Security Basics mailing list archives

Re: Multi-Factor Authentication Concern


From: "Francois Yang" <francois.y () gmail com>
Date: Mon, 13 Aug 2007 13:44:41 -0500

I think there's a confusion in the way the term is used.
Multi-factor meaning multiple factors to authenticate ONE person.
Not multiple ways to authenticate multiple people.

A factor could be regarded as password, id card, retina scan,
fingerprint, etc....
So a multi-factor authentication system would require one person to
use two or more factors to authenticate.

So bob would have to use a password and finger print to authenticate.

Also most of those systems are set to what it can do.
So you can't have all the options and pick and choose which one you want to do.
Like, you won't see a system with password, retina scan, finger print,
id card, etc..and say I want to only use these two authentications out
of the 10 to authenticate the users. Unless I'm wrong.

Hope that makes sense.

On 8/13/07, Chris Barber <cmbarber () gmail com> wrote:
OK, let's take this down to the very basics. Single factor authentication.....
If Bob were to think about it just a bit harder it would be obvious to
him as well.
If Sally knew Mike's Username and used her password she would not get
in, even though both were values in the authentication database.

Now we expand the Database to hold more fields (Identity, Password,
Retina Print, Badge number, etc.).  All fields must match one record
in the database or no access is allowed.

                             Secure Programming 101...

My thoughts, simple as they are.
Chris.

On 10 Aug 2007 15:21:32 -0000, jsewell () jsewell com <jsewell () jsewell com> wrote:
I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob.


Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In 
other words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans 
his retina, and Sally enters her PIN.


This is obviously wrong. Bob says "prove it". So I've scoured the net and books for something that describes 
multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything.


Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking?


Thanks!




-- 
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. — White House Cybersecurity
Advisor, Richard Clarke
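The point Chris and Francois make (every factor must match the one record for the person being authenticated, not merely some record somewhere) is easy to show in code. The example below is added here and is not from any poster; the user database, the badge and retina values, and the PINs are constructed sample data. It puts Bob's rule ("each factor matches somebody") next to the correct rule ("all factors match the claimed identity's record, and at least two factors are presented") and shows that the Jim-badge / Mike-retina / Sally-PIN combination from the original question passes the first and fails the second.

```python
import hashlib
import hmac
import os

# --- Constructed sample data (not real credentials) -------------------------

def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored PIN never sits in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def make_record(pin: str, badge: str, retina: str) -> dict:
    """One record binds every factor to one identity (Chris's 'all fields
    must match one record' rule depends on this binding)."""
    salt = os.urandom(16)
    return {"salt": salt, "pin": _hash_secret(pin, salt),
            "badge": badge, "retina": retina}

# identity -> record of the factors that belong to that identity
USERS = {
    "jim":   make_record(pin="1111", badge="BADGE-JIM",   retina="RETINA-JIM"),
    "mike":  make_record(pin="2222", badge="BADGE-MIKE",  retina="RETINA-MIKE"),
    "sally": make_record(pin="3333", badge="BADGE-SALLY", retina="RETINA-SALLY"),
}

# --- Factor comparison -------------------------------------------------------

def _factor_matches(record: dict, factor: str, value: str) -> bool:
    """Compare one presented factor against one record, in constant time."""
    if factor == "pin":
        return hmac.compare_digest(record["pin"], _hash_secret(value, record["salt"]))
    stored = record.get(factor)
    return stored is not None and hmac.compare_digest(stored.encode(), value.encode())

# --- Bob's rule (wrong) ------------------------------------------------------

def bobs_check(presented: dict) -> bool:
    """Each factor only has to match *some* record in the database.
    Three different people can jointly open the door."""
    return all(
        any(_factor_matches(rec, factor, value) for rec in USERS.values())
        for factor, value in presented.items()
    )

# --- Multi-factor rule (correct) --------------------------------------------

def verify_multi_factor(identity: str, presented: dict, required: int = 2) -> bool:
    """All presented factors must match the single record of the claimed
    identity, and at least `required` distinct factors must be presented."""
    record = USERS.get(identity)
    if record is None or len(presented) < required:
        return False
    return all(_factor_matches(record, factor, value)
               for factor, value in presented.items())

if __name__ == "__main__":
    mixed = {"badge": "BADGE-JIM", "retina": "RETINA-MIKE", "pin": "3333"}
    print("Bob's rule lets the mixed trio in:", bobs_check(mixed))
    print("Claimed as Jim, mixed trio:", verify_multi_factor("jim", mixed))
    print("Jim with his own badge and PIN:",
          verify_multi_factor("jim", {"badge": "BADGE-JIM", "pin": "1111"}))
    print("Jim with badge only (single factor):",
          verify_multi_factor("jim", {"badge": "BADGE-JIM"}))
```

Note that the correct version needs a claimed identity as input: without knowing whose record to compare against, the system can only fall back to "does this factor exist anywhere", which is exactly Bob's rule. The `required` parameter enforces the "two or more factors" part of Francois's definition; it counts distinct factor types, so a password entered twice is still one factor.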
