Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Mike Lococo <mike.lococo () nyu edu>
Date: Tue, 14 Aug 2007 14:58:40 -0400
I looked at all of the suggested links, including the Wikipedia article, and I cannot find anything that explicitly states that the factors in a multi-factor authentication system must all be from the same person.
Because authentication is, by definition, the process of verifying an asserted identity (that statement is easy to find references for, including the Wikipedia article on authentication). An access control system must authenticate _each_ identity separately, even when several identities are involved in a single transaction and even if the process is streamlined to 'feel' as though it's a single action.

As you're thinking and speaking about this, remember the difference between identification, authentication, and authorization.

1) Identification: Your identity is your username in the system. You may have to say it, or type it, or it may be inferred from a retinal scan or whatever. As a basic access control principle, every individual must have an identity. Anytime you're accepting credentials from more than one individual, you are _by_definition_ performing more than one authentication.

2) Authentication: An identity is authenticated via password, or voiceprint, or token, or whatever. If only one type is required, it's single factor. If more than one type is required, it's multi-factor. If more than one type is available (you have a token and a password), but either is sufficient (you can log in with your password even if you lost the token), it's still single factor... you just have options.

3) Authorization: Once you are authenticated, you may or may not be _authorized_ to access the resource you're interested in. If a system requires more than one user to authenticate in order to authorize an action, it implements split-authentication or split-authorization (often referred to in the context of passwords/pins as split-knowledge). Each identity is still authenticated individually, but more than one is required before any are authorized.

You're talking about multi-factor authentication. Your friend is talking about split-knowledge/authentication/authorization.
No authoritative source on IDM or access-control is going to talk about whether multi-factor authentication involves multiple identities because it's well-established that all authentication schemes have as their basic goal the verification of a single asserted identity. Authorization schemes exist that require multiple identities to be involved in a single transaction (nukes and expensive safe-deposit boxes work this way), but each is always authenticated individually.

Thanks,
Mike Lococo
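
Added example, not part of the original message: a minimal Python sketch of the distinction drawn above, with multi-factor authentication checked per identity and split authorization layered on top as a quorum of individually authenticated identities. The user names, secrets, static token codes and function names are constructed for illustration.

```python
import hashlib
import hmac

def _digest(secret: str) -> str:
    # Illustration only: a real system uses a slow password KDF and real OTPs.
    return hashlib.sha256(secret.encode()).hexdigest()

# Constructed enrollment data: every identity has its OWN factors.
ENROLLED = {
    "alice": {"password": _digest("correct horse"), "token": _digest("492871")},
    "bob": {"password": _digest("battery staple"), "token": _digest("118204")},
}

def factors_verified(identity, presented):
    """Factor types that verify against ONE asserted identity."""
    enrolled = ENROLLED.get(identity, {})
    return {
        kind for kind, secret in presented.items()
        if kind in enrolled
        and hmac.compare_digest(enrolled[kind], _digest(secret))
    }

def authenticate(identity, presented, required_types):
    """Multi-factor: all required types must verify for the same identity."""
    required = set(required_types)
    return bool(required) and required <= factors_verified(identity, presented)

def authenticate_either(identity, presented):
    """Either factor suffices: still single factor, the user just has options."""
    return len(factors_verified(identity, presented)) >= 1

def authorize_split(claims, required_types, quorum):
    """Split authorization: authenticate each identity individually, then
    require `quorum` distinct authenticated identities before authorizing."""
    authenticated = {
        identity for identity, presented in claims
        if authenticate(identity, presented, required_types)
    }
    return len(authenticated) >= quorum

if __name__ == "__main__":
    both = {"password", "token"}
    # Alice's password plus Bob's token is not two-factor for anyone.
    print(authenticate("alice", {"password": "correct horse", "token": "118204"}, both))
    # Two people, one factor each: split authorization of single-factor logins.
    print(authorize_split([("alice", {"password": "correct horse"}),
                           ("bob", {"password": "battery staple"})],
                          {"password"}, quorum=2))
```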