Security Basics mailing list archives
RE: Multi-Factor Authentication Concern
From: "Uber Wannabe" <nucleargeekdown () gmail com>
Date: Thu, 16 Aug 2007 14:37:42 -0500
Just thought I'd throw this in, too... Just because the standard definition of each word in "Multi-factor authentication" could be understood as multiple people and multiple factors, it is the combination of the words that generates its unique meaning. If we were to go by standard definitions, then...

Door - noun
1. a movable, usually solid, barrier for opening and closing an entranceway, cupboard, cabinet, or the like, commonly turning on hinges or sliding in grooves.
2. a doorway: to go through the door.
3. the building, house, etc., to which a door belongs: My friend lives two doors down the street.
4. any means of approach, admittance, or access: the doors to learning.
5. any gateway marking an entrance or exit from one place or state to another: at heaven's door.
(Source: www.dictionary.com)

...a house would be a door. (See #3) Which shows why logic should not oppose fact.

--
N/A

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Justin Ross
Sent: Thursday, August 16, 2007 11:37 AM
To: Tep, Tom M. (CDC/CCHP/NCCDPHP); security-basics () securityfocus com
Subject: RE: Multi-Factor Authentication Concern

I agree. Neither "Bob" nor Chris are wholly incorrect, nor wholly correct. It's semantics, and the definition is in and of itself wholly subjective to the requirements, the people implementing it, or its use. I also agree that, generally speaking, when the INFOSEC community talks about multi-factor authentication they are talking about a single person - I think that is a far cry from saying "it ALWAYS refers to". For example, here is one of the arguments made:

Take a look at the wikipedia article again. At the end, it contains this: "The U.S. Government's National Information Assurance Glossary defines strong authentication as: Layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information."

The originator or receiver of the information could be a database, it could be a person, it could be a role (for example, the on-duty NOC manager); multi-factor authentication does not have to be a single person. That was my point, and it actually validates "Bob's" argument to some degree. As I also mentioned, multiple people/computers using different verification methodologies of a signature on a document would also, by definition of the words (from a standard dictionary), qualify as "Multi-factor authentication of a signed document", which is also not a single individual person.

While from a security perspective you would never really want to authenticate based on a role, it is possible, and it's possible to have it tied to different forms of authentication, thereby making it multi-factor authentication of something other than an individual user. A VPN peer can use a shared secret ("something you know" - like a pin), an IP address ("who you are", like a call-back number on RAS dial-up or a thumbprint), a digital certificate ("something you have", like a debit card), which would therefore count as multiple-factor authentication of a VPN peer, which is a device, not a person.

While I did enjoy reading the responses, including the one which relates the responder's experience, I have to say if there is one thing that I have learned in my extensive experience in INFOSEC it is that rarely (if ever) is anything black or white.

So I've scoured the net and books for something that describes multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything.

I do believe multiple-factor authentication means (even in the dictionary sense of the wording): multiple methods of authenticating a single "entity" (person, government, company, device, et al.); it does not necessarily have to be a (same or single) person. I stand by that belief, even though I am clearly outnumbered hah ;)

Regards,
Justin.Ross
Security Engineer

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tep, Tom M. (CDC/CCHP/NCCDPHP)
Sent: Wednesday, August 15, 2007 6:23 AM
To: security-basics () securityfocus com
Subject: RE: Multi-Factor Authentication Concern

Based on everyone's responses, neither Bob nor Chris is incorrect in their understanding. It depends on the company security policy. I believe what Bob is referring to is the Limited Access Privilege in Physical Security Policy. It requires multiple parties' involvement in order to grant a person access to a secure room. On the other hand, Chris is talking about the multi-factor authentication in system login, which is implemented a little differently and requires three important things in Authentication:

1. Something you know (i.e. Password)
2. Something you have (id badge or cryptographic key)
3. Something you are (a voice print or other biometric)

It DEPENDS!!!! Hope I haven't confused anyone.

`tom

-----Original Message-----
From: Mike Lococo [mailto:mike.lococo () nyu edu]
Sent: Tuesday, August 14, 2007 2:59 PM
To: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern
> I looked at all of the suggested links, including the Wikipedia article, and I cannot find anything that explicitly states that the factors in a multi-factor authentication system must all be from the same person.

Because authentication is, by definition, the process of verifying an asserted identity (that statement is easy to find references for, including the wikipedia article on authentication). An access control system must authenticate _each_ identity separately, even when several identities are involved in a single transaction and even if the process is streamlined to 'feel' as though it's a single action.

As you're thinking and speaking about this, remember the difference between identification, authentication, and authorization.

1) Identification: Your identity is your username in the system. You may have to say it, or type it, or it may be inferred from a retinal scan or whatever. As a basic access control principle, every individual must have an identity. Anytime you're accepting credentials from more than one individual, you are _by_definition_ performing more than one authentication.

2) Authentication: An identity is authenticated via password, or voiceprint, or token, or whatever. If only one type is required, it's single factor. If more than one type is required, it's multi-factor. If more than one type is available (you have a token and a password), but either is sufficient (you can log in with your password even if you lost the token), it's still single factor... you just have options.

3) Authorization: Once you are authenticated, you may or may not be _authorized_ to access the resource you're interested in. If a system requires more than one user to authenticate in order to authorize an action, it implements split-authentication or split-authorization (often referred to in the context of passwords/pins as split-knowledge). Each identity is still authenticated individually, but more than one is required before any are authorized.

You're talking about multi-factor authentication. Your friend is talking about split-knowledge/authentication/authorization.

No authoritative source on IDM or access-control is going to talk about whether multi-factor authentication involves multiple identities because it's well-established that all authentication schemes have as their basic goal the verification of a single asserted identity. Authorization schemes exist that require multiple identities to be involved in a single transaction (nukes and expensive safe-deposit boxes work this way), but each is always authenticated individually.

Thanks,
Mike Lococo
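The identification / authentication / authorization split that Mike lays out, and his rule that "either credential is sufficient" is still single factor, can be made concrete in a small model. The code below is an added illustration and is not from the thread or from any product; the identities (alice, bob), their sample secrets, and the `Policy`/`authorize` names are constructed for the example. Each identity is verified on its own against its own enrolled credentials; a policy's strength is the weakest alternative an attacker could choose; and a split-authorization quorum is checked only over identities that have already passed authentication individually.

```python
"""Toy access-control model: identification, authentication, authorization.

Constructed example, not code from the thread or any product.  Credentials are
stored as SHA-256 digests only so the example holds no plaintext; a real system
would use a salted password hash, a token verifier, and a biometric matcher.
"""
from dataclasses import dataclass
from enum import Enum
from hashlib import sha256
import hmac


class Factor(Enum):
    KNOW = "something you know"   # password, PIN
    HAVE = "something you have"   # token, badge, certificate
    ARE = "something you are"     # voiceprint or other biometric


def _digest(value: str) -> bytes:
    return sha256(value.encode()).digest()


@dataclass(frozen=True)
class Identity:
    """Step 1 (identification): one asserted username plus its enrolled credentials."""
    username: str
    enrolled: dict  # Factor -> digest of the enrolled credential


@dataclass(frozen=True)
class Policy:
    """Which factor types a single identity must prove.

    `alternatives` is a tuple of frozensets; satisfying any one of them is enough.
    ({KNOW}, {HAVE}) means "password OR token": two credentials available, but an
    attacker only has to defeat one, so it is single factor.  ({KNOW, HAVE},)
    means "password AND token": genuinely two-factor.
    """
    alternatives: tuple

    def strength(self) -> int:
        """Number of factor types an attacker must defeat: the weakest alternative."""
        return min(len(alt) for alt in self.alternatives)

    def is_multi_factor(self) -> bool:
        return self.strength() >= 2


def authenticate(identity: Identity, presented: dict, policy: Policy) -> bool:
    """Step 2 (authentication): verify exactly one asserted identity.

    `presented` maps Factor -> credential value offered for *this* identity.  Only
    factors that match this identity's own enrolled values count; someone else's
    credentials never contribute.
    """
    verified = {
        factor for factor, value in presented.items()
        if factor in identity.enrolled
        and hmac.compare_digest(identity.enrolled[factor], _digest(value))
    }
    return any(alt <= verified for alt in policy.alternatives)


def authorize(quorum: int, authenticated_users: set) -> bool:
    """Step 3 (split authorization): the action needs `quorum` distinct identities,
    each of which already passed authenticate() on its own."""
    return len(authenticated_users) >= quorum


def demo() -> dict:
    """Run the scenarios from the discussion and return the outcomes by name."""
    alice = Identity("alice", {Factor.KNOW: _digest("correct horse"),
                               Factor.HAVE: _digest("TOKEN-123456")})
    bob = Identity("bob", {Factor.KNOW: _digest("battery staple"),
                           Factor.ARE: _digest("bob-voiceprint-sample")})

    either = Policy((frozenset({Factor.KNOW}), frozenset({Factor.HAVE})))  # password OR token
    both = Policy((frozenset({Factor.KNOW, Factor.HAVE}),))                # password AND token
    know_and_are = Policy((frozenset({Factor.KNOW, Factor.ARE}),))

    results = {
        "either_is_single_factor": not either.is_multi_factor(),
        "both_is_multi_factor": both.is_multi_factor(),
        "alice_pw_only_either": authenticate(alice, {Factor.KNOW: "correct horse"}, either),
        "alice_pw_only_both": authenticate(alice, {Factor.KNOW: "correct horse"}, both),
        "alice_pw_token_both": authenticate(
            alice, {Factor.KNOW: "correct horse", Factor.HAVE: "TOKEN-123456"}, both),
        # Bob's password offered under Alice's name: each identity is verified separately.
        "bob_creds_for_alice": authenticate(alice, {Factor.KNOW: "battery staple"}, both),
    }

    # Two-person rule: one authenticated identity is not enough, two are.
    authed = set()
    if results["alice_pw_token_both"]:
        authed.add("alice")
    results["one_person_quorum2"] = authorize(2, authed)
    if authenticate(bob, {Factor.KNOW: "battery staple",
                          Factor.ARE: "bob-voiceprint-sample"}, know_and_are):
        authed.add("bob")
    results["two_people_quorum2"] = authorize(2, authed)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that the quorum check never sees credentials at all: it only counts identities that each cleared their own authentication step, which is exactly why the two-person case is an authorization property rather than a second factor.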