Home page logo

basics logo Security Basics mailing list archives

Re: Multi-Factor Authentication Concern
From: Chad Perrin <perrin () apotheon com>
Date: Tue, 14 Aug 2007 22:21:17 -0600

On Tue, Aug 14, 2007 at 03:11:09PM -0400, Devin Rambo wrote:

I would say that this does not fit the commonly understood definition of
multi-factor authentication, per se. There may in fact be multiple factors
used to authenticate a person with the nuclear key codes (at least, I would
hope so). I don't know if there's an actual common term for adding the
requirement of having additional people authenticate in order to gain access
to a system, but I would say that this is an example of multi-layered
multi-factor authentication. You can require that two people enter their
passwords correctly; to me that would be multi-layer, single-factor
authentication. Or you can have three people required to correctly enter
passwords AND have their retinas scanned, which would be multi-factor,

The number of people being authenticated is discrete from the number of
factors used, and in the case of the nuclear sub example, layers are being
added as a check when the judgement of a human being must be evaluated as
part of the authentication process. You wouldn't someone who's had a mental
breakdown to have sole access to the nuclear button, just to cite one

You're talking about the difference between authentication (determining
the authenticity of the identity the person is trying to use to access
the system) and authorization (the level of authority the person has
assuming he or she has been authenticated).  One might refer to a
combination of two or more authentication options from among "something
you know", "something you have", and "something you are" as multi-factor
authentication, whereas needing two or more people of a particular level
of authority or greater might be called multi-factor authorization.

These are quite distinct concepts, as you pointed out.

CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Paul Graham: "Real ugliness is not harsh-looking syntax, but having to
build programs out of the wrong concepts."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]