Home page logo

basics logo Security Basics mailing list archives

Re: Multi-Factor Authentication Concern
From: Kevin Wilcox <kevin () tux appstate edu>
Date: Tue, 14 Aug 2007 15:46:08 -0400

Hash: SHA1

Justin Ross wrote:
I'm sorry, I have to play devil's advocate and disagree.

No need to apologize, Justin - we have public discussion so that folks
can disagree and present opposing sides.

I do not believe Multi-factor Authentication necessarily refers to a
single user, nor even a living entity. For example, if multiple
handwriting experts, and a computer with handwriting analysis algorithm,
and a tarot card reader, as well random people on the street, all
confirmed the authenticity of a signed document by Abraham Lincoln,
would that not be Multiple-factor Authentication of that document? 

It is entirely possible that a separation of authentication processes
can be a requirement. You indicate a very good example of that below
with the procedure necessary to fire nuclear missiles.

Why do nuclear submarines require multiple people with keys and codes to
press the launch button, and approval from the president? Is that not
Multi-factor authentication of not even individuals (who also pass
authentication checks to even get on the submarine) but a process (or
even multiple processes such as chain of command as well)? 

The process you are describing is an example of forced separation of
authentication. The President approves, messages are approved via
various authentication codes, launch codes are verified, keys are
necessary, etc. These things have to happen in a particular order, by
particular people, each and every time. Such rigidity and forced
separation was not indicated by the original poster. I took the OP to
mean that any person with access to the data centre could swipe their
ID, any person could have their retina scanned and any person could
enter their passcode.

Really though, I think the answer hinges on the definition of the words
themselves, which doesn't necessarily indicate a person is involved (at
any point), let alone the single "same" person.

Ultimately I think it boils down to two questions: what are the
requirements of the authentication scheme presented by the OP (separated
authentication, individual authentication, group-based authentication)
and what are the laws governing authentication and retention in the area
of the hypothetical data centre.

As for what passes as multi-factor authentication - I side with the
folks in the community that separate multi-factor authentication from
strong authentication where strong authentication could be multiple
passwords, password + PIN, things of that nature.

- From what I've been able to gather via observing the community, the word
factor in multi-factor would mean something a person knows (password,
PIN, date of birth, etc), something the person is (retina scan,
fingerprint, DNA) and something the person has (swipe card, USB stick,
some type of digital signature). These things can, of course, be spread
across multiple people if you need to separate authentication
credentials but if you are looking for "robust" group authentication
then each member of the group would need to be able to provide two (or
all three) of the "factors".

Version: GnuPG v1.4.7 (GNU/Linux)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]