Security Basics mailing list archives

Re: Multi-Factor Authentication Concern


From: Kevin Wilcox <kevin () tux appstate edu>
Date: Tue, 14 Aug 2007 09:22:46 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kevin Wilcox wrote:

> Another scenario would be on-line banking. Suppose you and your business
> partner have access to the same account. You decide to use web-based
> banking. To access the account information you have to login using a
> password then enter a PIN. To gain access to the account details you
> would not login using your password then enter your partner's PIN - you
> would use *your* password and *your* PIN. Like the data centre scenario,
> just because more than one person has access to a resource doesn't mean
> you allow authentication credentials from anyone with access - it
> destroys the concept of accountability. Instead you require that all of
> the authentication credentials come from the same person so you know who
> to hold accountable if something happens (and because it could be the
> law in your vicinity).

As a quick follow-up to my own post, aye, I'm aware that password + PIN
is not two-factor, I was just using it as a "quick and dirty" example.

kmw
- --
Kevin Wilcox
Network Support Services
http://www.nss.appstate.edu
Office: 828.262.6259
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGwayksKMTOtQ3fKERAmhBAJ9Mujzy8+rwyCUZHQspBjsq4bodkwCfUmeP
ltqRmL23sGNs6W2chAFb3NM=
=r2Bl
-----END PGP SIGNATURE-----
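The accountability point in the post above, shown as code. This is an added example, not code from the original message or its author: it models the joint bank account scenario with two constructed users ("alice", "bob"), constructed passwords and PINs, and a constructed account id "acct-42". `login_loose` is the anti-pattern the post warns against (any member's password plus any member's PIN is accepted, and the result names nobody); `login_strict` verifies both factors against the same named user and returns that user as the accountable principal. PBKDF2 with per-user salts stands in for whatever credential hashing a real system would use.

```python
"""Binding every authentication factor to one principal.

Added example (not part of the original mailing-list post). Two partners
can reach the same account, but a login must present ONE person's password
and ONE person's PIN so the resulting session is attributable to that
person. All names, secrets and the account id below are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

_ITER = 100_000  # PBKDF2 iterations; a stand-in for a real password hasher


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, _ITER)


def _make_user(password: str, pin: str) -> dict:
    # Each factor gets its own random salt and is stored only as a hash.
    pw_salt, pin_salt = os.urandom(16), os.urandom(16)
    return {
        "pw_salt": pw_salt, "pw_hash": _hash(password, pw_salt),
        "pin_salt": pin_salt, "pin_hash": _hash(pin, pin_salt),
    }


# Constructed credential store: each user owns their own password and PIN.
USERS = {
    "alice": _make_user("alice-password", "1234"),
    "bob": _make_user("bob-password", "9876"),
}

# Shared resource: a joint account both partners are allowed to access.
ACCOUNT_MEMBERS = {"acct-42": {"alice", "bob"}}


def _check(user: dict, secret: str, kind: str) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    digest = _hash(secret, user[f"{kind}_salt"])
    return hmac.compare_digest(digest, user[f"{kind}_hash"])


def login_loose(account: str, password: str, pin: str) -> bool:
    """Anti-pattern: accepts any member's password with any member's PIN.

    A mixed login (alice's password, bob's PIN) passes, and nothing in the
    result says who actually logged in, so no one can be held accountable.
    """
    members = ACCOUNT_MEMBERS.get(account, set())
    pw_ok = any(_check(USERS[m], password, "pw") for m in members)
    pin_ok = any(_check(USERS[m], pin, "pin") for m in members)
    return pw_ok and pin_ok


def login_strict(account: str, username: str, password: str, pin: str) -> Optional[str]:
    """Correct form: both factors are verified against the SAME named user,
    who must also be a member of the account.

    Returns the accountable principal on success, None on any failure.
    """
    user = USERS.get(username)
    if user is None or username not in ACCOUNT_MEMBERS.get(account, set()):
        return None
    # Evaluate both factors (no short-circuit) so a wrong password and a
    # wrong PIN take the same path and give the same answer.
    pw_ok = _check(user, password, "pw")
    pin_ok = _check(user, pin, "pin")
    return username if (pw_ok and pin_ok) else None


if __name__ == "__main__":
    # Mixed factors: alice's password with bob's PIN.
    print("loose accepts mixed factors:", login_loose("acct-42", "alice-password", "9876"))
    print("strict rejects mixed factors:", login_strict("acct-42", "alice", "alice-password", "9876"))
    print("strict with alice's own factors ->", login_strict("acct-42", "alice", "alice-password", "1234"))
```

The value `login_strict` returns is the thing to write into the audit log: a session on the shared account is always tied to the one person whose factors were both presented, which is exactly what the loose form cannot provide.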
