Home page logo

basics logo Security Basics mailing list archives

Re: Multi-Factor Authentication Concern
From: Nick Owen <nickowen () mindspring com>
Date: Fri, 10 Aug 2007 13:21:43 -0400

jsewell () jsewell com wrote:
I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.

Bob claims that in a multi-factor authentication system, the factors
don't need to identify the same person. In other words, Bob thinks
it's perfectly OK for the door to the data-center to open when Jim
badges in, Mike scans his retina, and Sally enters a her PIN.

This is obviously wrong. Bob says "prove it". So I've scoured the net
and books for something that describes multi-factor authentication as
requiring that all factors identify the same person. So far, I can't
find anything.

Is it so obvious that nobody has bothered to write it down, or am I
wrong in my thinking?


The question here is what is the definition of authentication.  I
suggest the Free online Dictionary of computing:


"<security> The verification of the identity of a person or process. In
a communication system, authentication verifies that messages really
come from their stated source, like the signature on a (paper) letter.
The most common form of authentication is typing a user name (which may
be widely known or easily guessable) and a corresponding password that
is presumed to be known only to the individual being authenticated. "

By using more than one person's factor of authentication, Jim, Mike and
Sally are defeating the authentication mechanism, not changing the


Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]