Security Basics mailing list archives

RE: Multi-Factor Authentication Concern


From: "Tony Reusser" <treusser () filertel com>
Date: Wed, 15 Aug 2007 15:59:58 -0600

One more point of clarification.  From one particular vendor's perspective,
which makes sense, but I don't know if this is an "industry standard."

The approach was referred to as "AAA" or "triple-a" security.  To put it
simply, these three things happen in order:

1.  Authentication (are you allowed access?)
2.  Authorization (if "yes" to #1, how much access?)
3.  Accounting (I'm logging everything you do after you pass #1 and #2)

The point here is there is a distinct difference between "authentication"
and "authorization."  A point made by another subscriber here, and a
distinction in semantics apparently lost on our friend "Bob."

You can get through life, I suppose, with an 80,000-foot view of everything.
But the Devil's always in the details.

FMT_HMFWIC

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Uber Wannabe
Sent: Wednesday, August 15, 2007 12:04 PM
To: 'Kurt Buff'; 'Jason Sewell'
Cc: security-basics () securityfocus com
Subject: RE: Multi-Factor Authentication Concern

Just to add a quick clarification for the OP, "authenticators" refers to the
authentication medium, not the person.  Thought that might come up.


-- N/A


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kurt Buff
Sent: Tuesday, August 14, 2007 7:34 PM
To: Jason Sewell
Cc: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

On 8/14/07, Jason Sewell <jsewell () mac com> wrote:
I appreciate all of these responses.

The general consensus seems to be:

1) The system that "Bob" has implemented does not reflect multi-
factor authentication as it is commonly defined, and
2) there may be some esoteric reason to require different people to
provide different authentication factors to protect a single
resource, but
3) such a convoluted access control mechanism is not appropriate for
protection of our data center, and furthermore
4) accounting and logging are complicated by such a system.

However, what I still have not found yet is an authoritative document
that I can point to and say "Bob, you're wrong". He's a hard-headed
guy and responses from security experts on a mailing list won't
convince him. I looked at all of the suggested links, including the
Wikipedia article, and I cannot find anything that explicitly states
that the factors in a multi-factor authentication system must all be
from the same person.

So, I'll show him these responses, and I'll continue to try to find an
authoritative source for my assertion (or perhaps I'll edit the
wikipedia article).

Thanks again everyone for your help!

Take a look at the wikipedia article again. At the end, it contains this:

"The U.S. Government's National Information Assurance Glossary defines
strong authentication as:

    Layered authentication approach relying on two or more
    authenticators to establish the identity of an originator or receiver
    of information."

Authentication is all about establishing identity. Unless your
interlocutor is dense, it should be easy to point out that identity
inheres in individuals, not in groups. It really couldn't be more
clear. All you have to do is parse the sentence for him.
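As an added illustration (example code, not part of any message in this thread), the following Python sketch puts Tony Reusser's three-stage "AAA" ordering and Kurt Buff's point together: authentication only succeeds when every presented factor binds to the same principal, authorization is a separate decision about that established identity, and accounting records each stage. All user names, secrets, the access control table and the toy OTP routine are constructed for this example and are not drawn from any real system.

```python
"""AAA pipeline with multi-factor authentication (constructed example).

Authentication establishes ONE identity from two or more factors that all
belong to the same principal; authorization decides what that identity may
reach; accounting records every decision. All data below is made up.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def _h(s: str) -> str:
    # Constructed credential hashing for the example; a real store would use
    # a salted, slow password hash rather than a bare SHA-256.
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed credential store: each principal has a password hash and an OTP seed.
USERS = {
    "alice": {"password_sha256": _h("alice-pw"), "otp_secret": b"alice-seed"},
    "bob":   {"password_sha256": _h("bob-pw"),   "otp_secret": b"bob-seed"},
}

# Constructed authorization table: which identities may open which resource.
ACL = {"datacenter-door": {"alice"}}


@dataclass
class AuditLog:
    """Accounting: an append-only list of (stage, subject, outcome, detail)."""
    entries: list = field(default_factory=list)

    def record(self, stage, subject, outcome, detail=""):
        self.entries.append((stage, subject, outcome, detail))


def expected_otp(secret: bytes, counter: int) -> str:
    # Toy counter-based OTP (HMAC-SHA256 truncated to 6 digits); illustrative only,
    # not a standards-compliant HOTP/TOTP implementation.
    mac = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def authenticate(factors, counter, log):
    """Step 1: establish a single identity, or none.

    factors: list of (claimed_user, kind, value). If the factors name more than
    one principal, no identity is established, which is exactly the flaw in the
    "two people, one factor each" scheme discussed in the thread.
    """
    claimed = {f[0] for f in factors}
    if len(claimed) != 1:
        log.record("authentication", ",".join(sorted(claimed)), "deny",
                   "factors name different principals")
        return None
    user = claimed.pop()
    rec = USERS.get(user)
    if rec is None:
        log.record("authentication", user, "deny", "unknown principal")
        return None
    kinds = set()
    for _, kind, value in factors:
        if kind == "password":
            ok = hmac.compare_digest(_h(value), rec["password_sha256"])
        elif kind == "otp":
            ok = hmac.compare_digest(value, expected_otp(rec["otp_secret"], counter))
        else:
            ok = False
        if not ok:
            log.record("authentication", user, "deny", f"bad {kind}")
            return None
        kinds.add(kind)
    if len(kinds) < 2:
        log.record("authentication", user, "deny", "fewer than two distinct factor types")
        return None
    log.record("authentication", user, "allow", "+".join(sorted(kinds)))
    return user


def authorize(user, resource, log):
    """Step 2: given an established identity, how much access?"""
    allowed = user in ACL.get(resource, set())
    log.record("authorization", user, "allow" if allowed else "deny", resource)
    return allowed


def access(factors, resource, counter, log):
    """Run the three stages in order; accounting happens at every stage via `log`."""
    user = authenticate(factors, counter, log)
    if user is None:
        return False
    if not authorize(user, resource, log):
        return False
    log.record("accounting", user, "access", resource)
    return True


if __name__ == "__main__":
    log = AuditLog()
    otp = expected_otp(USERS["alice"]["otp_secret"], 7)
    print(access([("alice", "password", "alice-pw"), ("alice", "otp", otp)],
                 "datacenter-door", 7, log))
    for entry in log.entries:
        print(entry)
```

The split of stages is deliberate: `authenticate` returns an identity or `None` and never consults the ACL, `authorize` never touches credentials, and the audit log shows which stage rejected a request, so an attempt that mixes one person's password with another person's token is denied at authentication with a reason recorded, rather than being silently folded into a "group" identity.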



