Security Basics mailing list archives

Re: Multi-Factor Authentication Concern


From: Yves Bourdic <yvesbourdic () wanadoo fr>
Date: Wed, 15 Aug 2007 11:26:51 -0400

Hi,

Maybe this will help.
The objective of access control is to provide:
1) Identification - How to identify an entity? (userid,...)
2) Authentication - How to make sure the entity is the proper one? (passwords,...)
3) Accounting - How to keep a trace of who accesses the system? (logs,...)

There are three known ways to provide authentication, based on:
1) Something you know (a password, a passphrase, a cultural secret,...)
2) Something you have (a key, a smartcard,...)
3) Something you are (any biometric system)

What we call multi-factor authentication is a system that provides more than one way of authentication based on the list above.
e.g.:
A) "After being identified with a userid I provide to connect to a system, I provide a password to authenticate myself." The password is something I know, so this is a one-factor authentication system.

B) "After being identified with an ID card I provide to enter a room, I provide my fingerprint to authenticate myself." The fingerprint represents something I am, so this is a one-factor authentication system.

If I do B) followed by A) this is considered a dual authentication system (1 & 1) because I identify myself twice and I authenticate myself each time.

C) "After being identified with a userid I provide to connect to a system, I provide a password I generate with a card and a PIN code." The PIN code is something I know and the card is something I have, so this is a two-factor authentication system.

The last example is a multi-factor (more than one) authentication system. I identify myself once and provide two ways to authenticate myself.

To answer Bob: in access control we separate Identification and Authentication. The access control Bob describes is a mixture of multi-identification and multi-authentication.

Hope this will help.

YB

On 10-Aug-07, at 11:21 AM, jsewell () jsewell com wrote:

I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob.

Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In other words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans his retina, and Sally enters her PIN.

This is obviously wrong. Bob says "prove it". So I've scoured the net and books for something that describes multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything.

Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking?

Thanks!
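The distinction Yves draws above (his cases A and C, plus the rule that strength counts distinct factor categories rather than credentials) and the door scheme Bob proposes in the quoted question, modelled as an added Python example that is not part of the original thread; the `Proof`/`Outcome` types, the `authenticate` function and the named subjects are constructed for illustration:

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"   # password, passphrase, PIN
    HAVE = "something you have"   # key, smartcard, token card
    ARE = "something you are"     # biometric


@dataclass(frozen=True)
class Proof:
    subject: str    # identity the credential is registered to
    factor: Factor  # category of the credential
    valid: bool     # did the credential verify?


class Outcome(Enum):
    REJECTED_INVALID = "rejected: a credential failed verification"
    REJECTED_SUBJECT_MISMATCH = "rejected: credentials are not all bound to the identified subject"
    SINGLE_FACTOR = "accepted: one factor category"
    MULTI_FACTOR = "accepted: two or more factor categories"


def authenticate(identified_subject: str, proofs: list[Proof]) -> Outcome:
    """Identification names the subject first; every credential presented
    afterwards must verify AND be registered to that same subject.
    Strength is the number of distinct categories, not of credentials."""
    if not proofs or any(not p.valid for p in proofs):
        return Outcome.REJECTED_INVALID
    if any(p.subject != identified_subject for p in proofs):
        return Outcome.REJECTED_SUBJECT_MISMATCH  # three people with one credential each authenticate nobody
    categories = {p.factor for p in proofs}
    return Outcome.MULTI_FACTOR if len(categories) >= 2 else Outcome.SINGLE_FACTOR


# Constructed scenarios; subjects and credentials are illustrative only.
CASE_A = ("alice", [Proof("alice", Factor.KNOW, True)])                # userid, then password
CASE_C = ("alice", [Proof("alice", Factor.KNOW, True),                 # PIN ...
                    Proof("alice", Factor.HAVE, True)])                # ... plus token card
TWO_SECRETS = ("alice", [Proof("alice", Factor.KNOW, True),            # password ...
                         Proof("alice", Factor.KNOW, True)])           # ... plus passphrase: still one factor
BOBS_DOOR = ("jim", [Proof("jim", Factor.HAVE, True),                  # Jim badges in
                     Proof("mike", Factor.ARE, True),                  # Mike scans his retina
                     Proof("sally", Factor.KNOW, True)])               # Sally enters her PIN

if __name__ == "__main__":
    for label, (subject, proofs) in [("A", CASE_A), ("C", CASE_C),
                                     ("two secrets", TWO_SECRETS), ("Bob's door", BOBS_DOOR)]:
        print(f"{label:>11}: {authenticate(subject, proofs).value}")
```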
