Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Chad Perrin <perrin () apotheon com>
Date: Tue, 14 Aug 2007 22:21:17 -0600
On Tue, Aug 14, 2007 at 03:11:09PM -0400, Devin Rambo wrote:
I would say that this does not fit the commonly understood definition of multi-factor authentication, per se. There may in fact be multiple factors used to authenticate a person with the nuclear key codes (at least, I would hope so). I don't know if there's an actual common term for adding the requirement of having additional people authenticate in order to gain access to a system, but I would say that this is an example of multi-layered multi-factor authentication. You can require that two people enter their passwords correctly; to me that would be multi-layer, single-factor authentication. Or you can have three people required to correctly enter passwords AND have their retinas scanned, which would be multi-factor, multi-layer. The number of people being authenticated is discrete from the number of factors used, and in the case of the nuclear sub example, layers are being added as a check when the judgement of a human being must be evaluated as part of the authentication process. You wouldn't someone who's had a mental breakdown to have sole access to the nuclear button, just to cite one example.
You're talking about the difference between authentication (determining the authenticity of the identity the person is trying to use to access the system) and authorization (the level of authority the person has assuming he or she has been authenticated). One might refer to a combination of two or more authentication options from among "something you know", "something you have", and "something you are" as multi-factor authentication, whereas needing two or more people of a particular level of authority or greater might be called multi-factor authorization. These are quite distinct concepts, as you pointed out. -- CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ] Paul Graham: "Real ugliness is not harsh-looking syntax, but having to build programs out of the wrong concepts."
Current thread:
- Re: Multi-Factor Authentication Concern, (continued)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 10)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 14)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 15)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 14)
- Re: Multi-Factor Authentication Concern Jason Sewell (Aug 14)
- RE: Multi-Factor Authentication Concern Justin Ross (Aug 14)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 14)
- RE: Multi-Factor Authentication Concern Dave Lewis (Aug 14)
- RE: Multi-Factor Authentication Concern David Harley (Aug 15)
- RE: Multi-Factor Authentication Concern Devin Rambo (Aug 14)
- Re: Multi-Factor Authentication Concern Chad Perrin (Aug 15)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 14)
- Re: Multi-Factor Authentication Concern Roch (Aug 14)
- RE: Multi-Factor Authentication Concern Tony Reusser (Aug 15)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 10)
- RE: Multi-Factor Authentication Concern Uber Wannabe (Aug 15)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 16)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 15)
- Re: Multi-Factor Authentication Concern Mike Lococo (Aug 14)
- RE: Multi-Factor Authentication Concern Tep, Tom M. (CDC/CCHP/NCCDPHP) (Aug 15)
- RE: Multi-Factor Authentication Concern David Gillett (Aug 15)
- Re: Multi-Factor Authentication Concern Cristina & Fernando (Aug 15)
- Re: Multi-Factor Authentication Concern Ryan Chow (Aug 16)