Security Basics mailing list archives

RE: Multi-Factor Authentication Concern


From: "Tony Reusser" <treusser () filertel com>
Date: Wed, 15 Aug 2007 08:16:16 -0600

I for one am getting a little tired of this argument. I have been in the computer security business for many years.
In the context of secure computing in this day and age, "multifactor authentication" does indeed refer to multiple
authentication methods applied to a single user or transaction. In my experience, we use "two-factor" authentication.
That usually involves some sort of hardware token possessed by the VPN user. The token has some sort of PIN number the
user must enter to "enable" it. Then the token is used to generate a one-time password, or pass a digital certificate.
In this application the two factors are "something you have" (i.e. the token) and "something you know" (i.e. the PIN).
Neither piece will work or be functional to a potential thief without the other. This is the whole point to biometrics.

Yes, you can baffle us all with your vast knowledge and countless examples from history and submarine movies that seem 
to contradict this.  But I also have military experience with high security clearance and what you are actually 
describing is "two-person" or "multiple-person integrity."  Not the same thing as multiple-factor authentication.

Here is an "official" definition of multi-factor authentication.  Read and enjoy.  Now can we please stop this 
pointless argument?  I think we beat the proverbial dead horse, and then some!

- Multifactor authentication (MFA) is a security system in which more than one form of authentication is implemented to 
verify the legitimacy of a transaction. In contrast, single factor authentication (SFA) involves only a user ID and 
password.

In two-factor authentication, the user provides dual means of identification, one of which is typically a physical 
token, such as a card, and the other of which is typically something memorized, such as a security code.

Additional authentication methods that can be used in MFA include biometric verification such as fingerscanning, iris 
recognition, facial recognition and voice ID. In addition to these methods, smart cards and other electronic devices 
can be used along with the traditional user ID and password.

FMT_HMFWIC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Roch
Sent: Tuesday, August 14, 2007 12:58 PM
To: Justin Ross; security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I do not believe Multi-factor Authentication necessarily refers to a
single user, nor even a living entity. For example, if multiple
handwriting experts, and a computer with handwriting analysis algorithm,
and a tarot card reader, as well as random people on the street, all
confirmed the authenticity of a signed document by Abraham Lincoln,
would that not be Multiple-factor Authentication of that document?

No that's still only one factor that's been used to authenticate.

Why do nuclear submarines require multiple people with keys and codes to
press the launch button, and approval from the president?

No, that's segregation and dual/multi control. Ensuring no one person
has full control over a process or procedure chain.

On 14/08/07, Justin Ross <jross () cricketcommunications com> wrote:
I'm sorry, I have to play devil's advocate and disagree.

Initially I wanted to agree that Multi-factor authentication did indeed
refer to the same person; however, I do not believe it to be the case
after I, too, took it to the most basic level, reading the actual
definition of the words, which I included below as well as the
dictionary referred to.

I do not believe Multi-factor Authentication necessarily refers to a
single user, nor even a living entity. For example, if multiple
handwriting experts, and a computer with handwriting analysis algorithm,
and a tarot card reader, as well as random people on the street, all
confirmed the authenticity of a signed document by Abraham Lincoln,
would that not be Multiple-factor Authentication of that document?

Why do nuclear submarines require multiple people with keys and codes to
press the launch button, and approval from the president? Is that not
Multi-factor authentication of not even individuals (who also pass
authentication checks to even get on the submarine) but a process (or
even multiple processes such as chain of command as well)? When you say
"as it is commonly defined", please cite where you are getting the
definition from? Isn't the point of this thread that you cannot cite one
and need help locating such a source? If you said "culturally defined by
the INFOSEC community", I would somewhat agree.

Really though, I think the answer hinges on the definition of the words
themselves, which doesn't necessarily indicate a person is involved (at
any point), let alone the single "same" person.

Just my 0.02.

Justin.Ross
Security Engineer


American Heritage Stedman's Medical Dictionary
multi-
Many; much; multiple: multiarticular.
More than one: multiparous.
More than two: multipolar.


American Heritage Dictionary
fac*tor
One who acts for someone else; an agent.
A person or firm that accepts accounts receivable as security for
short-term loans.
Mathematics One of two or more quantities that divides a given quantity
without a remainder. For example, 2 and 3 are factors of 6; a and b are
factors of ab.
A quantity by which a stated quantity is multiplied or divided, so as to
indicate an increase or decrease in a measurement: The rate increased by
a factor of ten.


American Heritage Dictionary
au*then*ti*cate
To establish the authenticity of; prove genuine




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jason Sewell
Sent: Tuesday, August 14, 2007 7:05 AM
To: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I appreciate all of these responses.

The general consensus seems to be:

1) The system that "Bob" has implemented does not reflect multi-factor
authentication as it is commonly defined, and
2) there may be some esoteric reason to require different people to
provide different authentication factors to protect a single resource,
but
3) such a convoluted access control mechanism is not appropriate for
protection of our data center, and furthermore
4) accounting and logging are complicated by such a system.

However, what I still have not found yet is an authoritative document
that I can point to and say "Bob, you're wrong". He's a hard-headed guy
and responses from security experts on a mailing list won't convince
him. I looked at all of the suggested links, including the Wikipedia
article, and I cannot find anything that explicitly states that the
factors in a multi-factor authentication system must all be from the
same person.

So, I'll show him these responses, and I'll continue to try to find an
authoritative source for my assertion (or perhaps I'll edit the
wikipedia article).

Thanks again everyone for your help!


On Aug 14, 2007, at 8:58 AM, Kevin Wilcox wrote:

Mngadi, Simphiwe (SS) wrote:

All three are accountable; I don't see the logic in your hypothesis.
Anyway, authentication should be monitored, and your concern should
have been built into the security system.

All three *are* accountable and therein lies the problem - only *one* of
the individuals actually entered the data centre but it appears as if
all three of them entered. Authentication is not only a method for
authorization, it is a method of accounting for who accessed what
resources. Just because all three of them are authorized to be in the
data centre doesn't mean that any one of them should be able to gain
entry using the credentials of the other two. One of the things
multi-factor authentication attempts to address is the scenario where
an individual can pass themselves off as someone else - basically ID
theft.

Another scenario would be on-line banking. Suppose you and your
business partner have access to the same account. You decide to use
web-based banking. To access the account information you have to login
using a password then enter a PIN. To gain access to the account
details you would not login using your password then enter your
partner's PIN - you would use *your* password and *your* PIN. Like the
data centre scenario, just because more than one person has access to
a resource doesn't mean you allow authentication credentials from
anyone with access - it destroys the concept of accountability.
Instead you require that all of the authentication credentials come
from the same person so you know who to hold accountable if something
happens (and because it could be the law in your vicinity).

That said, there *are* times when group level access may be desired
and a "piece of the key" from each person is acceptable (or required)
- if that is the case then the original question is moot.

I hate relying on hypothetical examples but it really does come down
to "what are you trying to accomplish with your authentication methods?"
and "what are the laws in your area?". If group accountability is your
goal then you can suffice with allowing credentials from anyone at any
stage in the process (just make sure you have other accountability
measures in place). If you want granular accountability at the
individual level then all of the credentials must come from the same
individual.

I hope that helps.

kmw
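Kevin's accountability point, shown as an added example (my code, not from anyone in this thread): a two-factor check that verifies the password and the PIN against the same account, next to the pooled door scheme the thread objects to, where a factor from any authorised person is accepted and the audit record can no longer name who actually entered. The names and credentials are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low so the example runs quickly; raise in real use

def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def make_directory(people):
    """Constructed directory: each authorised person owns a password and a
    PIN, both stored only as salted PBKDF2 hashes."""
    directory = {}
    for name, password, pin in people:
        salt = os.urandom(16)
        directory[name] = {"salt": salt, "pw": _derive(password, salt),
                           "pin": _derive(pin, salt)}
    return directory

def _matches(stored: bytes, salt: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, _derive(candidate, salt))

def authenticate_bound(directory, user, password, pin):
    """Both factors must verify against the account being claimed.
    Returns the one accountable identity on success, otherwise None."""
    rec = directory.get(user)
    if rec is None:
        return None
    if _matches(rec["pw"], rec["salt"], password) and \
            _matches(rec["pin"], rec["salt"], pin):
        return user
    return None

def authenticate_pooled(directory, password, pin):
    """The pooled scheme: a factor is accepted if it belongs to *anyone*
    authorised for the room. Returns the set of people the audit log would
    have to implicate, or None if either factor type is missing."""
    pw_owners = {n for n, r in directory.items()
                 if _matches(r["pw"], r["salt"], password)}
    pin_owners = {n for n, r in directory.items()
                  if _matches(r["pin"], r["salt"], pin)}
    if not pw_owners or not pin_owners:
        return None
    return pw_owners | pin_owners

if __name__ == "__main__":
    staff = make_directory([("alice", "corr3ct-horse", "4821"),
                            ("bob", "battery-staple", "9170"),
                            ("carol", "mauve-teacup", "3356")])
    # alice presents her own password with bob's PIN
    print(authenticate_bound(staff, "alice", "corr3ct-horse", "9170"))  # None
    print(sorted(authenticate_pooled(staff, "corr3ct-horse", "9170")))  # ['alice', 'bob']
```

With the pooled check the log entry for that door opening has to list both alice and bob, which is exactly the "all three appear to have entered" problem described above.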
