Home page logo
/

basics logo Security Basics mailing list archives

RE: Multi-Factor Authentication Concern
From: "Mngadi, Simphiwe (SS)" <Simphiwe.Mngadi () sasol com>
Date: Thu, 16 Aug 2007 15:31:17 +0200

Password is "something you know", factor-1
Key/token is "something you have", factor-2;

THEREFORE password and key/token are two separate factors; a password
can never be classified as DYNAMIC (contextually speaking)

Semantically speaking:
        More than one factor, can be two        = two-factor
        More than 2 factor                      = multi-factor

But I don't see what the argument is because we are not disagreeing
about the facts, but about semantics.

PS: you had to brag about your iPhone, envious on my part.

-----Original Message-----
From: Cristina & Fernando [mailto:frobayo () mac com] 
Sent: 16 August 2007 15:11 PM
To: Mngadi, Simphiwe (SS)
Cc: Tep, Tom M. (CDC/CCHP/NCCDPHP); security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I have extremely tough skin and love debates.

Instead of focusing on a word, pay attention to the context.

It was a simple example of using a combination of factor (1) a static  
password with another factor (2)DYNAMIC password/key/token or whatever  
you fancy.

More than one factor = multi


Sent from my iPhone

On Aug 16, 2007, at 6:02 AM, "Mngadi, Simphiwe (SS)"
<Simphiwe.Mngadi () sasol com 
wrote:

this issue has been dealt with in great detail, I can write a book
already.

I won't say anything about your password issue, but password is a  
single
factor, putting multi- does not make it a multi-factor. but I was not
creating a debate.

please don't skin him alive, it was only semantics.

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com 
]
On Behalf Of Cristina & Fernando
Sent: 15 August 2007 22:05 PM
To: Tep, Tom M. (CDC/CCHP/NCCDPHP)
Cc: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

Multi-factor authentication simply means a static password along with
a dynamic password (i.e.: tokens) tied to a username/id.

The multi passwords combined must match the username/id.


On Aug 15, 2007, at 9:23 AM, "Tep, Tom M. (CDC/CCHP/NCCDPHP)"
<tft3 () cdc gov
wrote:


Based from everyone responses, neither Bob nor Chris are incorrect in
their understanding.  It depends on the company security policy.  I
believe what Bob is referring to is the Limited Access Privilege in
Physical Security Policy. It requires multiple parties' involvement  
in
order to grant a person access to a secure room.  On the other hand,
Chris is talking about the multi-factor authentication in system  
login
which implemented a little differently and require three important
things in Authentication:

1.  Something you know (i.e Password)
2.  Something you have (id badge or cryptographic key)
3.  Something you are (a voice print or other biometric)

It DEPENDS!!!!

Hope I haven't confused anyone.

`tom


-----Original Message-----
From: Mike Lococo [mailto:mike.lococo () nyu edu]
Sent: Tuesday, August 14, 2007 2:59 PM
To: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I looked at all of the suggested links, including the Wikipedia
article, and I cannot find anything that explicitly states that the
factors in a multi-factor authentication system must all be from the
same person.

Because authentication is, by definition, the process of verifying an
asserted identity (that statement is easy to find references for,
including the wikipedia article on authentication).  An access  
control
system must authenticate _each_ identity separately, even when  
several
identities are involved in a single transaction and even if the
process
is streamlined to 'feel' as though it's a single action.  As you're
thinking and speaking about this, remember the difference between
identification, authentication, and authorization.

1) Identification:  Your identity is your username in the system.   
You
may have to say it, or type it, or it may be inferred from a retinal
scan or whatever.  As a basic access control principle, every
individual
must have an identity.  Anytime you're accepting credentials from  
more
than one individual, you are _by_definition_ performing more than one
authentication.

2) Authentication:  An identity is authenticated via password, or
voiceprint, or token, or whatever.  If only one type is required,  
it's
single factor.  If more than one type is required, it's multi-factor.
If more than one type is available (you have a token and a password),
but either is sufficient (you can log in with your password even if
you
lost the token), it's still single factor... you just have options.

3) Authorization:  Once you are authenticated, you may or may not be
_authorized_ to access the resource you're interested in.  If a  
system
requires more than one user to authenticate in order authorize an
action, it implements split-authentication or split-authorization
(often
referred to in the context of passwords/pins as split-knowledge).
Each
identity is still authenticated individually, but more than one is
required before any are authorized.

You're talking about multi-factor authentication.  Your friend is
talking about split-knowledge/authentication/authorization.  No
authoritative source on IDM or access-control is going to talk about
whether multi-factor authentication involves multiple identities
because
it's well-established that all authentication schemes have as their
basic goal the verification of a single asserted identity.
Authorization schemes exist that require multiple identities to be
involved in a single transaction (nukes and expensive safe-deposit
boxes
work this way), but each is always authenticated individually.

Thanks,
Mike Lococo




--- 
--- 
----------------------------------------------------------------------
NOTICE: Please note that this eMail, and the contents thereof,
is subject to the standard Sasol eMail legal notice which may be  
found at:
http://www.sasol.com/legalnotices

If you cannot access the legal notice through the URL attached and  
you wish
to receive a copy thereof please send an eMail to
legalnotice () sasol com
--- 
--- 
----------------------------------------------------------------------


----------------------------------------------------------------------------
NOTICE: Please note that this eMail, and the contents thereof, 
is subject to the standard Sasol eMail legal notice which may be found at: 
http://www.sasol.com/legalnotices                                                                                       
                   

If you cannot access the legal notice through the URL attached and you wish 
to receive a copy thereof please send an eMail to 
legalnotice () sasol com
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault