Security Basics mailing list archives

RE: Multi-Factor Authentication Concern


From: "Tep, Tom M. (CDC/CCHP/NCCDPHP)" <tft3 () cdc gov>
Date: Fri, 17 Aug 2007 09:07:01 -0400

Totally agree!!

-----Original Message-----
From: Chad Perrin [mailto:perrin () apotheon com] 
Sent: Thursday, August 16, 2007 6:52 PM
To: Justin Ross
Cc: Tep, Tom M. (CDC/CCHP/NCCDPHP); security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

On Thu, Aug 16, 2007 at 09:36:48AM -0700, Justin Ross wrote:
> I agree. Neither "Bob" nor Chris are wholly incorrect, nor wholly
> correct. It's semantics, and the definition is in and of itself wholly
> subjective to the requirements, the people implementing it, or its
> use.
>
> I also agree that generally speaking, when the INFOSEC community talks
> about multi-factor authentication they are talking about a single
> person - I think that is a far cry from saying "it ALWAYS refers to".

The major problem with the disagreement here is that it seems a great
many people are not aware of the distinction between "authentication"
and "authorization".  These are two separate, discrete elements to access
control security, and should not be conflated.

When you must use two or more distinct methods to authenticate an
identity, you are using multi-factor authentication.

When you must authenticate two people to gain access, you are using
"multi-factor authorization".

The fact that there is more than one identity being authenticated does
not translate into multi-factor authentication: each individual identity
has its own authentication.  Multiple authenticated identities can be
used to provide authorization, but each authenticated identity is not
itself an authentication factor.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Thomas McCauley: "The measure of a man's real character is what he would
do if he knew he would never be found out."
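
The distinction drawn in the message above, as an added example that is not part of the original thread: factors are counted per identity at authentication time, while a multi-person rule is a separate authorization check over identities that have already been authenticated. The identities, enrolled secrets and the static "token code" are constructed assumptions.

```python
import hashlib
import hmac
import os

def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 10_000)

def _enroll(factors: dict) -> dict:
    """Store each factor as (random salt, PBKDF2 hash), keyed by factor kind."""
    enrolled = {}
    for kind, secret in factors.items():
        salt = os.urandom(16)
        enrolled[kind] = (salt, _digest(secret, salt))
    return enrolled

# Constructed enrollment data. The static "token code" stands in for a real
# possession factor (e.g. a one-time code); that simplification is an assumption.
ENROLLED = {
    "alice": _enroll({"knowledge": "alice-passphrase", "possession": "alice-token-code"}),
    "bob": _enroll({"knowledge": "bob-passphrase", "possession": "bob-token-code"}),
}

def verified_factors(identity: str, presented: list) -> set:
    """Return the distinct factor kinds that verified for ONE identity."""
    enrolled = ENROLLED.get(identity, {})
    kinds = set()
    for kind, secret in presented:
        if kind in enrolled:
            salt, expected = enrolled[kind]
            if hmac.compare_digest(_digest(secret, salt), expected):
                kinds.add(kind)
    return kinds

def authenticate(identity: str, presented: list, min_factors: int = 2) -> bool:
    """Authentication: is this one identity proven by enough distinct factors?"""
    return len(verified_factors(identity, presented)) >= min_factors

def authorize(submissions: dict, quorum: int = 2, min_factors: int = 2) -> bool:
    """Authorization: do enough separately authenticated identities approve?"""
    approvers = {who for who, presented in submissions.items()
                 if authenticate(who, presented, min_factors)}
    return len(approvers) >= quorum
```

Two people who each present only a passphrase pass `authorize(..., min_factors=1)` yet each fails `authenticate` at the default `min_factors=2`: the quorum counts identities, not factors.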

