Archive for April 15th, 2016

15 Apr 16

Multi-Factor Authentication

During the PCI SSC’s recent presentation on the coming changes in v3.2 of the PCI DSS, one of the changes announced was the adoption of the term “multi-factor authentication” instead of “two-factor authentication”. This change resulted in some heated discussion in the Q&A session that followed the presentation.

Even though the Council was very, very clear about what they meant by multi-factor, a lot of us have concerns about that terminology. The reason for all of this concern? It is because most of us in the information security profession dislike the term “multi-factor authentication”. That dislike is driven by the fact that the term typically includes stupid practices such as using two sets of credentials. I have discussed this in a previous post, but I thought the time was right to discuss this topic again before QSAs start running into organizations trying to pawn off two passwords as valid multi-factor authentication.

Multiple factors of authentication are defined as:

  • Knowledge, also referred to as ‘something you know’, such as a password or passphrase,
  • Possession, also referred to as ‘something you have’, such as an RSA SecurID or Symantec VIP token, and
  • Inherence, also referred to as ‘something you are’, such as a fingerprint, hand or voice.

In order for multi-factor authentication to be secure, each factor you use must come from a different category, hence the terms one-, two- and three-factor authentication. Using only a password is single- or one-factor authentication. Using a PIN with a fingerprint is two-factor authentication. Using a password with the token number and a fingerprint is three-factor authentication.

Therefore, using two passwords is not using factors from two of the three categories. It is using the same category twice, which is not considered secure. This also holds true for using a fingerprint and an iris scan, as those are two items from the same category, although those biometric factors are arguably much stronger than just two passwords.

Why are two passwords not considered secure? An attacker only has to compromise your authentication system, and they would likely have access to both sets of credentials. But if you also require either of the other two factors, the attacker may have the credentials but does not have the other factors needed to use them. Therefore, if you are using true two- or three-factor authentication, your security is still effective.

So all of you out there thinking the Council has approved the use of two passwords as a multi-factor authentication solution need to think again, although I know there will be some who do not get this message and will try to use it in that context anyway.


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.
