I have run into it again. Another organization that thinks two user identifiers and passwords constitutes two-factor authentication and meets PCI DSS requirement 8.3. With all of the documentation available on the Internet, you would think this topic would be covered cold. However, there seems to still be confusion regarding what constitutes one-, two- and three-factor authentication, so I thought I would take this time to explain these concepts.
Let us talk about the definitions of the three factors of authentication.
- One-factor authentication – this is “something a user knows.” The most recognized type of one-factor authentication method is the password.
- Two-factor authentication – in addition to the first factor, the second factor is “something a user has.” Examples of something a user has are a fob that generates a pre-determined code, a signed digital certificate or even a biometric such as a fingerprint. The most recognized form of two-factor authentication is the ubiquitous RSA SecurID fob.
- Three-factor authentication – in addition to the previous two factors, the third factor is “something a user is.” Examples of a third factor are all biometric such as the user’s voice, hand configuration, a fingerprint, a retina scan or similar. The most recognized form of three-factor authentication is usually the retina scan.
The important thing to notice about the aforementioned definitions is that no where do they mention using two passwords or passphrases, two fingerprints or two retina scans. Such use of two of the same factors is considered multi-factor authentication and is not related to any of the aforementioned definitions. So those of you that are using two different user identifiers and passwords are not using two-factor authentication, you are using multi-factor authentication. The PCI DSS is very specific in requirement 8.3 and requires two-factor authentication or better. So multi-factor is not acceptable.
Another thing to mention is that security purists will argue that using a biometric for a second factor violates the rules of the third factor. However, other security practitioners say that something a user has or they are can be either something like a token or a biometric. Their logic is that a user has a fingerprint or a retina, so it qualifies as either factor. The key is to only use a particular biometric once. So if you use a fingerprint for your second factor, you cannot use a fingerprint for the third factor.
Finally, while obvious, a lot of people miss this point. One-factor is less secure than two-factor which is less secure than three-factor authentication. However, if users properly construct their passwords or passphrases and other logon restrictions are in place, one-factor authentication can be fairly effective against security breaches, possibly in the 90% range. Two factor authentication typically raises the effectiveness to probably around 97 or 98%. And three-factor authentication likely takes things to a six sigma level of effectiveness. Note that even with three-factor authentication you only get to 99.9999% effectiveness. As I have repeatedly pointed out, security is not perfect.
A lot of people do not realize the fact that they use two-factor authentication regularly. In order to use an ATM you need a card (something you have) and a four digit personal identification number or PIN (something you know). Another example that is common these days is in order to enter secure facilities, an authorized user is required to use their HID access card and enter a PIN into a keypad before a door will open. Something to note is that it does not matter the order in which the factors are used. In the case of the ATM and entry examples, you swipe your card (something you have) first and then enter your PIN (something you know).
Just because the second factor is something a user has, does not mean that the user must know they have it. A prime example is in the case of a digital certificate. A lot of organizations issue a digital certificate with their VPN software to provide two-factor authentication. Most users are unaware that they need a digital certificate to make the VPN work. The digital certificate is usually tied to the user or the computer and is installed as part of the installation of the VPN software. The only way a user ever becomes aware of the digital certificate is if it is ever corrupted or becomes out dated resulting in an error when they try to connect to the VPN. (NOTE: In the Council’s Multi-Factor Authentication Information Supplement from 2017, the use of digital certificates as discussed here was disallowed for meeting PCI compliant two-factor authentication.)
Another important point is that in instances where all you use is your HID access card, you are using one-factor authentication. The definitions for the factors were established for ease of learning and memory. However, using any of the factors alone is one-factor authentication. Using each type of factor in conjunction with another, results in two- and three-factor authentication. As such, you can use different combinations of all of the factors to decrease the likelihood of a compromise. For example, in a lot of spy movies, there is an ultra-secure room where to gain entry, you need for example an ID card, a PIN, a retina scan and you need to say your passphrase. This is not an example of four-factor authentication; this is three-factor authentication with the use of two biometric factors (i.e., multi-factor).
Finally, there is a risk in using biometric factors that most people do not like to talk about but is important to consider. People suffer accidents all of the time. Fingers get cut or even removed. Hands get broken or maimed. Eyes become damaged. People lose their voices. As a result, if you are looking to use biometrics for authentication, make sure you plan for such incidents.
Hopefully you now understand the various factors of authentication and understand how they are used.
