Home page logo

basics logo Security Basics mailing list archives

RE: Multi-Factor Authentication Concern
From: "Tony Reusser" <treusser () filertel com>
Date: Wed, 15 Aug 2007 15:59:58 -0600

One more point of clarification.  From one particular vendor's perspective,
which makes sense, but I don't know if this is an "industry standard."

The approach was referred to as "AAA" or "triple-a" security.  To put it
simply, these three things happen in order:

1.  Authentication (are you allowed access?)
2.  Authorization (if "yes" to #1, how much access?)
3.  Accounting (I'm logging everything you do after you pass #1 and #2)

The point here is there is a distinct difference between "authentication"
and "authorization."  A point made by another subscriber here, and a
distinction in semantics apparently lost on our friend "Bob."

You can get through life, I suppose, with a 80,000-foot view of everything.
But the Devil's always in the details.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Uber Wannabe
Sent: Wednesday, August 15, 2007 12:04 PM
To: 'Kurt Buff'; 'Jason Sewell'
Cc: security-basics () securityfocus com
Subject: RE: Multi-Factor Authentication Concern

Just to add a quick clarification for the OP, "authenticators" refers to the
authentication medium, not the person.  Thought that might come up.

-- N/A

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kurt Buff
Sent: Tuesday, August 14, 2007 7:34 PM
To: Jason Sewell
Cc: security-basics () securityfocus com
Subject: Re: Multi-Factor Authentication Concern

On 8/14/07, Jason Sewell <jsewell () mac com> wrote:
I appreciate all of these responses.

The general consensus seems to be:

1) The system that "Bob" has implemented does not reflect multi-
factor authentication as it is commonly defined, and
2) there may be some esoteric reason to require different people to
provide different authentication factors to protect a single
resource, but
3) such a convoluted access control mechanism is not appropriate for
protection of our data center, and furthermore
4) accounting and logging are complicated by such a system.

However, what I still have not found yet is an authoritative document
that I can point to and say "Bob, you're wrong". He's a hard-headed
guy and responses from security experts on a mailing list won't
convince him. I looked at all of the suggested links, including the
Wikipedia article, and I cannot find anything that explicitly states
that the factors in a multi-factor authentication system must all be
from the same person.

So, I'll show him these response, and I'll continue to try to find an
authoritative source for my assertion (or perhaps I'll edit the
wikipedia article).

Thanks again everyone for you help!

Take a look at the wikipedia article again. At the end, it contains this:

"The U.S. Government's National Information Assurance Glossary defines
strong authentication as:

    Layered authentication approach relying on two or more
authenticators to establish the identity of an originator or receiver
of information. "

Authentication is all about establishing identity. Unless your
interlocutor is dense, it should be easy to point out that identity
inheres in individuals, not in groups. It really couldn't be more
clear. All you have to do is parse the sentence for him.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]