Home page logo

basics logo Security Basics mailing list archives

RE: Multi-Factor Authentication Concern
From: "Uber Wannabe" <nucleargeekdown () gmail com>
Date: Wed, 15 Aug 2007 07:51:35 -0500

Really?  Because if the system doesn't care what data is used or how it is
used, then why does it even bother to authenticate anyone?

Seems like this argument is grasping for straws now... while I'm sure it
would be gratifying to be on the opposing side of logic and justify an
argument, the point still remains (as mentioned before) that authentication
is geared towards a single individual.  If multiple individuals
authenticate, then authentication occurs multiple times, not as multi-factor

And, if multiple people "authenticate" partially with different
authentication mediums, then none of them are fully authenticated.

This discussion should be pretty well covered.  Refer to Mike Lococo's
previous post if you have any further doubt, as his post said it as best as
anyone could've.

-- N/A

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Webster, William P CTR FNMOC, N661
Sent: Tuesday, August 14, 2007 6:59 PM
To: security-basics () securityfocus com
Cc: jsewell () jsewell com; Francois Yang; Chris Barber
Subject: RE: Multi-Factor Authentication Concern

 Good Morning,

        Looking at this from a different perspective, and I hate to say
it but Bob is correct, It is a matter of semantics, the authentication
is just a data set, and however that data is entered and stored is
anyone's guess. Why one would want to set multiple people objects into
an authentication model is beyond me, but, the theory is correct. And of
course, as someone earlier pointed out, it kinda leaves the field open
to abuse.

        Therefore, it is "OK" as far as the system is concerned, it does
not care what data is used or how it is used, or where it comes from, we
are the ones that make up the rational part of the equation.

My 2 Centz


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Francois Yang
Sent: Monday, August 13, 2007 11:45
To: Chris Barber
Cc: jsewell () jsewell com; security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

I think there's a confusion in the way the term is used.
Multi-factor meaning multiple factors to authenticate ONE person.
Not multiple ways to authenticate multiple people.

A factor could be regarded as password, id card, retina scan,
fingerprint, etc....
So a multi-factor authentication system would require one person to use
two or more factors to authenticate.

So bob would have to use a password and finger print to authenticate.

Also most of those systems are set to what it can do.
So you can't have all the options and pick and choose which one you want
to do.
Like, you won't see a system with password, retina scan, finger print,
id card, etc..and say I want to only use these two authentication out of
the 10 to authenticate the users. Unless I'm wrong.

Hope that makes sense.

On 8/13/07, Chris Barber <cmbarber () gmail com> wrote:
OK, lets take this down to the very basics.  single factor
If Bob were to think about it just a bit harder it would be obvious to

him as well.
If Sally new Mike's Username and used her password she would not get 
in, even though both were values in the authentication database.

Now we expand the Database to hold more fields (Identity, Password, 
Retina Print, Badge number, etc.).  All feilds must match one record 
in the database or no access is allowed.

                             Secure Programming 101...

My thoughts, simple as they are.

On 10 Aug 2007 15:21:32 -0000, jsewell () jsewell com
<jsewell () jsewell com> wrote:
I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.

Bob claims that in a multi-factor authentication system, the factors
don't need to identify the same person. In other words, Bob thinks it's
perfectly OK for the door to the data-center to open when Jim badges in,
Mike scans his retina, and Sally enters a her PIN.

This is obviously wrong. Bob says "prove it". So I've scoured the
net and books for something that describes multi-factor authentication
as requiring that all factors identify the same person. So far, I can't
find anything.

Is it so obvious that nobody has bothered to write it down, or am I
wrong in my thinking?


If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. - White House Cybersecurity
Advisor, Richard Clarke

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]