Home page logo

basics logo Security Basics mailing list archives

RE: Multi-Factor Authentication Concern
From: "Devin Rambo" <drambo () vediorps com>
Date: Tue, 14 Aug 2007 15:11:09 -0400

In this case, I don't think that clarifying the definition of the term being
discussed is attainable by breaking it down into its constituent parts,
especially since your dictionary doesn't even really have a definition of
factor that covers the term as we use it here. Dictionary.com is at least in
the ballpark: "one of the elements contributing to a particular result or

I do not believe Multi-factor Authentication necessarily refers to a
single user, nor even a living entity. For example, if multiple handwriting
experts, and a computer with handwriting analysis algorithm, and a tarot
card reader, as well random people on the street, all confirmed the
authenticity of a signed document by Abraham Lincoln, would that not be
Multiple-factor Authentication of that document?<<<

That isn't multi-factor authentication. That's provenance. Proving that the
signature on a document is indeed written in Abraham Lincoln's own hand
depends as much on historical records, chain of ownership, etc. as it does
on the expert opinion of handwriting analysts. And often, there are varying
degrees of provenance, expressed in degrees of likelihood that such an
object is what it is purported to be. Just as often, definitive proof is
elusive; the Shroud of Turin is one enduring example of this. If you had to
prove the authenticity of the Shroud of Turin one way or another in order to
gain access to a locked file share, you'd be waiting a rather long time, no?

In multi-factor authentication used to prove the identity of a user or
process for the purpose of granting permissions to secured resources, it's
pretty black and white. The factor either matches the retina scan, pin code,
fingerprint, password, etc. or it doesn't, and if it doesn't then access is
not granted. Adding multiple factors is a way to increase the depth of
security by raising the obstacles put in the path of someone who is trying
to defeat the authentication procedures in place.

Why do nuclear submarines require multiple people with keys and codes to
press the launch button, and approval from the president? Is that not
Multi-factor authentication of not even individuals (who also pass
authentication checks to even get on the submarine) but a process (or even
multiple processes such as chain of command as well)?<<<

I would say that this does not fit the commonly understood definition of
multi-factor authentication, per se. There may in fact be multiple factors
used to authenticate a person with the nuclear key codes (at least, I would
hope so). I don't know if there's an actual common term for adding the
requirement of having additional people authenticate in order to gain access
to a system, but I would say that this is an example of multi-layered
multi-factor authentication. You can require that two people enter their
passwords correctly; to me that would be multi-layer, single-factor
authentication. Or you can have three people required to correctly enter
passwords AND have their retinas scanned, which would be multi-factor,

The number of people being authenticated is discrete from the number of
factors used, and in the case of the nuclear sub example, layers are being
added as a check when the judgement of a human being must be evaluated as
part of the authentication process. You wouldn't someone who's had a mental
breakdown to have sole access to the nuclear button, just to cite one


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]