Security Basics mailing list archives

Re: Multi-Factor Authentication Concern
From: Roch <elrocho () gmail com>
Date: Fri, 10 Aug 2007 18:31:37 +0100

Bob appears to be mixing up dual-control (or more) systems, user
segregation etc, and multi-factor authentication.

On 10/08/07, Dutton, Larry <Larry.Dutton () redstone co uk> wrote:
To me it's obvious and I agree with you - multi-factor authentication
requires a SINGLE person to provide multiple identification, security
access systems are all keyed around the user object, you assign
resources (pins, badges, bio-data) to the user for THEM to access - if
they only provide one credential then they won't get in unless you have
multiple methods and allow any:

        Jim badges in = "Hello Jim, please scan retina"
        Mike scans his retina = "you're not Jim! - no entry"
        Sally enters her PIN = "Hello, please scan retina"

Multi-factor authentication is an AND statement, not an OR, unless you
provide three methods and accept only one.
That's my take on it!

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of jsewell () jsewell com
Sent: 10 August 2007 16:22
To: security-basics () securityfocus com
Subject: Multi-Factor Authentication Concern

I'm having an argument with someone at work about multi-factor
authentication. We'll call him Bob.

Bob claims that in a multi-factor authentication system, the factors
don't need to identify the same person. In other words, Bob thinks it's
perfectly OK for the door to the data-center to open when Jim badges in,
Mike scans his retina, and Sally enters her PIN.

This is obviously wrong. Bob says "prove it". So I've scoured the net
and books for something that describes multi-factor authentication as
requiring that all factors identify the same person. So far, I can't
find anything.

Is it so obvious that nobody has bothered to write it down, or am I
wrong in my thinking?


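The point argued in this thread, as an added illustration that is not part of any message above: a door controller that keys the decision on the user object grants access only when every required factor resolves to the same subject, whereas "Bob's" reading grants as soon as each factor type has been seen by anyone. The factor names, subject names and the `FactorEvent` structure are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Factor types the door requires (assumed policy: badge AND retina AND pin).
REQUIRED_FACTORS = {"badge", "retina", "pin"}


@dataclass(frozen=True)
class FactorEvent:
    factor: str    # which factor was presented: "badge", "retina" or "pin"
    subject: str   # the identity that factor resolved to (who the badge/retina/PIN belongs to)


def grant_any_subject(events: Iterable[FactorEvent]) -> bool:
    """Bob's reading: open once every factor type has been presented, by anyone.
    This degrades three factors to three independent single-factor checks."""
    seen = {e.factor for e in events}
    return REQUIRED_FACTORS <= seen


def grant_single_subject(events: Iterable[FactorEvent], min_factors: int = 3) -> Optional[str]:
    """Factors are ANDed per subject: a subject is granted only when that same
    subject has presented at least `min_factors` distinct required factors.
    Returns the granted subject, or None. Repeated presentations of the same
    factor by the same subject count once; unknown factor types are ignored.
    min_factors=1 models the "three methods, accept any one" policy from the
    thread, which is really single-factor authentication."""
    by_subject: dict[str, set[str]] = {}
    for e in events:
        if e.factor in REQUIRED_FACTORS:
            by_subject.setdefault(e.subject, set()).add(e.factor)
    for subject, factors in by_subject.items():
        if len(factors) >= min_factors:
            return subject
    return None


# Constructed sample input: the scenario from the original question.
SPLIT_ACROSS_PEOPLE = [
    FactorEvent("badge", "Jim"),
    FactorEvent("retina", "Mike"),
    FactorEvent("pin", "Sally"),
]
# Constructed sample input: one person presents all three factors.
JIM_ALONE = [
    FactorEvent("badge", "Jim"),
    FactorEvent("retina", "Jim"),
    FactorEvent("pin", "Jim"),
]

if __name__ == "__main__":
    print("Bob's rule, split factors:", grant_any_subject(SPLIT_ACROSS_PEOPLE))   # True
    print("Per-subject rule, split factors:", grant_single_subject(SPLIT_ACROSS_PEOPLE))  # None
    print("Per-subject rule, Jim alone:", grant_single_subject(JIM_ALONE))  # Jim
```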
