Security Basics mailing list archives
RE: Multi-Factor Authentication Concern
From: "Dutton, Larry" <Larry.Dutton () redstone co uk>
Date: Fri, 10 Aug 2007 18:08:20 +0100
To me it's obvious and I agree with you - multi factor authentication requires a SINGLE person to provide multiple identification, security access systems are all keyed around the user object, you assign resources (pins, badges, bio-data) to the user for THEM to access - if they only provide one credential then they won't get in unless you have multiple methods and allow any:

Jim badges in = "Hello Jim, please scan retina"
Mike scans his retina = "you're not Jim! - no entry"
Sally enters her PIN = "Hello, please scan retina"

Multi-factor authentication is an AND statement, not an OR, unless you provide three methods and accept only one.

That's my take on it!

Larry

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jsewell () jsewell com
Sent: 10 August 2007 16:22
To: security-basics () securityfocus com
Subject: Multi-Factor Authentication Concern

I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob. Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In other words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans his retina, and Sally enters her PIN. This is obviously wrong. Bob says "prove it".

So I've scoured the net and books for something that describes multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything. Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking?

Thanks!
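Added example (not part of the original post or thread): a minimal door-controller sketch contrasting the "any valid factors" policy Bob describes with the identity-bound AND policy Larry describes. The enrollment table, credential values and function names are all constructed for illustration.

```python
"""Door-controller factor binding: unbound vs identity-bound checks (constructed data)."""

# Constructed enrollment table: (factor type, credential value) -> enrolled user.
ENROLLED = {
    ("badge", "B-1001"): "jim",
    ("retina", "R-jim"): "jim",
    ("retina", "R-mike"): "mike",
    ("pin", "4821"): "sally",
}


def owner(factor, value):
    """Return the user a credential is enrolled to, or None if unknown."""
    return ENROLLED.get((factor, value))


def unbound_check(presented, required=2):
    """Bob's model: count valid factor types, ignoring who each one belongs to."""
    valid_types = {f for f, v in presented if owner(f, v) is not None}
    return len(valid_types) >= required


def bound_check(presented, required=2):
    """Larry's AND model: the first factor claims an identity and every
    later factor must verify against that same user."""
    claimed, seen = None, set()
    for factor, value in presented:
        user = owner(factor, value)
        if user is None:
            return False, f"unknown {factor}"
        if claimed is None:
            claimed = user
        elif user != claimed:
            return False, f"{factor} belongs to {user}, not {claimed}"
        seen.add(factor)  # a repeated factor type counts once
    if len(seen) < required:
        return False, "more factors required"
    return True, f"welcome {claimed}"


if __name__ == "__main__":
    # The sequence from the thread: Jim's badge, Mike's retina, Sally's PIN.
    mixed = [("badge", "B-1001"), ("retina", "R-mike"), ("pin", "4821")]
    print("unbound:", unbound_check(mixed))
    print("bound:  ", bound_check(mixed))
    print("bound:  ", bound_check([("badge", "B-1001"), ("retina", "R-jim")]))
```

The rejection message from bound_check names both the claimed user and the owner of the mismatched credential, which is the detail worth writing to the access log.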