Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Cristina & Fernando <frobayo () mac com>
Date: Thu, 16 Aug 2007 09:58:51 -0400
Agreed. Knowing the login/username (another something know) can be the third factor, which is tied to your dynamic token.

Default signature on this phone... it's great!

Sent from my iPhone

On Aug 16, 2007, at 9:31 AM, "Mngadi, Simphiwe (SS)" <Simphiwe.Mngadi () sasol com> wrote:

Password is "something you know", factor-1.
Key/token is "something you have", factor-2.
THEREFORE password and key/token are two separate factors; a password can never be classified as DYNAMIC (contextually speaking).

Semantically speaking:
More than one factor, can be two = two-factor
More than 2 factors = multi-factor

But I don't see what the argument is because we are not disagreeing about the facts, but about semantics.

PS: you had to brag about your iPhone, envious on my part.

-----Original Message-----
From: Cristina & Fernando [mailto:frobayo () mac com]
Sent: 16 August 2007 15:11 PM
To: Mngadi, Simphiwe (SS)
Cc: Tep, Tom M. (CDC/CCHP/NCCDPHP); security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I have extremely tough skin and love debates. Instead of focusing on a word, pay attention to the context. It was a simple example of using a combination of factor (1) a static password with another factor (2) DYNAMIC password/key/token or whatever you fancy.

More than one factor = multi

Sent from my iPhone

On Aug 16, 2007, at 6:02 AM, "Mngadi, Simphiwe (SS)" <Simphiwe.Mngadi () sasol com> wrote:

This issue has been dealt with in great detail, I can write a book already. I won't say anything about your password issue, but password is a single factor, putting multi- does not make it a multi-factor. But I was not creating a debate. Please don't skin him alive, it was only semantics.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Cristina & Fernando
Sent: 15 August 2007 22:05 PM
To: Tep, Tom M. (CDC/CCHP/NCCDPHP)
Cc: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

Multi-factor authentication simply means a static password along with a dynamic password (i.e.: tokens) tied to a username/id. The multi passwords combined must match the username/id.

On Aug 15, 2007, at 9:23 AM, "Tep, Tom M. (CDC/CCHP/NCCDPHP)" <tft3 () cdc gov> wrote:

Based on everyone's responses, neither Bob nor Chris is incorrect in their understanding. It depends on the company security policy. I believe what Bob is referring to is the Limited Access Privilege in Physical Security Policy. It requires multiple parties' involvement in order to grant a person access to a secure room. On the other hand, Chris is talking about the multi-factor authentication in system login, which is implemented a little differently and requires three important things in Authentication:

1. Something you know (i.e. Password)
2. Something you have (id badge or cryptographic key)
3. Something you are (a voice print or other biometric)

It DEPENDS!!!! Hope I haven't confused anyone.

`tom

-----Original Message-----
From: Mike Lococo [mailto:mike.lococo () nyu edu]
Sent: Tuesday, August 14, 2007 2:59 PM
To: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I looked at all of the suggested links, including the Wikipedia article, and I cannot find anything that explicitly states that the factors in a multi-factor authentication system must all be from the same person.

Because authentication is, by definition, the process of verifying an asserted identity (that statement is easy to find references for, including the wikipedia article on authentication). An access control system must authenticate _each_ identity separately, even when several identities are involved in a single transaction and even if the process is streamlined to 'feel' as though it's a single action.

As you're thinking and speaking about this, remember the difference between identification, authentication, and authorization.

1) Identification: Your identity is your username in the system. You may have to say it, or type it, or it may be inferred from a retinal scan or whatever. As a basic access control principle, every individual must have an identity.
Anytime you're accepting credentials from more than one individual, you are _by_definition_ performing more than one authentication.

2) Authentication: An identity is authenticated via password, or voiceprint, or token, or whatever. If only one type is required, it's single factor. If more than one type is required, it's multi-factor. If more than one type is available (you have a token and a password), but either is sufficient (you can log in with your password even if you lost the token), it's still single factor... you just have options.

3) Authorization: Once you are authenticated, you may or may not be _authorized_ to access the resource you're interested in.

If a system requires more than one user to authenticate in order to authorize an action, it implements split-authentication or split-authorization (often referred to in the context of passwords/pins as split-knowledge). Each identity is still authenticated individually, but more than one is required before any are authorized.

You're talking about multi-factor authentication. Your friend is talking about split-knowledge/authentication/authorization. No authoritative source on IDM or access-control is going to talk about whether multi-factor authentication involves multiple identities because it's well-established that all authentication schemes have as their basic goal the verification of a single asserted identity. Authorization schemes exist that require multiple identities to be involved in a single transaction (nukes and expensive safe-deposit boxes work this way), but each is always authenticated individually.

Thanks,
Mike Lococo

----------------------------------------------------------------------
NOTICE: Please note that this eMail, and the contents thereof, is subject to the standard Sasol eMail legal notice which may be found at: http://www.sasol.com/legalnotices
If you cannot access the legal notice through the URL attached and you wish to receive a copy thereof please send an eMail to legalnotice () sasol com
----------------------------------------------------------------------
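
The distinctions drawn in the thread above (factor categories, "either is sufficient" still being single factor, and split authorization across separately authenticated identities), as an added example that is not part of any message in the thread. The policy format, the credential-type mapping and the sample credential store are assumptions constructed for illustration.

```python
import hmac

KNOW, HAVE, ARE = "something you know", "something you have", "something you are"
# Assumed mapping of credential types to the three factor categories.
CATEGORY = {"password": KNOW, "pin": KNOW, "token": HAVE, "id_badge": HAVE,
            "voiceprint": ARE}

def factor_count(policy):
    """policy is a list of alternatives; each alternative is a set of credential
    types that are all required, and any one alternative is enough to log in.
    The policy is only as strong as its weakest alternative."""
    if not policy or any(not alt for alt in policy):
        raise ValueError("every alternative must require at least one credential")
    return min(len({CATEGORY[c] for c in alt}) for alt in policy)

def classify(policy):
    return "multi-factor" if factor_count(policy) > 1 else "single-factor"

def authenticate(identity, presented, policy, verify):
    """Verify ONE asserted identity: some alternative must be fully satisfied."""
    good = {c for c, value in presented.items() if verify(identity, c, value)}
    return any(alt <= good for alt in policy)

def authorize_split(claims, policy, verify, quorum=2):
    """Split authorization: each identity is authenticated individually, and the
    action is authorized only when `quorum` distinct identities have passed."""
    passed = {ident for ident, presented in claims
              if authenticate(ident, presented, policy, verify)}
    return len(passed) >= quorum

# Constructed sample credential store (plaintext only to keep the example short).
STORE = {("bob", "password"): "b-pass", ("bob", "token"): "111111",
         ("chris", "password"): "c-pass", ("chris", "token"): "222222"}

def verify(identity, cred_type, value):
    expected = STORE.get((identity, cred_type))
    return expected is not None and hmac.compare_digest(expected, value)

STRICT = [{"password", "token"}]                  # both types required
LENIENT = [{"password", "token"}, {"password"}]   # token optional

if __name__ == "__main__":
    print(classify(STRICT), classify(LENIENT), classify([{"password", "pin"}]))
    bob = ("bob", {"password": "b-pass", "token": "111111"})
    chris = ("chris", {"password": "c-pass", "token": "222222"})
    print(authorize_split([bob, chris], STRICT, verify))
    print(authorize_split([bob, bob], STRICT, verify))
```

A password plus a PIN counts as one factor here because both fall in the same category, and the same identity presenting credentials twice does not meet a two-person quorum.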