Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Chad Perrin <perrin () apotheon com>
Date: Thu, 16 Aug 2007 16:52:17 -0600
On Thu, Aug 16, 2007 at 09:36:48AM -0700, Justin Ross wrote:
> I agree. Neither "Bob" nor Chris are wholly incorrect, nor wholly correct. It's semantics, and the definition is in and of itself wholly subjective to the requirements, the people implementing it, or its use. I also agree that generally speaking, when the INFOSEC community talks about multi-factor authentication they are talking about a single person - I think that is a far cry from saying "it ALWAYS refers to".

The major problem with the disagreement here is that it seems a great many people are not aware of the distinction between "authentication" and "authorization". These are two separate, discrete elements to access control security, and should not be conflated. When you must use two or more distinct methods to authenticate an identity, you are using multi-factor authentication. When you must authenticate two people to gain access, you are using "multi-factor authorization". The fact that there is more than one identity being authenticated does not translate into multi-factor authentication: each individual identity has its own authentication. Multiple authenticated identities can be used to provide authorization, but each authenticated identity is not itself an authentication factor.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Thomas McCauley: "The measure of a man's real character is what he would do if he knew he would never be found out."
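
The distinction drawn in the message above, as an added example that is not part of the original thread: `authenticate` checks two factors for one identity, while `authorize` separately requires two distinct authenticated identities. The accounts, function names and two-approver policy are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code: the "something you have" factor."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash: the "something you know" factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str, salt: bytes, token: bytes) -> dict:
    return {"salt": salt, "pw": pw_hash(password, salt), "token": token, "counter": 0}

# Constructed sample accounts, not real credentials.
USERS = {
    "alice": make_user("alice-pass", b"salt-a", b"alice-token-secret"),
    "bob": make_user("bob-pass", b"salt-b", b"bob-token-secret"),
}

def authenticate(user: str, password: str, code: str) -> bool:
    """Multi-factor authentication: two factors, one identity."""
    rec = USERS.get(user)
    if rec is None:
        return False
    knows = hmac.compare_digest(pw_hash(password, rec["salt"]), rec["pw"])
    expected = hotp(rec["token"], rec["counter"])
    has = hmac.compare_digest(expected.encode(), code.encode())
    if knows and has:
        rec["counter"] += 1  # a used one-time code cannot be replayed
    return knows and has

def authorize(claims: list, required: int = 2) -> bool:
    """Two-person rule: count distinct identities that each authenticated.

    Extra factors from one person never add to the count, and extra people
    never substitute for a factor inside authenticate().
    """
    approved = {user for user, pw, code in claims if authenticate(user, pw, code)}
    return len(approved) >= required
```
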