RE: Multi-Factor Authentication Concern

["Mngadi, Simphiwe (SS)" <Simphiwe.Mngadi () sasol com>]

try:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/
com.ibm.itame2.doc_5.1/am51_webservers_guide167.htm


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jason Sewell
Sent: 14 August 2007 16:05 PM
To: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I appreciate all of these responses.

The general consensus seems to be:

1) The system that "Bob" has implemented does not reflect multi- 
factor authentication as it is commonly defined, and
2) there may be some esoteric reason to require different people to  
provide different authentication factors to protect a single  
resource, but
3) such a convoluted access control mechanism is not appropriate for  
protection of our data center, and furthermore
4) accounting and logging are complicated by such a system.

However, what I still have not found yet is an authoritative document  
that I can point to and say "Bob, you're wrong". He's a hard-headed  
guy and responses from security experts on a mailing list won't  
convince him. I looked at all of the suggested links, including the  
Wikipedia article, and I cannot find anything that explicitly states  
that the factors in a multi-factor authentication system must all be  
from the same person.

So, I'll show him these response, and I'll continue to try to find an  
authoritative source for my assertion (or perhaps I'll edit the  
wikipedia article).

Thanks again everyone for you help!


On Aug 14, 2007, at 8:58 AM, Kevin Wilcox wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mngadi, Simphiwe (SS) wrote:
>
> > All three are accountable; I don't see the logic in your  
> > hypothesis. in
> > anyway authentication should be monitored, and your concern should  
> > have
> > been build-in into the security system.
>
> All three *are* accountable and therein lies the problem - only  
> *one* of
> the individuals actually entered the data centre but it appears as if
> all three of them entered. Authentication is not only a method for
> authorization, it is a method of accounting for who accessed what
> resources. Just because all three of them are authorized to be in the
> data centre doesn't mean that any one of them should be able to gain
> entry using the credentials of the other two. One of the things
> multi-factor authentication attempts to address is the scenario  
> where an
> individual can pass themselves off as someone else - basically ID  
> theft.
>
> Another scenario would be on-line banking. Suppose you and your  
> business
> partner have access to the same account. You decide to use web-based
> banking. To access the account information you have to login using a
> password then enter a PIN. To gain access to the account details you
> would not login using your password then enter your partner's PIN -  
> you
> would use *your* password and *your* PIN. Like the data centre  
> scenario,
> just because more than one person has access to a resource doesn't  
> mean
> you allow authentication credentials from anyone with access - it
> destroys the concept of accountability. Instead you require that  
> all of
> the authentication credentials come from the same person so you  
> know who
> to hold accountable if something happens (and because it could be the
> law in your vicinity).
>
> That said, there *are* times when group level access may be desired  
> and
> a "piece of the key" from each person is acceptable (or required) - if
> that is the case then the original question is moot.
>
> I hate relying on hypothetical examples but it really does come  
> down to
> "what are you trying to accomplish with your authentication methods?"
> and "what are the laws in your area?". If group accountability is your
> goal then you can suffice with allowing credentials from anyone at any
> stage in the process (just make sure you have other accountability
> measures in place). If you want granular accountability at the
> individual level then all of the credentials must come from the same
> individual.
>
> I hope that helps.
>
> kmw
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFGwab6sKMTOtQ3fKERAsTQAJ4p3VaL48KmMNpOx2T6ZmwdoWfqfACfTltF
> 5yojC7HzWEujHd5x1OT56xk=
> =lXuR
> -----END PGP SIGNATURE-----



----------------------------------------------------------------------------
NOTICE: Please note that this eMail, and the contents thereof, 
is subject to the standard Sasol eMail legal notice which may be found at: 
http://www.sasol.com/legalnotices                                                                                       
                   

If you cannot access the legal notice through the URL attached and you wish 
to receive a copy thereof please send an eMail to 
legalnotice () sasol com
----------------------------------------------------------------------------