mailing list archives
Re: Multi-Factor Authentication Concern
From: Nick Owen <nickowen () mindspring com>
Date: Fri, 10 Aug 2007 13:21:43 -0400
jsewell () jsewell com wrote:
I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.
Bob claims that in a multi-factor authentication system, the factors
don't need to identify the same person. In other words, Bob thinks
it's perfectly OK for the door to the data-center to open when Jim
badges in, Mike scans his retina, and Sally enters a her PIN.
This is obviously wrong. Bob says "prove it". So I've scoured the net
and books for something that describes multi-factor authentication as
requiring that all factors identify the same person. So far, I can't
Is it so obvious that nobody has bothered to write it down, or am I
wrong in my thinking?
The question here is what is the definition of authentication. I
suggest the Free online Dictionary of computing:
"<security> The verification of the identity of a person or process. In
a communication system, authentication verifies that messages really
come from their stated source, like the signature on a (paper) letter.
The most common form of authentication is typing a user name (which may
be widely known or easily guessable) and a corresponding password that
is presumed to be known only to the individual being authenticated. "
By using more than one person's factor of authentication, Jim, Mike and
Sally are defeating the authentication mechanism, not changing the
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication