RE: Multi-Factor Authentication Concern

["Mngadi, Simphiwe (SS)" <Simphiwe.Mngadi () sasol com>]

Password is "something you know", factor-1
Key/token is "something you have", factor-2;

THEREFORE password and key/token are two separate factors; a password
can never be classified as DYNAMIC (contextually speaking)

Semantically speaking:
        More than one factor, can be two        = two-factor
        More than 2 factor                      = multi-factor

But I don't see what the argument is because we are not disagreeing
about the facts, but about semantics.

PS: you had to brag about your iPhone, envious on my part.

-----Original Message-----
From: Cristina & Fernando [mailto:frobayo () mac com] 
Sent: 16 August 2007 15:11 PM
To: Mngadi, Simphiwe (SS)
Cc: Tep, Tom M. (CDC/CCHP/NCCDPHP); security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I have extremely tough skin and love debates.

Instead of focusing on a word, pay attention to the context.

It was a simple example of using a combination of factor (1) a static  
password with another factor (2)DYNAMIC password/key/token or whatever  
you fancy.

More than one factor = multi


Sent from my iPhone

On Aug 16, 2007, at 6:02 AM, "Mngadi, Simphiwe (SS)"
<Simphiwe.Mngadi () sasol com 
> wrote:

> this issue has been dealt with in great detail, I can write a book
> already.
>
> I won't say anything about your password issue, but password is a  
> single
> factor, putting multi- does not make it a multi-factor. but I was not
> creating a debate.
>
> please don't skin him alive, it was only semantics.
>
> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com 
> ]
> On Behalf Of Cristina & Fernando
> Sent: 15 August 2007 22:05 PM
> To: Tep, Tom M. (CDC/CCHP/NCCDPHP)
> Cc: security-basics () securityfocus com
> Subject: Re: Multi-Factor Authentication Concern
>
> Multi-factor authentication simply means a static password along with
> a dynamic password (i.e.: tokens) tied to a username/id.
>
> The multi passwords combined must match the username/id.
>
>
> On Aug 15, 2007, at 9:23 AM, "Tep, Tom M. (CDC/CCHP/NCCDPHP)"
> <tft3 () cdc gov
> > wrote:
>
> > Based from everyone responses, neither Bob nor Chris are incorrect in
> > their understanding.  It depends on the company security policy.  I
> > believe what Bob is referring to is the Limited Access Privilege in
> > Physical Security Policy. It requires multiple parties' involvement  
> > in
> > order to grant a person access to a secure room.  On the other hand,
> > Chris is talking about the multi-factor authentication in system  
> > login
> > which implemented a little differently and require three important
> > things in Authentication:
> >
> > 1.  Something you know (i.e Password)
> > 2.  Something you have (id badge or cryptographic key)
> > 3.  Something you are (a voice print or other biometric)
> >
> > It DEPENDS!!!!
> >
> > Hope I haven't confused anyone.
> >
> > `tom
> >
> >
> > -----Original Message-----
> > From: Mike Lococo [mailto:mike.lococo () nyu edu]
> > Sent: Tuesday, August 14, 2007 2:59 PM
> > To: security-basics () securityfocus com
> > Subject: Re: Multi-Factor Authentication Concern
> >
> > > I looked at all of the suggested links, including the Wikipedia
> > > article, and I cannot find anything that explicitly states that the
> > > factors in a multi-factor authentication system must all be from the
> > > same person.
> >
> > Because authentication is, by definition, the process of verifying an
> > asserted identity (that statement is easy to find references for,
> > including the wikipedia article on authentication).  An access  
> > control
> > system must authenticate _each_ identity separately, even when  
> > several
> > identities are involved in a single transaction and even if the
> > process
> > is streamlined to 'feel' as though it's a single action.  As you're
> > thinking and speaking about this, remember the difference between
> > identification, authentication, and authorization.
> >
> > 1) Identification:  Your identity is your username in the system.   
> > You
> > may have to say it, or type it, or it may be inferred from a retinal
> > scan or whatever.  As a basic access control principle, every
> > individual
> > must have an identity.  Anytime you're accepting credentials from  
> > more
> > than one individual, you are _by_definition_ performing more than one
> > authentication.
> >
> > 2) Authentication:  An identity is authenticated via password, or
> > voiceprint, or token, or whatever.  If only one type is required,  
> > it's
> > single factor.  If more than one type is required, it's multi-factor.
> > If more than one type is available (you have a token and a password),
> > but either is sufficient (you can log in with your password even if
> > you
> > lost the token), it's still single factor... you just have options.
> >
> > 3) Authorization:  Once you are authenticated, you may or may not be
> > _authorized_ to access the resource you're interested in.  If a  
> > system
> > requires more than one user to authenticate in order authorize an
> > action, it implements split-authentication or split-authorization
> > (often
> > referred to in the context of passwords/pins as split-knowledge).
> > Each
> > identity is still authenticated individually, but more than one is
> > required before any are authorized.
> >
> > You're talking about multi-factor authentication.  Your friend is
> > talking about split-knowledge/authentication/authorization.  No
> > authoritative source on IDM or access-control is going to talk about
> > whether multi-factor authentication involves multiple identities
> > because
> > it's well-established that all authentication schemes have as their
> > basic goal the verification of a single asserted identity.
> > Authorization schemes exist that require multiple identities to be
> > involved in a single transaction (nukes and expensive safe-deposit
> > boxes
> > work this way), but each is always authenticated individually.
> >
> > Thanks,
> > Mike Lococo
>
>
> --- 
> --- 
> ----------------------------------------------------------------------
> NOTICE: Please note that this eMail, and the contents thereof,
> is subject to the standard Sasol eMail legal notice which may be  
> found at:
> http://www.sasol.com/legalnotices
>
> If you cannot access the legal notice through the URL attached and  
> you wish
> to receive a copy thereof please send an eMail to
> legalnotice () sasol com
> --- 
> --- 
> ----------------------------------------------------------------------


----------------------------------------------------------------------------
NOTICE: Please note that this eMail, and the contents thereof, 
is subject to the standard Sasol eMail legal notice which may be found at: 
http://www.sasol.com/legalnotices                                                                                       
                   

If you cannot access the legal notice through the URL attached and you wish 
to receive a copy thereof please send an eMail to 
legalnotice () sasol com
----------------------------------------------------------------------------