Security Basics mailing list archives

Re: Multi-Factor Authentication Concern


From: Nick Owen <nickowen () mindspring com>
Date: Fri, 10 Aug 2007 13:21:43 -0400

jsewell () jsewell com wrote:
I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.

Bob claims that in a multi-factor authentication system, the factors
don't need to identify the same person. In other words, Bob thinks
it's perfectly OK for the door to the data-center to open when Jim
badges in, Mike scans his retina, and Sally enters her PIN.

This is obviously wrong. Bob says "prove it". So I've scoured the net
and books for something that describes multi-factor authentication as
requiring that all factors identify the same person. So far, I can't
find anything.

Is it so obvious that nobody has bothered to write it down, or am I
wrong in my thinking?

Thanks!

The question here is what is the definition of authentication. I
suggest the Free On-line Dictionary of Computing:

http://foldoc.org/index.cgi?query=authentication&action=Search

"<security> The verification of the identity of a person or process. In
a communication system, authentication verifies that messages really
come from their stated source, like the signature on a (paper) letter.
The most common form of authentication is typing a user name (which may
be widely known or easily guessable) and a corresponding password that
is presumed to be known only to the individual being authenticated."

By using more than one person's factor of authentication, Jim, Mike and
Sally are defeating the authentication mechanism, not changing the
definition.

HTH,

Nick
-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
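
The scenario from this thread as an added example, not part of the original message: a door check that accepts any valid badge, retina and PIN, beside one that requires all three to identify the same person. The enrollment values and function names are constructed for illustration.

```python
import hmac

# Constructed enrollment data: plain stand-ins for real factor verifiers
# (a real system stores salted PIN hashes and biometric templates).
ENROLLED = {
    "jim":   {"badge": "badge-1001", "retina": "retina-jim",   "pin": "4821"},
    "mike":  {"badge": "badge-1002", "retina": "retina-mike",  "pin": "7730"},
    "sally": {"badge": "badge-1003", "retina": "retina-sally", "pin": "1596"},
}
FACTORS = ("badge", "retina", "pin")


def owners(factor, presented):
    """Every enrolled subject whose stored value for this factor matches."""
    return {who for who, rec in ENROLLED.items()
            if hmac.compare_digest(rec[factor], presented)}


def door_opens_unbound(presented):
    """Bob's door: each factor only has to be valid for *someone*."""
    return all(owners(f, presented.get(f, "")) for f in FACTORS)


def authenticate(presented):
    """Identity-bound check: the single subject all factors identify, else None.

    Intersecting the owner sets also copes with values that are not unique
    across subjects, such as two people who happen to choose the same PIN.
    """
    common = set(ENROLLED)
    for f in FACTORS:
        common &= owners(f, presented.get(f, ""))
    return next(iter(common)) if len(common) == 1 else None


def factor_owners(presented):
    """For the audit log: which subject(s) each presented factor belongs to."""
    return {f: sorted(owners(f, presented.get(f, ""))) for f in FACTORS}


# Jim badges in, Mike scans his retina, Sally enters her PIN.
MIXED = {"badge": "badge-1001", "retina": "retina-mike", "pin": "1596"}
# Sally presents all three of her own factors.
SALLY = {"badge": "badge-1003", "retina": "retina-sally", "pin": "1596"}

if __name__ == "__main__":
    print("unbound door opens for mixed factors:", door_opens_unbound(MIXED))
    print("identity-bound result for mixed factors:", authenticate(MIXED))
    print("identity-bound result for Sally:", authenticate(SALLY))
    print("audit view of mixed attempt:", factor_owners(MIXED))
```

The unbound check verifies three credentials but no identity, so the mixed attempt leaves nobody to attribute the entry to; the bound check either names one subject or rejects.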

