it is commonly defined", please cite where you are getting the
definition from? Isn't the point of this thread that you cannot cite one
and need help locating such a source? If you said "culturally defined by
the INFOSEC community", I would somewhat agree.

Really though, I think the answer hinges on the definition of the words
themselves, which doesn't necessarily indicate a person is involved (at
any point), let alone the single "same" person.

Just my 0.02.

Justin.Ross
Security Engineer


American Heritage Stedman's Medical Dictionary  
multi-
Many; much; multiple: multiarticular. 
More than one: multiparous. 
More than two: multipolar.


American Heritage Dictionary 
fac*tor     
One who acts for someone else; an agent. 
A person or firm that accepts accounts receivable as security for
short-term loans. 
Mathematics One of two or more quantities that divides a given quantity
without a remainder. For example, 2 and 3 are factors of 6; a and b are
factors of ab. 
A quantity by which a stated quantity is multiplied or divided, so as to
indicate an increase or decrease in a measurement: The rate increased by
a factor of ten.  


American Heritage Dictionary 
au*then*ti*cate 
To establish the authenticity of; prove genuine




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jason Sewell
Sent: Tuesday, August 14, 2007 7:05 AM
To: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I appreciate all of these responses.

The general consensus seems to be:

1) The system that "Bob" has implemented does not reflect multi- factor
authentication as it is commonly defined, and
2) there may be some esoteric reason to require different people to
provide different authentication factors to protect a single resource,
but
3) such a convoluted access control mechanism is not appropriate for
protection of our data center, and furthermore
4) accounting and logging are complicated by such a system.

However, what I still have not found yet is an authoritative document
that I can point to and say "Bob, you're wrong". He's a hard-headed guy
and responses from security experts on a mailing list won't convince
him. I looked at all of the suggested links, including the Wikipedia
article, and I cannot find anything that explicitly states that the
factors in a multi-factor authentication system must all be from the
same person.

So, I'll show him these response, and I'll continue to try to find an
authoritative source for my assertion (or perhaps I'll edit the
wikipedia article).

Thanks again everyone for you help!


On Aug 14, 2007, at 8:58 AM, Kevin Wilcox wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mngadi, Simphiwe (SS) wrote:
>
> > All three are accountable; I don't see the logic in your hypothesis. 
> > in anyway authentication should be monitored, and your concern should

> > have been build-in into the security system.
>
> All three *are* accountable and therein lies the problem - only
> *one* of
> the individuals actually entered the data centre but it appears as if 
> all three of them entered. Authentication is not only a method for 
> authorization, it is a method of accounting for who accessed what 
> resources. Just because all three of them are authorized to be in the 
> data centre doesn't mean that any one of them should be able to gain 
> entry using the credentials of the other two. One of the things 
> multi-factor authentication attempts to address is the scenario where 
> an individual can pass themselves off as someone else - basically ID 
> theft.
>
> Another scenario would be on-line banking. Suppose you and your 
> business partner have access to the same account. You decide to use 
> web-based banking. To access the account information you have to login

> using a password then enter a PIN. To gain access to the account 
> details you would not login using your password then enter your 
> partner's PIN - you would use *your* password and *your* PIN. Like the

> data centre scenario, just because more than one person has access to 
> a resource doesn't mean you allow authentication credentials from 
> anyone with access - it destroys the concept of accountability. 
> Instead you require that all of the authentication credentials come 
> from the same person so you know who to hold accountable if something 
> happens (and because it could be the law in your vicinity).
>
> That said, there *are* times when group level access may be desired 
> and a "piece of the key" from each person is acceptable (or required) 
> - if that is the case then the original question is moot.
>
> I hate relying on hypothetical examples but it really does come down 
> to "what are you trying to accomplish with your authentication 
> methods?"
> and "what are the laws in your area?". If group accountability is your

> goal then you can suffice with allowing credentials from anyone at any

> stage in the process (just make sure you have other accountability 
> measures in place). If you want granular accountability at the 
> individual level then all of the credentials must come from the same 
> individual.
>
> I hope that helps.
>
> kmw
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFGwab6sKMTOtQ3fKERAsTQAJ4p3VaL48KmMNpOx2T6ZmwdoWfqfACfTltF
> 5yojC7HzWEujHd5x1OT56xk=
> =lXuR
> -----END PGP SIGNATURE-----



----------------------------------------------------------------------------
NOTICE: Please note that this eMail, and the contents thereof, 
is subject to the standard Sasol eMail legal notice which may be found at: 
http://www.sasol.com/legalnotices                                                                                       
                   

If you cannot access the legal notice through the URL attached and you wish 
to receive a copy thereof please send an eMail to 
legalnotice () sasol com
----------------------------------------------------------------------------