Security Basics mailing list archives
RE: Multi-Factor Authentication Concern
From: "Devin Rambo" <drambo () vediorps com>
Date: Tue, 14 Aug 2007 15:11:09 -0400
In this case, I don't think that clarifying the definition of the term being discussed is attainable by breaking it down into its constituent parts, especially since your dictionary doesn't even really have a definition of factor that covers the term as we use it here. Dictionary.com is at least in the ballpark: "one of the elements contributing to a particular result or situation."

I do not believe Multi-factor Authentication necessarily refers to a single user, nor even a living entity. For example, if multiple handwriting experts, and a computer with a handwriting analysis algorithm, and a tarot card reader, as well as random people on the street, all confirmed the authenticity of a signed document by Abraham Lincoln, would that not be Multiple-factor Authentication of that document?<<<

That isn't multi-factor authentication. That's provenance. Proving that the signature on a document is indeed written in Abraham Lincoln's own hand depends as much on historical records, chain of ownership, etc. as it does on the expert opinion of handwriting analysts. And often, there are varying degrees of provenance, expressed in degrees of likelihood that such an object is what it is purported to be. Just as often, definitive proof is elusive; the Shroud of Turin is one enduring example of this. If you had to prove the authenticity of the Shroud of Turin one way or another in order to gain access to a locked file share, you'd be waiting a rather long time, no?

In multi-factor authentication used to prove the identity of a user or process for the purpose of granting permissions to secured resources, it's pretty black and white. The factor either matches the retina scan, PIN code, fingerprint, password, etc. or it doesn't, and if it doesn't then access is not granted. Adding multiple factors is a way to increase the depth of security by raising the obstacles put in the path of someone who is trying to defeat the authentication procedures in place.

Why do nuclear submarines require multiple people with keys and codes to press the launch button, and approval from the president? Is that not Multi-factor authentication of not even individuals (who also pass authentication checks to even get on the submarine) but a process (or even multiple processes such as chain of command as well)?<<<

I would say that this does not fit the commonly understood definition of multi-factor authentication, per se. There may in fact be multiple factors used to authenticate a person with the nuclear key codes (at least, I would hope so). I don't know if there's an actual common term for adding the requirement of having additional people authenticate in order to gain access to a system, but I would say that this is an example of multi-layered multi-factor authentication. You can require that two people enter their passwords correctly; to me that would be multi-layer, single-factor authentication. Or you can have three people required to correctly enter passwords AND have their retinas scanned, which would be multi-factor, multi-layer. The number of people being authenticated is discrete from the number of factors used, and in the case of the nuclear sub example, layers are being added as a check when the judgement of a human being must be evaluated as part of the authentication process. You wouldn't want someone who's had a mental breakdown to have sole access to the nuclear button, just to cite one example.

Devin
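Added illustration, not part of the original message: a small policy check that keeps the two counts in the reply separate, distinct factor categories per person and the number of people who must pass. The user names, secrets, category table and the exact-match digest comparison (a simplification, especially for biometrics) are all constructed for this example.

```python
import hashlib
import hmac

# Factor categories: something you know / have / are (assumed mapping).
CATEGORY = {"password": "know", "pin": "know", "token": "have", "retina": "are"}
USERS = ("officer_a", "officer_b", "officer_c")  # hypothetical principals


def _digest(secret: str) -> bytes:
    # Illustration only: real systems use salted slow hashes and
    # fuzzy biometric template matching, not a bare SHA-256.
    return hashlib.sha256(secret.encode()).digest()


# Constructed enrollment data: each secret is "<user>-<kind>".
ENROLLED = {
    u: {k: _digest(f"{u}-{k}") for k in ("password", "pin", "retina")}
    for u in USERS
}


def factors_verified(user: str, presented: dict) -> set:
    """Return the distinct factor categories the user proved.

    Any single mismatch yields an empty set: each factor either
    matches or it doesn't, and a failure is never partial credit.
    """
    enrolled = ENROLLED.get(user, {})
    categories = set()
    for kind, value in presented.items():
        expected = enrolled.get(kind)
        if expected is None or not hmac.compare_digest(expected, _digest(value)):
            return set()
        categories.add(CATEGORY[kind])
    return categories


def authorize(submissions: dict, min_factors: int, min_people: int) -> bool:
    """submissions maps user -> {credential kind: presented value}.

    min_factors counts distinct categories per person (password + PIN
    is still one factor); min_people is the separate "layer" count.
    """
    passed = [
        user for user, presented in submissions.items()
        if len(factors_verified(user, presented)) >= min_factors
    ]
    return len(passed) >= min_people
```

Two people with passwords satisfy `authorize(..., min_factors=1, min_people=2)` but not `min_factors=2`, which is the "multi-layer, single-factor" case from the message.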