Home page logo

basics logo Security Basics mailing list archives

Re: Multi-Factor Authentication Concern
From: Yves Bourdic <yvesbourdic () wanadoo fr>
Date: Wed, 15 Aug 2007 11:26:51 -0400


May be this will help.
Access control objective is to provide:
1) Identification - How to identify an entity? (userid,...)
2) Authentication - How to make sure the entity is the proper one? (passwords,...)
3) Accounting - How to keep a trace of who access the system? (logs,..)

There are three known ways to provide an authentication based on:
1) Something you know (a password, a passphrase, a cultural secret,...)
2) Something you have (a key, a smartcard,...)
3) Something you are (any biometric system)

What we call a multi-factor authentication is a system that provides more than one way of authentication based on the list above.
A) "After being identified with a userid I provide to connect to a system, I provide a password to authenticate myself'. The password is something I know then this is a one factor authentication system. B) "After being identified with an ID card I provide to enter a room, I provide my fingerprint to authenticate myself'. The fingerprint represent something I am then this is a one factor authentication system.

If I do B) followed by A) this is considered a dual authentication system (1 & 1) because I identify myself twice and I authenticate myself each time.

C) "After being identified with a userid I provide to connect to a system, I provide a password I generate with a card and a PIN code". The PIN code is something I know, the card is something I have then this is a two factor authentication system.

The last example is a multi-factor (more than one) authentication system. I identify myself once and provide two ways to authenticate myself.

To answer to bob: In access control we separate Identification and Authentication. The access control bob describes is a mixture of multi-identification and multi-authentication.

Hope this will help.


On 10-Aug-07, at 11:21 AM, jsewell () jsewell com wrote:

I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob.

Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In other words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans his retina, and Sally enters a her PIN.

This is obviously wrong. Bob says "prove it". So I've scoured the net and books for something that describes multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything.

Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking?


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]