Security Basics mailing list archives
Re: Multi-Factor Authentication Concern
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Tue, 14 Aug 2007 15:46:08 -0400
Justin Ross wrote:
> I'm sorry, I have to play devil's advocate and disagree.
No need to apologize, Justin - we have public discussion so that folks can disagree and present opposing sides.
> I do not believe Multi-factor Authentication necessarily refers to a single user, nor even a living entity. For example, if multiple handwriting experts, and a computer with a handwriting analysis algorithm, and a tarot card reader, as well as random people on the street, all confirmed the authenticity of a signed document by Abraham Lincoln, would that not be Multiple-factor Authentication of that document?
It is entirely possible that a separation of authentication processes can be a requirement. You indicate a very good example of that below with the procedure necessary to fire nuclear missiles.
> Why do nuclear submarines require multiple people with keys and codes to press the launch button, and approval from the president? Is that not Multi-factor authentication of not even individuals (who also pass authentication checks to even get on the submarine) but a process (or even multiple processes such as chain of command as well)?
The process you are describing is an example of forced separation of authentication. The President approves, messages are approved via various authentication codes, launch codes are verified, keys are necessary, etc. These things have to happen in a particular order, by particular people, each and every time. Such rigidity and forced separation was not indicated by the original poster. I took the OP to mean that any person with access to the data centre could swipe their ID, any person could have their retina scanned and any person could enter their passcode.
> Really though, I think the answer hinges on the definition of the words themselves, which doesn't necessarily indicate a person is involved (at any point), let alone the single "same" person.
Ultimately I think it boils down to two questions: what are the requirements of the authentication scheme presented by the OP (separated authentication, individual authentication, group-based authentication) and what are the laws governing authentication and retention in the area of the hypothetical data centre.
As for what passes as multi-factor authentication - I side with the folks in the community that separate multi-factor authentication from strong authentication where strong authentication could be multiple passwords, password + PIN, things of that nature.
From what I've been able to gather via observing the community, the word factor in multi-factor would mean something a person knows (password, PIN, date of birth, etc), something the person is (retina scan, fingerprint, DNA) and something the person has (swipe card, USB stick, some type of digital signature). These things can, of course, be spread across multiple people if you need to separate authentication credentials but if you are looking for "robust" group authentication then each member of the group would need to be able to provide two (or all three) of the "factors".
kmw
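
The distinction drawn in this message (factors pooled across several people versus factors provided by each person) can be checked mechanically. The following is an added example, not part of the original post; the credential names, function names and sample events are all constructed for illustration.

```python
from collections import defaultdict

# Factor categories as listed in the message; credential names are constructed.
CATEGORY = {
    "password": "knows", "pin": "knows", "date_of_birth": "knows",
    "retina_scan": "is", "fingerprint": "is",
    "swipe_card": "has", "usb_stick": "has",
}

def categories_by_person(events):
    """Map each person to the distinct factor categories they presented.

    events: iterable of (person, credential) pairs, one per credential check.
    """
    seen = defaultdict(set)
    for person, credential in events:
        seen[person].add(CATEGORY[credential])
    return dict(seen)

def pooled_categories(events):
    """Categories seen at the door when nobody checks who supplied which one."""
    return {CATEGORY[credential] for _, credential in events}

def is_multi_factor(events, person, minimum=2):
    """True if this one person presented at least `minimum` distinct categories."""
    return len(categories_by_person(events).get(person, set())) >= minimum

def group_is_robust(events, group, minimum=2):
    """True only if every member of the group is multi-factor on their own."""
    return all(is_multi_factor(events, member, minimum) for member in group)

# Constructed sample: three people each supply one credential at the same door.
POOLED = [("alice", "swipe_card"), ("bob", "retina_scan"), ("carol", "pin")]
# Constructed sample: one person supplies two secrets from the same category.
TWO_SECRETS = [("dave", "password"), ("dave", "pin")]
# Constructed sample: each group member supplies two different categories.
PER_MEMBER = [("erin", "swipe_card"), ("erin", "pin"),
              ("frank", "fingerprint"), ("frank", "password")]

if __name__ == "__main__":
    print(sorted(pooled_categories(POOLED)),
          group_is_robust(POOLED, ["alice", "bob", "carol"]))
    print(is_multi_factor(TWO_SECRETS, "dave"))
    print(group_is_robust(PER_MEMBER, ["erin", "frank"]))
```

The pooled sample shows all three categories at the door while no individual has presented more than one, and password + PIN counts as a single category under this reading.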