PCI Guru 
Business need
Identifying proper business instance and need for MFA. Not all authentication instances would need MFA
Identifying appropriate factor (tokens, cards, bio-metrics), one size does not fit all.
Is the additional cost incurred adding value to the business? Important question to answer while planning for MFA
Agreed. But where MFA can become problematic is when an organization does not have a defined CDE and is doing MFA on a device by device basis. It is those situations that lead to MFA being missed (and non-compliance determinations) because people are not sure if it’s needed.
Here is a personal comment and I am a QSA… PCI can be a real joke. Consider the payment services of this world, Moneris in Canada, etc. They typically offer a nice web portal to their merchants for them to be able to initiate payments but also to extract reports, sometimes with the credit card info in the clear. Those systems are accessed remotely over the internet. So PCI Req 8.3 does apply. But guess what, those systems do not have 2 FA in place. Still, those providers are PCI compliant. To me, they shouldn’t be. Instead, they should have 2 FA implemented. Solutions exist. In Europe, 2 FA is used to access your personal PC banking application.
Ah, to be a financial institution. 😉
Should the digital certificate be per user or can a single digital certificate be used for many users and still count as a valid part of 2FA?
It needs to be per user.
Question: If you have a certificate bound to a user account then logging in to the account using the U/N & P/W would potentially give you access to that certificate (Private Key) which means it is no more secure than just using the username and password?
I think implementing an independent password on the private key would better satisfy PCI for 2 factor?
Additionally, I can see the basis for some of the comments about use of factors, they read the first part and don’t get to the clarification elements later on, so if you read the first bit then you could be misled into thinking that you have to use factors in that order 1 = You Know 2 = You Know + You Have, and 3 = You Know + You Have + You Are.
A minor edit to remove the factoring numbers away from the definitions so they are just the definitions and then underneath a general note that 2 is any 2 of them and 3 is all of them may keep them happy as an idea 🙂
All in all another great post
If an e-commerce portal pass through credit card and not stored, is it correct to say that two factor authentication is not required for customers just use the portal for purchases as per 8.3?
There are administrators who access the portal from internet using URL for portal administration only. I noticed a statement that if the user “cannot access or impact the cardholder data environment” two-factor authentication is not required. Can i use this to exclude the administrator from having two-factor authentication?
Requirement 8.3 does NOT apply to customers only to users that have access to bulk cardholder data (CHD). Customers typically only have access to their own CHD, not everyone that uses your Web site (at least I would hope that is the case).
Administrators would have potential access to bulk CHD in the form of the transmissions that pass through the server either through buffers or memory.
Is it browser access from internet to the e-commerce portal by administrator can be considered as application level access and not network level access(referred in below requirement)?
8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).
If an administrator of the eCommerce site is only accessing it no different than any other consumer, then that access does not have to meet requirement 8.3.
However, if any site administrator is access the site for administrative purposes such as modifying the site’s parameters, managing users and other administrative activities AND that is being done through a remote connection over an untrusted network, then that remote access needs to incorporate two-factor authentication before the administrator is granted access to the site.
I believe there is actually a fourth factor of authentication: Physical location. If a piece of information is required that is stored exclusively at a specific location and that physical location is deemed secure to some acceptable level of security, then there is a high probability that the person signing into the system is actually physically at that location. This would be reserved for the most stringent forms of authentication (requiring physical presence) and there would also be big guys with guns nearby.
While physical location is a possibility, it is not always able to be determined reliably (IP spoofing comes to mind), particularly in remote access situations. As a result, it’s not relied upon.
According the FFIEC who define these acknowledged definition for authentication factors, there are only three. The reason being is that the geolocation does not identify the location of the user, it only identifies the location of the device. Basically, it is a possession factor. That said, the definitions the author provides at the beginning of this article can be misleading. Each factor is independent, so single factor authentication can be biometrics only, knowledge factor only or card only. Two factor can be a combination of any of the three factors, e.g. card and PIN, biometrics and PIN, card and biometric. You might want to make some other corrections as posted by previous comment
Geolocation is an attribute of authentication, not a factor. For example, one could in theory create a system to only allows a user to log in (using one or more factors) while at a specific location. Another common example of an attribute is time. If one can only log in during standard working hours, then the time attribute has been applied. Neither geolocation nor time can definitively say that one is who they say they are even if no attack was in progress. Thus, they are only attributes.
