Security Basics mailing list archives

RE: Multi-Factor Authentication Concern


From: "Mngadi, Simphiwe (SS)" <Simphiwe.Mngadi () sasol com>
Date: Tue, 14 Aug 2007 11:57:20 +0200

All three are accountable; I don't see the logic in your hypothesis. In
any case, authentication should be monitored, and your concern should have
been built into the security system.

my R0.21 worth.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Kevin Wilcox
Sent: 10 August 2007 19:12 PM
To: jsewell () jsewell com
Cc: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jsewell () jsewell com wrote:
I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.

Bob claims that in a multi-factor authentication system, the factors
don't need to identify the same person. In other words, Bob thinks
it's perfectly OK for the door to the data-center to open when Jim
badges in, Mike scans his retina, and Sally enters her PIN.

This is obviously wrong. Bob says "prove it". So I've scoured the net
and books for something that describes multi-factor authentication as
requiring that all factors identify the same person. So far, I can't
find anything.

Is it so obvious that nobody has bothered to write it down, or am I
wrong in my thinking?

Yes, it is so obvious that nobody has bothered to write it down.

Using your names, let's say all of those people are authorized to
get into the data centre. Mike watches Sally enter her PIN as they all
go in together one day. A few days later, he decides he wants to do
something horrid and blame it on Jim and Sally (childish hypothetical
situation but surprisingly not uncommon). Mike, being the nefarious
individual that he is, pockets Jim's badge and proceeds to the data
centre. He swipes Jim's badge, lets his retina get scanned then enters
Sally's PIN. That completely defeats the purpose of multi-factor
authentication because it appears as if all three individuals are
attempting to gain entry into the data centre versus authenticating a
single person (note I didn't say it defeated the authentication, just
the purpose). To *properly* authenticate Mike the system should require
*he* scan his badge, *his* retina be scanned and *his* PIN be entered.

Just my $0.02.

kmw


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGvJxbsKMTOtQ3fKERAvbdAJ94KdBz8tJePLX4SEx2df9/fSHTZwCfc0LR
JIcPFoRNcm+62qTKNwH3uSc=
=jno+
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
NOTICE: Please note that this eMail, and the contents thereof, 
is subject to the standard Sasol eMail legal notice which may be found at: 
http://www.sasol.com/legalnotices

If you cannot access the legal notice through the URL attached and you wish 
to receive a copy thereof please send an eMail to 
legalnotice () sasol com
----------------------------------------------------------------------------


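The scenario Kevin describes, as an added example that is not part of the thread: a door controller checked two ways. `flawed_authenticate` is Bob's model (each factor only has to belong to some enrolled person); `authenticate` is Kevin's model (the badge asserts one identity and the retina and PIN must verify that same identity), and it writes the mismatch to an audit log, which is the monitoring point raised in the reply above. The names, badge serials, retina match tokens, PINs and the salted PBKDF2 storage of PINs are all my own constructed choices for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed enrollment data (hypothetical names and values, not from the thread).
# Possession factor: badge serial -> enrolled subject.
BADGES: Dict[str, str] = {"badge-1001": "jim", "badge-1002": "mike", "badge-1003": "sally"}
# Inherence factor: a real reader returns the enrollment that matched; the
# opaque strings below stand in for that match result.
RETINAS: Dict[str, str] = {"retina-jim": "jim", "retina-mike": "mike", "retina-sally": "sally"}

PBKDF2_ROUNDS = 50_000


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def _enroll_pin(pin: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_pin(pin, salt)


# Knowledge factor, stored salted and hashed per subject (constructed PINs).
PINS: Dict[str, Tuple[bytes, bytes]] = {
    "jim": _enroll_pin("1111"),
    "mike": _enroll_pin("2222"),
    "sally": _enroll_pin("3333"),
}

# Every decision is recorded; mismatches are the entries worth alerting on.
AUDIT_LOG: List[str] = []


@dataclass(frozen=True)
class Attempt:
    badge_id: str
    retina_match: str
    pin: str


def pin_matches(subject: str, pin: str) -> bool:
    """Verify a PIN against one subject's record (constant-time digest compare)."""
    record = PINS.get(subject)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(_hash_pin(pin, salt), digest)


def flawed_authenticate(a: Attempt) -> bool:
    """Bob's model: each factor only has to belong to *some* enrolled person,
    with no check that all three belong to the same one."""
    badge_ok = a.badge_id in BADGES
    retina_ok = a.retina_match in RETINAS
    pin_ok = any(pin_matches(s, a.pin) for s in PINS)
    return badge_ok and retina_ok and pin_ok


def authenticate(a: Attempt) -> Optional[str]:
    """Kevin's model: the badge asserts an identity, and the other two factors
    must verify *that* identity. Returns the subject on success, else None."""
    claimed = BADGES.get(a.badge_id)
    if claimed is None:
        AUDIT_LOG.append(f"DENY unknown badge {a.badge_id}")
        return None
    retina_subject = RETINAS.get(a.retina_match)
    if retina_subject != claimed:
        # A factor that verifies as a *different* enrolled person is exactly the
        # mixed-credential case in the thread, so it gets a distinct log line.
        AUDIT_LOG.append(f"DENY mismatch: badge={claimed} retina={retina_subject}")
        return None
    if not pin_matches(claimed, a.pin):
        AUDIT_LOG.append(f"DENY pin does not verify for {claimed}")
        return None
    AUDIT_LOG.append(f"ALLOW {claimed}")
    return claimed


if __name__ == "__main__":
    # Mike presenting Jim's badge, his own retina and Sally's PIN.
    mixed = Attempt("badge-1001", "retina-mike", "3333")
    print("flawed model grants:", flawed_authenticate(mixed))
    print("correct model grants:", authenticate(mixed))
    print("\n".join(AUDIT_LOG))
```

Run stand-alone it shows the flawed check admitting the mixed attempt while the correct check denies it and logs which factors disagreed. Binding the other factors to the identity the badge claims, rather than looking each one up independently, is what makes the PIN a verification of one person instead of a search for anyone it might belong to.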