Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Nick Owen <nickowen () mindspring com>
Date: Fri, 10 Aug 2007 13:21:43 -0400
jsewell () jsewell com wrote:
I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob. Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In other words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans his retina, and Sally enters a her PIN. This is obviously wrong. Bob says "prove it". So I've scoured the net and books for something that describes multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything. Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking? Thanks!
The question here is what is the definition of authentication. I suggest the Free online Dictionary of computing: http://foldoc.org/index.cgi?query=authentication&action=Search "<security> The verification of the identity of a person or process. In a communication system, authentication verifies that messages really come from their stated source, like the signature on a (paper) letter. The most common form of authentication is typing a user name (which may be widely known or easily guessable) and a corresponding password that is presumed to be known only to the individual being authenticated. " By using more than one person's factor of authentication, Jim, Mike and Sally are defeating the authentication mechanism, not changing the definition. HTH, Nick -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication irc.freenode.net: #wikid
Current thread:
- Multi-Factor Authentication Concern jsewell (Aug 10)
- RE: Multi-Factor Authentication Concern Dutton, Larry (Aug 10)
- Re: Multi-Factor Authentication Concern Roch (Aug 10)
- RE: Multi-Factor Authentication Concern Dan Denton (Aug 10)
- Re: Multi-Factor Authentication Concern Nick Owen (Aug 10)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 10)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 14)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 15)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 14)
- Re: Multi-Factor Authentication Concern Jason Sewell (Aug 14)
- RE: Multi-Factor Authentication Concern Justin Ross (Aug 14)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 14)
- RE: Multi-Factor Authentication Concern Dave Lewis (Aug 14)
- RE: Multi-Factor Authentication Concern David Harley (Aug 15)
- RE: Multi-Factor Authentication Concern Devin Rambo (Aug 14)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 14)
- RE: Multi-Factor Authentication Concern Dutton, Larry (Aug 10)