Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Fri, 10 Aug 2007 13:11:59 -0400
jsewell () jsewell com wrote:
I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob. Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In other words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans his retina, and Sally enters her PIN. This is obviously wrong. Bob says "prove it". So I've scoured the net and books for something that describes multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything. Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking?
Yes, it is so obvious that nobody has bothered to write it down.

Using your names, let's say all of those people are authorized to get into the data centre. Mike watches Sally enter her PIN as they all go in together one day. A few days later, he decides he wants to do something horrid and blame it on Jim and Sally (childish hypothetical situation but surprisingly not uncommon). Mike, being the nefarious individual that he is, pockets Jim's badge and proceeds to the data centre. He swipes Jim's badge, lets his retina get scanned, then enters Sally's PIN.

That completely defeats the purpose of multi-factor authentication because it appears as if all three individuals are attempting to gain entry into the data centre versus authenticating a single person (note I didn't say it defeated the authentication, just the purpose). To *properly* authenticate Mike the system should require *he* scan his badge, *his* retina be scanned and *his* PIN be entered.

Just my $0.02.

kmw
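The scenario above, as an added example (not code from the thread or its participants): a toy three-factor door controller with Bob's "any valid factors" policy beside one that binds every factor to a single enrolled identity. Enrolment records, badge/retina identifiers, PINs and the salted-hash scheme are all constructed for the demo.

```python
# Added example: why all factors of an MFA check must resolve to one subject.
# Every identifier and PIN below is constructed for the demo.
import hashlib
import hmac
from typing import Optional, Set


def _pin_hash(pin: str, salt: str) -> str:
    # Toy hashing for the demo; a real system would use a slow KDF.
    return hashlib.sha256((salt + pin).encode()).hexdigest()


# Constructed enrolment table: badge id, retina template id, salted PIN hash.
ENROLLED = {
    "jim":   {"badge": "BADGE-1001", "retina": "RET-A1", "salt": "s1", "pin": _pin_hash("1234", "s1")},
    "mike":  {"badge": "BADGE-1002", "retina": "RET-B2", "salt": "s2", "pin": _pin_hash("5678", "s2")},
    "sally": {"badge": "BADGE-1003", "retina": "RET-C3", "salt": "s3", "pin": _pin_hash("2468", "s3")},
}


def _owner_of(factor: str, value: str) -> Optional[str]:
    """Return the enrolled user a badge or retina scan belongs to, if any."""
    for user, rec in ENROLLED.items():
        if rec[factor] == value:
            return user
    return None


def _pin_owners(pin: str) -> Set[str]:
    """Return every enrolled user whose PIN matches (PINs need not be unique)."""
    return {u for u, rec in ENROLLED.items()
            if hmac.compare_digest(rec["pin"], _pin_hash(pin, rec["salt"]))}


def bobs_policy(badge: str, retina: str, pin: str) -> bool:
    """Flawed: open if each factor is valid for *some* enrolled person."""
    return (_owner_of("badge", badge) is not None
            and _owner_of("retina", retina) is not None
            and bool(_pin_owners(pin)))


def bound_policy(badge: str, retina: str, pin: str) -> Optional[str]:
    """Correct: the badge claims an identity; retina and PIN must verify
    against that same identity. Returns the authenticated user or None."""
    subject = _owner_of("badge", badge)
    if subject is None or _owner_of("retina", retina) != subject:
        return None
    if subject not in _pin_owners(pin):
        return None
    return subject


if __name__ == "__main__":
    # Mike presents Jim's badge, his own retina and Sally's PIN.
    print(bobs_policy("BADGE-1001", "RET-B2", "2468"))   # True: door opens
    print(bound_policy("BADGE-1001", "RET-B2", "2468"))  # None: rejected
    print(bound_policy("BADGE-1002", "RET-B2", "5678"))  # mike
```

The audit trail is the second half of the point: the bound policy yields one subject to log, whereas Bob's policy would attribute the entry to three people at once.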