Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Tue, 14 Aug 2007 08:58:37 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mngadi, Simphiwe (SS) wrote:

> All three are accountable; I don't see the logic in your hypothesis. Anyway, authentication should be monitored, and your concern should have been built into the security system.
All three *are* accountable and therein lies the problem - only *one* of the individuals actually entered the data centre but it appears as if all three of them entered. Authentication is not only a method for authorization, it is a method of accounting for who accessed what resources. Just because all three of them are authorized to be in the data centre doesn't mean that any one of them should be able to gain entry using the credentials of the other two. One of the things multi-factor authentication attempts to address is the scenario where an individual can pass themselves off as someone else - basically ID theft.

Another scenario would be on-line banking. Suppose you and your business partner have access to the same account. You decide to use web-based banking. To access the account information you have to log in using a password then enter a PIN. To gain access to the account details you would not log in using your password then enter your partner's PIN - you would use *your* password and *your* PIN. Like the data centre scenario, just because more than one person has access to a resource doesn't mean you allow authentication credentials from anyone with access - it destroys the concept of accountability. Instead you require that all of the authentication credentials come from the same person so you know who to hold accountable if something happens (and because it could be the law in your vicinity).

That said, there *are* times when group level access may be desired and a "piece of the key" from each person is acceptable (or required) - if that is the case then the original question is moot.

I hate relying on hypothetical examples but it really does come down to "what are you trying to accomplish with your authentication methods?" and "what are the laws in your area?". If group accountability is your goal then it suffices to allow credentials from anyone at any stage in the process (just make sure you have other accountability measures in place). If you want granular accountability at the individual level then all of the credentials must come from the same individual.

I hope that helps.

kmw

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGwab6sKMTOtQ3fKERAsTQAJ4p3VaL48KmMNpOx2T6ZmwdoWfqfACfTltF
5yojC7HzWEujHd5x1OT56xk=
=lXuR
-----END PGP SIGNATURE-----
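The design point in Kevin's reply, that every factor must be verified against the *same* claimed identity rather than against the pool of authorized people, is easy to get wrong in code. The following is an added illustration, not code from the list post or from any product discussed in the thread. It contrasts a flawed "pooled" check (any valid password from the group plus any valid PIN from the group opens the door, so the audit trail cannot say who entered) with an identity-bound check that ties both factors to one principal. The names, secrets and the `DIRECTORY` structure are constructed for the example; `hashlib.pbkdf2_hmac` and `hmac.compare_digest` are standard-library calls.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 50_000  # PBKDF2 work factor; raise for production


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored verifiers are not the raw secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


@dataclass(frozen=True)
class Principal:
    name: str
    pw_salt: bytes
    pw_hash: bytes
    pin_salt: bytes
    pin_hash: bytes


def make_principal(name: str, password: str, pin: str) -> Principal:
    pw_salt, pin_salt = os.urandom(16), os.urandom(16)
    return Principal(name, pw_salt, _derive(password, pw_salt),
                     pin_salt, _derive(pin, pin_salt))


# Constructed sample directory: three people, all authorized for the
# same data centre (hypothetical names and secrets).
DIRECTORY = {p.name: p for p in [
    make_principal("alice", "correct-horse", "1234"),
    make_principal("bob", "battery-staple", "5678"),
    make_principal("carol", "tr0ub4dor", "9012"),
]}


def _matches(secret: str, salt: bytes, expected: bytes) -> bool:
    # Constant-time comparison of the derived value against the stored one.
    return hmac.compare_digest(_derive(secret, salt), expected)


def authenticate_pooled(password: str, pin: str) -> set[str]:
    """Flawed design from the thread: the password is accepted if it belongs
    to *anyone* in the group, and so is the PIN. Returns every principal the
    evidence is consistent with; when the factors came from two different
    people the result is ambiguous and nobody can be held accountable."""
    pw_owners = {n for n, p in DIRECTORY.items()
                 if _matches(password, p.pw_salt, p.pw_hash)}
    pin_owners = {n for n, p in DIRECTORY.items()
                  if _matches(pin, p.pin_salt, p.pin_hash)}
    if pw_owners and pin_owners:
        return pw_owners | pin_owners  # door opens; identity unresolved
    return set()


def authenticate_bound(claimed: str, password: str, pin: str):
    """Identity-bound check: both factors must verify against the single
    principal being claimed. Returns that name on success, else None, so the
    access log records exactly one accountable person."""
    p = DIRECTORY.get(claimed)
    if p is None:
        return None
    ok = _matches(password, p.pw_salt, p.pw_hash) and \
        _matches(pin, p.pin_salt, p.pin_hash)
    return p.name if ok else None


if __name__ == "__main__":
    # Alice's password with Bob's PIN: the pooled check lets it through.
    print(authenticate_pooled("correct-horse", "5678"))   # {'alice', 'bob'}
    # The bound check refuses the mixed credentials...
    print(authenticate_bound("alice", "correct-horse", "5678"))  # None
    # ...and accepts only a complete set from one person.
    print(authenticate_bound("alice", "correct-horse", "1234"))  # alice
```

Whether `authenticate_pooled` is a bug depends on the goal Kevin describes: if the policy really is group-level access, a split-key scheme is the right tool and the ambiguity is intended; if the policy is individual accountability, only the bound form produces a log entry you can act on.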
Current thread:
- Multi-Factor Authentication Concern jsewell (Aug 10)
- RE: Multi-Factor Authentication Concern Dutton, Larry (Aug 10)
- Re: Multi-Factor Authentication Concern Roch (Aug 10)
- RE: Multi-Factor Authentication Concern Dan Denton (Aug 10)
- Re: Multi-Factor Authentication Concern Nick Owen (Aug 10)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 10)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 14)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 15)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 14)
- Re: Multi-Factor Authentication Concern Jason Sewell (Aug 14)
- RE: Multi-Factor Authentication Concern Justin Ross (Aug 14)
- Re: Multi-Factor Authentication Concern Kevin Wilcox (Aug 14)
- RE: Multi-Factor Authentication Concern Dave Lewis (Aug 14)
- RE: Multi-Factor Authentication Concern David Harley (Aug 15)
- RE: Multi-Factor Authentication Concern Devin Rambo (Aug 14)
- Re: Multi-Factor Authentication Concern Chad Perrin (Aug 15)
- RE: Multi-Factor Authentication Concern Mngadi, Simphiwe (SS) (Aug 14)
- Re: Multi-Factor Authentication Concern Roch (Aug 14)
- RE: Multi-Factor Authentication Concern Tony Reusser (Aug 15)
- RE: Multi-Factor Authentication Concern Dutton, Larry (Aug 10)