Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Tue, 14 Aug 2007 09:26:24 -0400
Kevin Wilcox wrote:
Another scenario would be on-line banking. Suppose you and your business partner have access to the same account. You decide to use web-based banking. To access the account information you have to log in using a password then enter a PIN. To gain access to the account details you would not log in using your password then enter your partner's PIN - you would use *your* password and *your* PIN. Like the data centre scenario, just because more than one person has access to a resource doesn't mean you allow authentication credentials from anyone with access - it destroys the concept of accountability. Instead you require that all of the authentication credentials come from the same person so you know who to hold accountable if something happens (and because it could be the law in your vicinity).
My previous follow-up to this reported as failed so if this comes through twice, my apologies.

Yes, I'm aware that using password + PIN *may* qualify as strong authentication but does *NOT* qualify as multi-factor. I was just using that as a quick example.

kmw
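The banking scenario in the message above, as an added example that is not part of the original post: a check that accepts any valid password plus any valid PIN from the people with access, next to one that binds both credentials to a single claimed identity and records who was granted access. The user names, secrets, function names and PBKDF2 parameters are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def _hash(secret: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are illustrative, not a tuning recommendation.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _enrol(password: str, pin: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash(password, salt), "pin": _hash(pin, salt)}

# Constructed sample data: two partners with access to the same account.
ACCOUNT_USERS = {
    "alice": _enrol("alice-password", "4821"),
    "bob": _enrol("bob-password", "7310"),
}

def _matches(user: str, field: str, secret: str) -> bool:
    rec = ACCOUNT_USERS[user]
    return hmac.compare_digest(rec[field], _hash(secret, rec["salt"]))

def login_pooled(password: str, pin: str) -> bool:
    """Flawed: each credential is checked against everyone with access."""
    pw_ok = any(_matches(u, "pw", password) for u in ACCOUNT_USERS)
    pin_ok = any(_matches(u, "pin", pin) for u in ACCOUNT_USERS)
    return pw_ok and pin_ok  # access is granted, but to no identifiable person

def login_bound(username: str, password: str, pin: str, audit: list) -> bool:
    """Both credentials must verify against the one claimed identity."""
    ok = False
    if username in ACCOUNT_USERS:
        pw_ok = _matches(username, "pw", password)
        pin_ok = _matches(username, "pin", pin)
        ok = pw_ok and pin_ok
    # Every decision is recorded against the identity that was claimed.
    audit.append((username, "granted" if ok else "denied"))
    return ok
```

With the pooled check, Alice's password plus Bob's PIN succeeds and the audit trail cannot name one accountable person; the bound check rejects that mix.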