May 1, 2010

One-, Two-, And Three-Factor Authentication

I have run into it again.  Another organization that thinks two user identifiers and passwords constitutes two-factor authentication and meets PCI DSS requirement 8.3.  With all of the documentation available on the Internet, you would think this topic would be covered cold.  However, there seems to still be confusion regarding what constitutes one-, two- and three-factor authentication, so I thought I would take this time to explain these concepts.

Let us talk about the definitions of the three factors of authentication.

  • One-factor authentication – this is “something a user knows.”  The most recognized type of one-factor authentication method is the password.
  • Two-factor authentication – in addition to the first factor, the second factor is “something a user has.”  Examples of something a user has are a fob that generates a pre-determined code, a signed digital certificate or even a biometric such as a fingerprint.  The most recognized form of two-factor authentication is the ubiquitous RSA SecurID fob.
  • Three-factor authentication – in addition to the previous two factors, the third factor is “something a user is.”  Examples of a third factor are all biometrics, such as the user’s voice, hand configuration, a fingerprint, a retina scan or similar.  The most recognized form of three-factor authentication is usually the retina scan.

The important thing to notice about the aforementioned definitions is that nowhere do they mention using two passwords or passphrases, two fingerprints or two retina scans.  Such use of two of the same factor is considered multi-factor authentication and is not related to any of the aforementioned definitions.  So those of you who are using two different user identifiers and passwords are not using two-factor authentication; you are using multi-factor authentication.  The PCI DSS is very specific in requirement 8.3 and requires two-factor authentication or better.  So multi-factor is not acceptable.

Another thing to mention is that security purists will argue that using a biometric for the second factor violates the rules of the third factor.  However, other security practitioners say that something a user has or something a user is can be either a token or a biometric.  Their logic is that a user has a fingerprint or a retina, so it qualifies as either factor.  The key is to use a particular biometric only once.  So if you use a fingerprint for your second factor, you cannot use a fingerprint for the third factor.

One point is obvious, yet a lot of people miss it.  One-factor authentication is less secure than two-factor, which is less secure than three-factor authentication.  However, if users properly construct their passwords or passphrases and other logon restrictions are in place, one-factor authentication can be fairly effective against security breaches, possibly in the 90% range.  Two-factor authentication typically raises the effectiveness to probably around 97 or 98%.  And three-factor authentication likely takes things to a six sigma level of effectiveness.  Note that even with three-factor authentication you only get to 99.9999% effectiveness.  As I have repeatedly pointed out, security is not perfect.

A lot of people do not realize that they use two-factor authentication regularly.  In order to use an ATM you need a card (something you have) and a four-digit personal identification number or PIN (something you know).  Another example that is common these days is that to enter a secure facility, an authorized user is required to use their HID access card and enter a PIN into a keypad before a door will open.  Something to note is that the order in which the factors are used does not matter.  In the case of the ATM and facility entry examples, you swipe your card (something you have) first and then enter your PIN (something you know).

Just because the second factor is something a user has does not mean that the user must know they have it.  A prime example is the digital certificate.  A lot of organizations issue a digital certificate with their VPN software to provide two-factor authentication.  Most users are unaware that they need a digital certificate to make the VPN work.  The digital certificate is usually tied to the user or the computer and is installed as part of the installation of the VPN software.  The only way a user ever becomes aware of the digital certificate is if it becomes corrupted or outdated, resulting in an error when they try to connect to the VPN.

Another important point is that in instances where all you use is your HID access card, you are using one-factor authentication.  The definitions for the factors were established for ease of learning and memory.  However, using any of the factors alone is one-factor authentication.  Using each type of factor in conjunction with another results in two- and three-factor authentication.  As such, you can use different combinations of all of the factors to decrease the likelihood of a compromise.  For example, in a lot of spy movies there is an ultra-secure room where, to gain entry, you need an ID card, a PIN, a retina scan and you need to say your passphrase.  This is not an example of four-factor authentication; this is three-factor authentication with the use of two biometric factors (i.e., multi-factor).
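To make the counting rule concrete (two passwords are still one factor; a card plus a PIN, or a password plus a fob, is two), here is a small Python policy evaluator.  It is an added example written for this post, not code from the original or from any PCI DSS guidance.  It verifies each presented credential, then counts how many distinct factor categories were satisfied and reports any category that was presented more than once.  The credential names (`password`, `pin`, `fob`), the enrolled values, the salt and the fob seed are all constructed; the fob is simulated with RFC 4226 HOTP / RFC 6238 TOTP, and passwords are checked against PBKDF2 hashes, both from the standard library.

```python
"""Counting authentication factors by category (added example, constructed data)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three factor categories as defined in the post."""
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


@dataclass(frozen=True)
class Credential:
    """An enrolled credential and the factor category it belongs to."""
    name: str
    factor: Factor


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time slice containing `at`."""
    return hotp(secret, at // step)


# Constructed enrolment data for one hypothetical user (not real values).
_SALT = b"constructed-salt"
_ITER = 100_000


def _pbkdf2(value: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), _SALT, _ITER)


_PASSWORD_HASH = _pbkdf2("correct horse")
_PIN_HASH = _pbkdf2("1234")
_TOKEN_SECRET = b"12345678901234567890"  # the RFC 4226 test-vector seed

# Each verifier takes (presented value, current unix time) and returns True on a match.
VERIFIERS = {
    Credential("password", Factor.KNOWS):
        lambda v, now: hmac.compare_digest(_pbkdf2(v), _PASSWORD_HASH),
    Credential("pin", Factor.KNOWS):
        lambda v, now: hmac.compare_digest(_pbkdf2(v), _PIN_HASH),
    Credential("fob", Factor.HAS):
        lambda v, now: hmac.compare_digest(v, totp(_TOKEN_SECRET, now)),
}
BY_NAME = {c.name: c for c in VERIFIERS}


@dataclass
class Outcome:
    verified: list   # names of credentials that checked out
    failed: list     # names that were unknown or did not verify
    factors: set     # distinct Factor categories among the verified ones
    repeated: set    # categories that were satisfied more than once

    @property
    def factor_count(self) -> int:
        return len(self.factors)

    @property
    def accepted(self) -> bool:
        """Two-factor or better, and nothing presented may have failed."""
        return not self.failed and self.factor_count >= 2


def authenticate(presented: dict, now: int) -> Outcome:
    """Verify every presented credential, then count distinct factor categories."""
    verified, failed = [], []
    for name, value in presented.items():
        cred = BY_NAME.get(name)
        if cred is not None and VERIFIERS[cred](value, now):
            verified.append(name)
        else:
            failed.append(name)
    cats = [BY_NAME[n].factor for n in verified]
    factors = set(cats)
    repeated = {f for f in factors if cats.count(f) > 1}
    return Outcome(verified, failed, factors, repeated)


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(_TOKEN_SECRET, now)
    print(authenticate({"password": "correct horse", "pin": "1234"}, now))  # 1 factor, KNOWS repeated
    print(authenticate({"password": "correct horse", "fob": code}, now))    # 2 factors, accepted
```

Note that the password-plus-PIN attempt verifies both credentials yet still yields a factor count of one, which is exactly the situation the post describes failing requirement 8.3; swapping the PIN for the fob code raises the count to two.  The order in which the credentials appear in the dictionary makes no difference to the result.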

Finally, there is a risk in using biometric factors that most people do not like to talk about but is important to consider.  People suffer accidents all of the time.  Fingers get cut or even removed.  Hands get broken or maimed.  Eyes become damaged.  People lose their voices.  As a result, if you are looking to use biometrics for authentication, make sure you plan for such incidents.

Hopefully you now understand the various factors of authentication and understand how they are used.


10 Responses to “One-, Two-, And Three-Factor Authentication”


  1. May 18, 2012 at 7:39 PM

    Can digital signature be accepted as “something you have” in PA-DSS compliance?

    • May 19, 2012 at 4:47 AM

      I do not see why not. A digital signature resolves into a certificate which is like any other certificate. We accept certificates as “something you have.”

  2. February 24, 2012 at 9:45 AM

    When having multiple instances of factoring, it can be broken down simply like the author states. But I do not see the mistake the others have identified in their comments. He reasonably communicated the idea of one-factor, two-factor and three-factor forms of security.

  3. zorg, October 24, 2011 at 12:57 PM

    You seem to be confused about multi-factor authentication. You state that:

    “Such use of two of the same factors is considered multi-factor authentication and is not related to any of the aforementioned definitions.”

    I can not find a single source to agree with you. Two items from the same category is still single-factor and does not change the definition from single-factor to two-factor. Every other source I have seen refers to “multi-factor” as item(s) from two or more categories. So you could be required to enter a password and a pin and insert a card and a token and you would have two-factor authentication.

    I don’t want to say that you are an overbearing idiot or anything like that, but I would suggest that, if you express exasperation at the knowledge limits of others, you should not add to that yourself.

    • October 24, 2011 at 1:47 PM

      Welcome to part of the problem with security. It is the “you say ‘poe – tay – toe’ and I say ‘pa – ta – toe’” problem in security. When I started implementing SecurID an eternity ago, the guy from SecurID referred to two-factor authentication as two-factor and anything using the same factors as multi-factor authentication, and that stuck with me. Over the years, most of the security people I have run across have referred to it similarly. However, over the last 8 to 10 years, I have seen that change, with multi-factor coming to mean that multiple factors are being used. However, I still think the bulk of security professionals would say my definitions still work.

      • Chris S, December 6, 2011 at 11:51 AM

        I completely disagree with your defense and agree with Zorg; you are confused and ostensibly part of the problem. Multi-factor auth is an auth requiring multiple factors. It’s simple English. If I live in a multi-cat house, there is more than one cat, not multiple instances of the same cat.

        Additionally, you’ve got “one-factor”, “three-factor”, and “three-factor” mixed up with the factors. There are currently three widely accepted factors of authentication: something you know, something you have, and something you are. You correctly identify the most recognized instances of these factors as passwords, security tokens, and fingerprints. But using only a fingerprint would be “one-factor”, as you are actually using only one factor.

        It’s really scary that you claim to be an expert but don’t know even this basic terminology. Something that you started the article by admitting has been expounded on the Internet in detail for years. You really need to read up on the subject (may I suggest Wikipedia given the elementary nature of the mistakes) or do some proof-reading before publishing an article you claim to be authoritative. It’s embarrassing to you and the security community as a whole.

      • December 6, 2011 at 2:17 PM

        I went back and re-read my post and I am confused as to where I even implied that using only a fingerprint is something other than one-factor authentication.

        Security professionals I know do NOT recognize multi-factor authentication (for example, two user identifiers with two passwords, different or otherwise, on different but interconnected systems; using a thumb and index finger at different authentication points; using the right iris and then the left iris at different authentication points) as meeting the concept of two-factor authentication.

        And since you brought up the point of proofing your work. ‘Additionally you’ve got “one-factor”, “three-factor”, and “three-factor”’. I know you meant “two-factor” for the first instance of “three-factor” but it points to your rush to condemn those of us trying to make the world a more secure place.

  4. March 2, 2011 at 11:38 PM

    Not quite as far as the definitions. If there are three factors a user can be identified by:

    1. Something the user knows.
    2. Something the user has.
    3. Something the user is.

    Then dual or two factor authentication is a combination of any two of these factors (as opposed to two factor authentication being the same as the second factor listed). For example, a biometric scan and a password is two factor authentication. You sort of say the same in the third paragraph.

    Fingerprint scanners and voice recognition are likely the most commonly deployed type of biometric authentication methods.

    Multi-factor authentication is a synonym, it only means two or more factors of authentication (not multiple uses of the same factor).

    I’ve never before seen the metrics (percentages) you reference in paragraph 4.

  5. rpa, July 29, 2010 at 6:24 PM

    For a small company that purchased and hosts in their own network a vendor PA-DSS certified software, what types of two-factor authentication solutions do you recommend to allow customer reps from the vendor to remote assist the company when issues arise? Thanks.

    rpa

