Security Basics mailing list archives

Re: Multi-Factor Authentication Concern


From: Chad Perrin <perrin () apotheon com>
Date: Thu, 16 Aug 2007 16:52:17 -0600

On Thu, Aug 16, 2007 at 09:36:48AM -0700, Justin Ross wrote:
> I agree. Neither "Bob" nor Chris are wholly incorrect, nor wholly
> correct. It's semantics, and the definition is in and of itself wholly
> subjective to the requirements, the people implementing it, or its use.
>
> I also agree that generally speaking, when the INFOSEC community talks
> about multi-factor authentication they are talking about a single person
> - I think that is a far cry from saying "it ALWAYS refers to".

The major problem with the disagreement here is that it seems a great
many people are not aware of the distinction between "authentication" and
"authorization".  These are two separate, discrete elements to access
control security, and should not be conflated.

When you must use two or more distinct methods to authenticate an
identity, you are using multi-factor authentication.

When you must authenticate two people to gain access, you are using
"multi-factor authorization".

The fact that there is more than one identity being authenticated does
not translate into multi-factor authentication: each individual identity
has its own authentication.  Multiple authenticated identities can be
used to provide authorization, but each authenticated identity is not
itself an authentication factor.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Thomas McCauley: "The measure of a man's real character is what he would do
if he knew he would never be found out."
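As an added illustration of the distinction drawn in the message above (example code, not from the post or its author): a single identity verified by two distinct factor categories is multi-factor authentication, whereas a grant that requires two separately authenticated identities is an authorization rule. The user names, password hashes and TOTP seeds are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed sample credential store (not from the post). Each identity has
# a "knowledge" factor (password hash) and a "possession" factor (TOTP seed).
USERS = {
    "alice": {"knowledge": hashlib.sha256(b"alice-pw").hexdigest(),
              "possession": b"alice-totp-seed"},
    "bob":   {"knowledge": hashlib.sha256(b"bob-pw").hexdigest(),
              "possession": b"bob-totp-seed"},
}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def verify_factor(user: str, category: str, proof: str, now: int) -> bool:
    """Check one proof against one factor category of one identity."""
    stored = USERS.get(user, {}).get(category)
    if stored is None:
        return False
    if category == "knowledge":
        return hmac.compare_digest(hashlib.sha256(proof.encode()).hexdigest(), stored)
    if category == "possession":
        return hmac.compare_digest(totp(stored, now), proof)
    return False

def authenticate(user: str, proofs: dict, now: int) -> frozenset:
    """Authenticate ONE identity. Returns the distinct factor categories that
    verified; an empty set means not authenticated. Every offered proof must pass."""
    if not proofs or not all(verify_factor(user, c, p, now) for c, p in proofs.items()):
        return frozenset()
    return frozenset(proofs)

def is_multi_factor(categories: frozenset) -> bool:
    """MFA is a property of a single identity's authentication."""
    return len(categories) >= 2

def authorize_dual_control(sessions: dict, required: int = 2) -> bool:
    """Authorization step: grant only when `required` DISTINCT identities are
    each authenticated (by any number of factors). Two people are not two factors."""
    return sum(1 for cats in sessions.values() if cats) >= required
```

Note that `authorize_dual_control({"alice": two_factor_session})` is refused: a strongly authenticated single identity still does not satisfy a two-person rule.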
