Re: Multi-Factor Authentication Concern
From: Yves Bourdic <yvesbourdic () wanadoo fr>
Date: Wed, 15 Aug 2007 11:26:51 -0400
Maybe this will help.
Access control objective is to provide:
1) Identification - How to identify an entity? (userid,...)
2) Authentication - How to make sure the entity is the proper one?
3) Accounting - How to keep a trace of who accesses the system? (logs,..)
There are three known ways to provide an authentication based on:
1) Something you know (a password, a passphrase, a cultural secret,...)
2) Something you have (a key, a smartcard,...)
3) Something you are (any biometric system)
What we call a multi-factor authentication is a system that provides
more than one way of authentication based on the list above.
A) "After being identified with a userid I provide to connect to a
system, I provide a password to authenticate myself". The password is
something I know then this is a one factor authentication system.
B) "After being identified with an ID card I provide to enter a room, I
provide my fingerprint to authenticate myself". The fingerprint
represents something I am then this is a one factor authentication
If I do B) followed by A) this is considered a dual authentication
system (1 & 1) because I identify myself twice and I authenticate
myself each time.
C) "After being identified with a userid I provide to connect to a
system, I provide a password I generate with a card and a PIN code".
The PIN code is something I know, the card is something I have then
this is a two factor authentication system.
The last example is a multi-factor (more than one) authentication
system. I identify myself once and provide two ways to authenticate
To answer Bob: In access control we separate Identification and
Authentication. The access control Bob describes is a mixture of
multi-identification and multi-authentication.
Hope this will help.
On 10-Aug-07, at 11:21 AM, jsewell () jsewell com wrote:
I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.
Bob claims that in a multi-factor authentication system, the factors
don't need to identify the same person. In other words, Bob thinks
it's perfectly OK for the door to the data-center to open when Jim
badges in, Mike scans his retina, and Sally enters her PIN.
This is obviously wrong. Bob says "prove it". So I've scoured the net
and books for something that describes multi-factor authentication as
requiring that all factors identify the same person. So far, I can't
Is it so obvious that nobody has bothered to write it down, or am I
wrong in my thinking?
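
Added example, not part of the original thread or written by either poster: a minimal Python check that keeps identification separate from authentication and counts only factor categories enrolled to the one identified entity. The `Evidence` type, the `evaluate` function and all sample names and methods are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

KNOW, HAVE, ARE = "know", "have", "are"   # the three factor categories


@dataclass(frozen=True)
class Evidence:
    subject: str    # identity this verified credential is enrolled to
    category: str   # KNOW, HAVE or ARE
    method: str     # constructed labels such as "pin", "token", "retina"


def evaluate(claimed_id, evidence, required=2):
    """Authenticate ONE identified entity and return an accounting record."""
    counted, ignored = set(), []
    for ev in evidence:
        if ev.subject == claimed_id:
            counted.add(ev.category)      # two secrets are still one factor
        else:
            # This credential authenticates someone else, so it adds nothing
            # to the claimed identity; keep it for the access log.
            ignored.append((ev.subject, ev.method))
    return {
        "claimed_id": claimed_id,
        "factors": sorted(counted),
        "ignored": ignored,
        "granted": len(counted) >= required,
    }


# Constructed sample attempts (assumed names, not real systems).
# Example C: one userid, a card (have) plus a PIN (know).
CASE_C = evaluate("alice", [Evidence("alice", HAVE, "token"),
                            Evidence("alice", KNOW, "pin")])
# The data-center door: Jim's badge identifies, other people authenticate.
BOB_DOOR = evaluate("jim", [Evidence("mike", ARE, "retina"),
                            Evidence("sally", KNOW, "pin")])
# Two things the same person knows: same category, still one factor.
TWO_SECRETS = evaluate("alice", [Evidence("alice", KNOW, "password"),
                                 Evidence("alice", KNOW, "passphrase")])

if __name__ == "__main__":
    for record in (CASE_C, BOB_DOOR, TWO_SECRETS):
        print(record)
```
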