mailing list archives
RE: Multi-Factor Authentication Concern
From: "Dan Denton" <ddenton () remitpro com>
Date: Fri, 10 Aug 2007 12:00:57 -0500
Whether that's ok or not I believe is a policy issue. It might be useful if
access by more than one person at a time were used as some kind of check
against wrongdoing by one of the parties. As far as whether it's possible,
sure, the security officer who creates the badge, takes the retinal scan,
and creates the PIN could conceivably use 3 separate people as the source
for the information. The computer authorizing access would never know the
difference, since it relies on the security officer entering the info to
tell if it's legit.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of jsewell () jsewell com
Sent: Friday, August 10, 2007 10:22 AM
To: security-basics () securityfocus com
Subject: Multi-Factor Authentication Concern
I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.
Bob claims that in a multi-factor authentication system, the factors don't
need to identify the same person. In other words, Bob thinks it's perfectly
OK for the door to the data-center to open when Jim badges in, Mike scans
his retina, and Sally enters a her PIN.
This is obviously wrong. Bob says "prove it". So I've scoured the net and
books for something that describes multi-factor authentication as requiring
that all factors identify the same person. So far, I can't find anything.
Is it so obvious that nobody has bothered to write it down, or am I wrong in