mailing list archives
Re: Multi-Factor Authentication Concern
From: Chad Perrin <perrin () apotheon com>
Date: Thu, 16 Aug 2007 16:52:17 -0600
On Thu, Aug 16, 2007 at 09:36:48AM -0700, Justin Ross wrote:
I agree. Neither "Bob" nor Chris are wholly incorrect, nor wholly
correct. It's semantics, and the definition is in and of itself wholly
subjective to the requirements, the people implementing it, or it's use.
I also agree that generally speaking, when the INFOSEC community talks
about multi-factor authentication they are talking about a single person
- I think that is a far cry from saying "it ALWAYS refers to".
The major problem with the disagreement here is that it seems a great
many people are not aware of the distinction between "authentication" and
"authorization". These are two separate, discrete elements to access
control security, and should not be conflated.
When you must use two or more distinct methods to authenticate an
identity, you are using multi-factor authentication.
When you must authenticate two people to gain access, you are using
The fact that there is more than one identity being authenticated does
not translate into multi-factor authentication: each individual identity
has its own authentication. Multiple authenticated identities can be
used to provide authorization, but each authenticated identity is not
itself an authentication factor.
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Thomas McCauley: "The measure of a man's real character is what he would do
if he knew he would never be found out."
RE: Multi-Factor Authentication Concern Kandala, Nham (Aug 10)
Re: Multi-Factor Authentication Concern Chris Barber (Aug 13)