Mngadi, Simphiwe (SS) wrote:
> All three are accountable; I don't see the logic in your
> anyway authentication should be monitored, and your concern should
> have been built in to the security system.
All three *are* accountable and therein lies the problem - only
the individuals actually entered the data centre but it appears as if
all three of them entered. Authentication is not only a method for
authorization, it is a method of accounting for who accessed what
resources. Just because all three of them are authorized to be in the
data centre doesn't mean that any one of them should be able to gain
entry using the credentials of the other two. One of the things
multi-factor authentication attempts to address is the scenario
individual can pass themselves off as someone else - basically ID
Another scenario would be on-line banking. Suppose you and your
partner have access to the same account. You decide to use web-based
banking. To access the account information you have to login using a
password then enter a PIN. To gain access to the account details you
would not login using your password then enter your partner's PIN -
would use *your* password and *your* PIN. Like the data centre
just because more than one person has access to a resource doesn't
you allow authentication credentials from anyone with access - it
destroys the concept of accountability. Instead you require that
the authentication credentials come from the same person so you
to hold accountable if something happens (and because it could be the
law in your vicinity).
That said, there *are* times when group level access may be desired
a "piece of the key" from each person is acceptable (or required) - if
that is the case then the original question is moot.
I hate relying on hypothetical examples but it really does come
"what are you trying to accomplish with your authentication methods?"
and "what are the laws in your area?". If group accountability is your
goal then you can suffice with allowing credentials from anyone at any
stage in the process (just make sure you have other accountability
measures in place). If you want granular accountability at the
individual level then all of the credentials must come from the same
I hope that helps.
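As an added illustration (not part of the original post or its author's code), the following toy verifier models the two accountability policies the reply contrasts. The users, passwords, PINs and the "data-centre" resource are constructed for the example. `lax_two_factor` is the flawed design the reply warns about: the PIN is accepted if it matches any authorized person, so Alice's password plus Bob's PIN is logged as Alice. `strict_two_factor` binds every factor to the identity established by the first one, and `group_entry` models the "piece of the key from each person" case, where the audit record names every contributor.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def derive(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored factors are never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 20_000)


@dataclass(frozen=True)
class Principal:
    name: str
    salt: bytes
    password_hash: bytes
    pin_hash: bytes


def enrol(name: str, password: str, pin: str) -> Principal:
    """Constructed enrolment helper (hypothetical, for this example only)."""
    salt = secrets.token_bytes(16)
    return Principal(name, salt, derive(password, salt), derive(pin, salt))


def factor_ok(p: Principal, stored: bytes, presented: str) -> bool:
    return hmac.compare_digest(stored, derive(presented, p.salt))


@dataclass
class Resource:
    name: str
    authorized: dict                      # name -> Principal
    audit: list = field(default_factory=list)


def lax_two_factor(res: Resource, claimed: str, password: str, pin: str) -> bool:
    """Flawed verifier: the password is checked against the claimed identity,
    but the PIN is accepted if it belongs to *any* authorized person.
    The audit trail then attributes the entry to the wrong individual."""
    p = res.authorized.get(claimed)
    if p is None or not factor_ok(p, p.password_hash, password):
        return False
    if any(factor_ok(q, q.pin_hash, pin) for q in res.authorized.values()):
        res.audit.append(("entry", claimed))
        return True
    return False


def strict_two_factor(res: Resource, claimed: str, password: str, pin: str) -> bool:
    """Individual accountability: every factor must verify against the same
    principal, so a partner's PIN is rejected even though they are authorized."""
    p = res.authorized.get(claimed)
    if p is None:
        return False
    if factor_ok(p, p.password_hash, password) and factor_ok(p, p.pin_hash, pin):
        res.audit.append(("entry", claimed))
        return True
    return False


def group_entry(res: Resource, contributions: list, required: int) -> bool:
    """Group accountability: `required` distinct authorized members each
    present their own credentials, and the log records all of them."""
    verified = []
    for name, password, pin in contributions:
        p = res.authorized.get(name)
        if (p is not None and name not in verified
                and factor_ok(p, p.password_hash, password)
                and factor_ok(p, p.pin_hash, pin)):
            verified.append(name)
    if len(verified) >= required:
        res.audit.append(("group-entry", tuple(sorted(verified))))
        return True
    return False


def demo():
    """Constructed scenario: Alice presents her own password and Bob's PIN."""
    res = Resource("data-centre", {u.name: u for u in (
        enrol("alice", "a-pass", "1111"),
        enrol("bob", "b-pass", "2222"),
        enrol("carol", "c-pass", "3333"))})
    lax = lax_two_factor(res, "alice", "a-pass", "2222")      # accepted, mis-attributed
    strict = strict_two_factor(res, "alice", "a-pass", "2222")  # rejected
    own = strict_two_factor(res, "alice", "a-pass", "1111")     # accepted
    grp = group_entry(res, [("alice", "a-pass", "1111"),
                            ("bob", "b-pass", "2222")], required=2)
    return lax, strict, own, grp, list(res.audit)


if __name__ == "__main__":
    print(demo())
```

The point to take from the audit list is that the lax verifier and the strict verifier both record `("entry", "alice")`, but only the strict one guarantees that the person named is the person who presented both factors; the group variant makes the shared responsibility explicit in the record instead of hiding it behind one name.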