mailing list archives
Re: Multi-Factor Authentication Concern
From: "Kurt Buff" <kurt.buff () gmail com>
Date: Tue, 14 Aug 2007 17:34:02 -0700
On 8/14/07, Jason Sewell <jsewell () mac com> wrote:
I appreciate all of these responses.
The general consensus seems to be:
1) The system that "Bob" has implemented does not reflect multi-
factor authentication as it is commonly defined, and
2) there may be some esoteric reason to require different people to
provide different authentication factors to protect a single
3) such a convoluted access control mechanism is not appropriate for
protection of our data center, and furthermore
4) accounting and logging are complicated by such a system.
However, what I still have not found yet is an authoritative document
that I can point to and say "Bob, you're wrong". He's a hard-headed
guy and responses from security experts on a mailing list won't
convince him. I looked at all of the suggested links, including the
Wikipedia article, and I cannot find anything that explicitly states
that the factors in a multi-factor authentication system must all be
from the same person.
So, I'll show him these response, and I'll continue to try to find an
authoritative source for my assertion (or perhaps I'll edit the
Thanks again everyone for you help!
Take a look at the wikipedia article again. At the end, it contains this:
"The U.S. Government's National Information Assurance Glossary defines
strong authentication as:
Layered authentication approach relying on two or more
authenticators to establish the identity of an originator or receiver
of information. "
Authentication is all about establishing identity. Unless your
interlocutor is dense, it should be easy to point out that identity
inheres in individuals, not in groups. It really couldn't be more
clear. All you have to do is parse the sentence for him.
RE: Multi-Factor Authentication Concern Kandala, Nham (Aug 10)
Re: Multi-Factor Authentication Concern Chris Barber (Aug 13)