Home page logo

basics logo Security Basics mailing list archives

RE: Multi-Factor Authentication Concern
From: "Tep, Tom M. (CDC/CCHP/NCCDPHP)" <tft3 () cdc gov>
Date: Fri, 17 Aug 2007 09:07:01 -0400

Totally agree!!

-----Original Message-----
From: Chad Perrin [mailto:perrin () apotheon com] 
Sent: Thursday, August 16, 2007 6:52 PM
To: Justin Ross
Cc: Tep, Tom M. (CDC/CCHP/NCCDPHP); security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

On Thu, Aug 16, 2007 at 09:36:48AM -0700, Justin Ross wrote:
I agree. Neither "Bob" nor Chris are wholly incorrect, nor wholly
correct. It's semantics, and the definition is in and of itself wholly
subjective to the requirements, the people implementing it, or it's

I also agree that generally speaking, when the INFOSEC community talks
about multi-factor authentication they are talking about a single
- I think that is a far cry from saying "it ALWAYS refers to".

The major problem with the disagreement here is that it seems a great
many people are not aware of the distinction between "authentication"
"authorization".  These are two separate, discrete elements to access
control security, and should not be conflated.

When you must use two or more distinct methods to authenticate an
identity, you are using multi-factor authentication.

When you must authenticate two people to gain access, you are using
"multi-factor authorization".

The fact that there is more than one identity being authenticated does
not translate into multi-factor authentication: each individual identity
has its own authentication.  Multiple authenticated identities can be
used to provide authorization, but each authenticated identity is not
itself an authentication factor.

CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Thomas McCauley: "The measure of a man's real character is what he would
if he knew he would never be found out."

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]