If we use two factor authentication, can we keep the first factor(password) permanent instead of changing every 90 days?
Best practice is to change passwords at least every 90 days regardless of other controls you have in place. If you decide to keep the password permanent, then you will need to create a compensating control to comply with requirement 8.5.9. That said, you will likely find creating a compensating control more difficult, if not impossible, than just changing the passwords every 90 days.
I’m sorry, but that’s not best practice at all.
Passwords should be changed *only* when necessary. Arbitrary changes every x days only decreases security.
Specify the recognized security standard that does not mandate changing of passwords on some periodic basis? ISO 27K, FFIEC, FISMA, COBIT, et.al. all specify that passwords be changed on some time period. The more sensitive the account, the more often the password should be changed and the stronger the password should be. You lost me on how such a practice decreases security because security professionals all agree that password changes are necessary at some point.
I appreciate it’s counter – intuitive, but these security standards are sadly ignorant of how passwords are actually handled in the real world.
I would suggest watching or attending a PasswordsCon event; I assure you… forced password changes with no evidence of a breach is a step backwards. Passwords contain metadata which is more valuable than the password itself.
When I’m not on the mobile, I’ll update this.
On the contrary, I think everyone knows the pros and cons of passwords as they have been around and well studied for at least the last 40 years.
The problem with your logic about password changes is that you have predicated it on the fact that organizations actually know that they have been breached. Statistics from Verizon, Trustwave, Cisco and the like all prove that the vast majority of organizations have no clue that they have been breached and therefore would not be able to tell users in a timely manner to change passwords to be effective in halting the breach as the damage is already done.
Passwords containing metadata is all predicated on users constructing their passwords from known information. While I would agree that the vast majority of users do that, not all do. And that is slowly changing as people begin to use password vaults and similar applications that come with password generators.
Retina scans are extremely rare today, having been almost completely replaced by iris scans. Furthermore, they were never the “most recognized” biometric. That has always been the fingerprint – in use, by far, more than any other biometric. Virtually ever laptop has a fingerprint sensor.
Retina scanning is not as rare as you think. While it has been replaced in some locations, in very, very high security installations, the retina scan is still king as it cannot be faked out by a well made contact lens with a fake iris.
Those fingerprint scanners that you see ala Lenovo ThinkPads are not something I would particularly want to trust. The full print scanners are much more accurate than the swipe variety. We have seen instances where the swipe version can be easily faked out and you can gain access.
Is there any reason to believe one category of factor is more secure than the other. For example, “what is know” is more secure than “what you have”.
If I change the authentication protocol from password to “what you have” does it make is less safe?
Biometric factors are going to be more secure than a password or a fob. However, the risk with biometrics is that someone loses the biometric such as a finger, eye or their voice. You can replace a fob or reset a password, but biometrics are not replaceable. As a result, when using biometrics you need to plan for the loss of the biometric.
The other consideration with biometrics is that not everyone has two eyes, all their fingers or can speak. As a result, you need to allow for multiple biometrics so that you have alternatives.
Please allow me to clear this up. From Wikipedia:
“On October 12, 2005, the Federal Financial Institutions Examination Council’s (FFIEC) issued guidance for financial institutions recommending financial institutions conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. The FFIEC identified three authentication factors as:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint)”
With this preface, allow me to make a few observations:
1) PCIGuru refers to retina scans as three-factor, which is inaccurate. It is one-factor using a biometric.
2) A username and password constitute one-factor authentication, but is considered two-STEP.
3) A biometric scan of two retinas and 20 fingers and toes is ONE-factor, 22-steps. Get it now? ;c)
4) True 3-factor authentication necessitates combining all three of the aforementioned factors in the authentication process. our company offers such a method through interacting with a biometric image on a mobile device.
I would be open to shedding more light on the subject if you would care to contact me.
Mike Hill
Director
Avimir Limited
What is it about this post? I keep re-reading it and I do not get where you all keep coming up these supposed errors. However, all of the comments on this post go to my original reason for writing it which is, even within the security profession, there is a misunderstanding of the factors of authentication.
I do NOT refer to a retina scan by itself as an example of three factor authentication. Go back and re-read the post, it’s NOT there. What is there is the statement, “… in addition to the previous two factors, the third factor is …” and then I use some examples, one of which is the retina.
