Re: Multi-Factor Authentication Concern
From: "Chris Barber" <cmbarber () gmail com>
Date: Mon, 13 Aug 2007 09:59:11 -0700
OK, let's take this down to the very basics. Single-factor authentication.....
If Bob were to think about it just a bit harder it would be obvious to
him as well.
If Sally knew Mike's Username and used her password she would not get
in, even though both were values in the authentication database.
Now we expand the Database to hold more fields (Identity, Password,
Retina Print, Badge number, etc.). All fields must match one record
in the database or no access is allowed.
Secure Programming 101...
My thoughts, simple as they are.
On 10 Aug 2007 15:21:32 -0000, jsewell () jsewell com <jsewell () jsewell com> wrote:
I'm having an argument with someone at work about multi-factor authentication. We'll call him Bob.
Bob claims that in a multi-factor authentication system, the factors don't need to identify the same person. In other
words, Bob thinks it's perfectly OK for the door to the data-center to open when Jim badges in, Mike scans his
retina, and Sally enters her PIN.
This is obviously wrong. Bob says "prove it". So I've scoured the net and books for something that describes
multi-factor authentication as requiring that all factors identify the same person. So far, I can't find anything.
Is it so obvious that nobody has bothered to write it down, or am I wrong in my thinking?
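
The difference between the two positions in this thread, as an added example that is not part of either message: `unbound_check` accepts any factor that exists somewhere in the table, while `bound_check` requires every factor to match one record. The table layout, function names and sample values are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample records: the names come from the thread, the values are
# made up. A real system would store a salted hash of the PIN and a biometric
# template, not plaintext strings.
RECORDS = [
    ("jim", "badge-1001", "retina-jim", "1111"),
    ("mike", "badge-1002", "retina-mike", "2222"),
    ("sally", "badge-1003", "retina-sally", "3333"),
]


def make_db():
    """Build an in-memory authentication table with one row per person."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        "identity TEXT PRIMARY KEY, badge TEXT, retina TEXT, pin TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", RECORDS)
    return db


def unbound_check(db, badge, retina, pin):
    """Flawed model: each factor only has to exist somewhere in the table."""
    queries = (
        ("SELECT 1 FROM users WHERE badge = ?", badge),
        ("SELECT 1 FROM users WHERE retina = ?", retina),
        ("SELECT 1 FROM users WHERE pin = ?", pin),
    )
    return all(db.execute(sql, (value,)).fetchone() for sql, value in queries)


def bound_check(db, badge, retina, pin):
    """All factors must match the same record; returns that identity or None."""
    row = db.execute(
        "SELECT identity FROM users WHERE badge = ? AND retina = ? AND pin = ?",
        (badge, retina, pin),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    mixed = ("badge-1001", "retina-mike", "3333")  # Jim, Mike and Sally
    print("unbound:", unbound_check(db, *mixed))
    print("bound:  ", bound_check(db, *mixed))
```
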