Your point number two of retina AND fingerprints is an example of two-factor authentication, not one-factor. Remember fingerprints and retinas are two different things (i.e., factors) even though they are both in the same class of factors (i.e., biometrics). Just because biometrics are commonly associated with the third factor does not mean that they can only be used as the third factor.
And your point number three – DUH! Again, re-read the post – PLEASE!
I do not mind having people correct me when I am wrong, but there is nothing wrong with this post. Re-read it. It is correct. Yes, you have developed a new factor that can be used. Hurray for you and your company. However, promoting it by trying to correct someone who has done nothing to justify correction proves … Well, I will let the other readers fill in what it proves.
Can digital signature be accepted as “something you have” in PA-DSS compliance?
I do not see why not. A digital signature resolves into a certificate which is like any other certificate. We accept certificates as “something you have.”
when having multiple instances of factoring it can be broken down simply like the author states. but, i do not see the mistake the others have identified in their comments. He resonably communicated the idea of one factor two factor and three factor forms of security.
You seem to be confused about multi-factor authentication. You state that:
“Such use of two of the same factors is considered multi-factor authentication and is not related to any of the aforementioned definitions.”
I can not find a single source to agree with you. Two items from the same category is still single-factor and does not change the definition from single-factor to two-factor. Every other source I have seen refers to “multi-factor” as item(s) from two or more categories. So you could be required to enter a password and a pin and insert a card and a token and you would have two-factor authentication.
I don’t want to say that you an overbearing idiot or anything like that, but I would suggest that, if you express exasperation at the knowledge limits of others, you should not add to that yourself.
Welcome to part of the problem with security. You say, “poe – tay – toe” and I say “pa – ta – toe” problem in security. When I went started implementing SecurID an eternity ago, the guy from SecurID referred to two-factor authentication as two-factor and anything using the same factors as multi-factor authentication and that stuck with me. Over the years, most of the security people I have run across have referred to it similarly. However, over the last 8 to 10 years, I have seen that change with multi-factor coming to mean that multiple factors are being used. However, I still think the bulk of security professionals would say my definitions still work.
I completely disagree with you defense and agree with Zorg, you are confused and ostensibly part of the problem. Multi-factor auth is an auth requiring multiple factors. It’s simple English. If I live in a multi-cat house, there is more than one cat, not multiple instances of the same cat.
Additionally you’ve got “one-factor”, “three-factor”, and “three-factor”, mixed up with the factors. There are currently three widely accepted factors of Authentication. Something you know, something you have, and something you are. You correctly identify the most recognized instances of these factors as passwords, security tokens, and fingerprints. But using only a fingerprint would be “one-factor” are you are actually using only one factor.
It’s really scary that you claim to be an expert but don’t know even this basic terminology. Something that you started the article by admitting has been expounded on the Internet in detail for years. You really need to read up on the subject (may I suggest Wikipedia given the elementary nature of the mistakes) or do some proof-reading before publishing an article you claim to be authoritative. It’s embarrassing to you and the security community as a whole.
I went back and re-read my post and I am confused as to where I even implied that using only a fingerprint is something other than one-factor authentication.
Security professionals I know do NOT recognize multi-factor authentication, (for example, two user identifiers with two password, different or otherwise, on different but interconnected systems, using a thumb and index finger at different authentication points, using the right iris and then the left iris at different authentication points) as meeting the concept of two-factor authentication.
And since you brought up the point of proofing your work. ‘Additionally you’ve got “one-factor”, “three-factor”, and “three-factor”’. I know you meant “two-factor” for the first instance of “three-factor” but it points to your rush to condemn those of us trying to make the world a more secure place.
Not quite as far as the definitions. If there are three factors a user can be identified by:
1. Something the user knows.
2. Something the user has.
3. Something the user is.
Then dual or two factor authentication is a combination of any two of these factors (as opposed to two factor authentication being the same as the second factor listed). For example, a biometric scan and a password is two factor authentication. You sort of say the same in the third paragraph.
Fingerprint scanners and voice recognition are likely the most commonly deployed type of biometric authentication methods.
Multi-factor authentication is a synonym, it only means two or more factors of authentication (not multiple uses of the same factor).
I’ve never before seen the metrics (percentages) you reference in paragraph 4.
For a small company that purchased and hosts in their own network a vendor PA-DSS certified software, what types of two-factor authentication solutions do you recommend to allow customer reps from the vendor to remote assist the company when issues arise? Thanks.
rpa