During the PCI SSC’s recent presentation on the coming changes in v3.2 of the PCI DSS, one of the changes discussed was the adoption of the term “multi-factor authentication” in place of “two-factor authentication”. That change resulted in some heated discussion in the Q&A session that followed the presentation.
Even though the Council was very, very clear about what it meant by multi-factor, a lot of us have concerns about the terminology. The reason for the concern? Most of us in the information security profession dislike the term “multi-factor authentication” because it is routinely stretched to cover stupid practices such as requiring two sets of credentials. I have discussed this in a previous post, but I thought the time was right to discuss it again before QSAs start running into organizations trying to pass off two passwords as valid multi-factor authentication.
The factors of authentication are defined as:
- Knowledge, also referred to as ‘something you know’, such as a password or passphrase,
- Possession, also referred to as ‘something you have’, such as an RSA SecurID or Symantec VIP token, and
- Inherence, also referred to as ‘something you are’, such as a fingerprint, hand geometry or voice.
In order for authentication to be multi-factor, the factors used must come from different categories; the count in one, two and three factor authentication is a count of distinct categories, not of credentials. Using only a password is single or one factor authentication. Using a PIN with a fingerprint is two factor authentication. Using a password with a token code and a fingerprint is three factor authentication.
Therefore using two passwords is not using factors from two of the three categories. It uses the same category twice, which is not multi-factor and is not considered secure. The same holds for using a fingerprint and an iris scan, as those are also two items from the same category, although those biometric factors are arguably much stronger than two passwords.
Why are two passwords not considered secure? Because both fall to the same attack: an attacker who compromises your authentication system, or who phishes or keylogs the user, obtains both sets of credentials at once. But if you also require one of the other two factors, the attacker may have the credentials but does not have the token or the biometric needed to use them. So with true two or three factor authentication your security is still effective even after the passwords are compromised.
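As an added illustration that is not part of the original post, here is a small Python check that verifies each presented credential and then counts distinct factor categories rather than credentials, so two passwords come out as one factor while password plus a token code comes out as two. The user record, salt, passwords and the TOTP secret (the RFC 6238 test-vector key) are constructed for the demo; the TOTP code stands in for the one-time code from a hardware or software token.

```python
"""Count authentication factors by category, not by number of credentials.

Constructed example: a user record holding a password (knowledge), a second
password (still knowledge) and a TOTP secret provisioned on a token
(possession). Only credentials that verify contribute a category.
"""
import hashlib
import hmac
import struct
import time
from enum import Enum
from typing import Optional


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# --- knowledge factor: salted PBKDF2 password verification -----------------
def hash_password(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    # Rounds kept modest for the demo; tune upward (or use Argon2) in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify_password(stored: bytes, salt: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, hash_password(candidate, salt))


# --- possession factor: RFC 6238 TOTP (RFC 4226 HOTP over a 30 s counter) --
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side for clock drift."""
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- constructed user record (demo values, not real credentials) -----------
SALT = b"constructed-demo-salt"
USER = {
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "second_pw_hash": hash_password("hunter2", SALT),  # a second KNOWLEDGE credential
    "totp_secret": b"12345678901234567890",             # RFC 6238 test-vector secret
}


def authenticate(password: str, *, second_password: Optional[str] = None,
                 totp_code: Optional[str] = None,
                 at_time: Optional[int] = None) -> dict:
    """Verify every presented credential, then count DISTINCT factor categories.

    Returns {"ok", "categories", "factor_count", "multi_factor"}. A single
    failed credential fails the whole attempt; a second password adds no new
    category because the set de-duplicates KNOWLEDGE.
    """
    at_time = int(time.time()) if at_time is None else at_time
    results = [(Factor.KNOWLEDGE, verify_password(USER["pw_hash"], SALT, password))]
    if second_password is not None:
        results.append((Factor.KNOWLEDGE,
                        verify_password(USER["second_pw_hash"], SALT, second_password)))
    if totp_code is not None:
        results.append((Factor.POSSESSION,
                        verify_totp(USER["totp_secret"], totp_code, at_time)))

    all_ok = all(ok for _, ok in results)
    categories = {f for f, ok in results if ok} if all_ok else set()
    return {"ok": all_ok,
            "categories": categories,
            "factor_count": len(categories),
            "multi_factor": all_ok and len(categories) >= 2}


if __name__ == "__main__":
    code = totp(USER["totp_secret"], 59)        # RFC 6238 vector at T=59 -> 287082
    print(authenticate("correct horse battery staple", second_password="hunter2"))
    print(authenticate("correct horse battery staple", totp_code=code, at_time=59))
```

The design point is in `authenticate`: the categories are collected into a set, so however many knowledge credentials are presented the factor count cannot exceed one until something from a different category (here the token code) verifies as well.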
So all of you out there thinking the Council has approved two passwords as an acceptable multi-factor authentication solution need to think again. Although I know there will be some that do not get this message and will try to use it in that context anyway.
What if username/password + one-time PIN + analyzing the user’s location? Is that considered multi-factor too?
Analyzing the user’s location? I’m assuming you are implying you would have a way of geolocating the user requesting access. I would caution you on this as there are too many buildings where GPS is unavailable. I would also not rely on any sort of service that does geolocation by IP address. I have encountered too many of the IP-based geolocating services where VPNs, ISPs, network architectures, etc. mask the user’s actual geolocation. In addition, what do you do with mobile users whose geolocation is not static?
Regarding the PIN, it depends on how the PIN is delivered. Delivery via SMS (i.e., texting) is no longer considered secure by the National Institute of Standards and Technology (NIST) so that is no longer acceptable. Using RSA SecurID, Symantec VIP Access or similar would be acceptable.
So while in theory what you suggest is multi-factor authentication, I would not necessarily call those factors always reliable.
What about a scenario with a username/password that generates a one-time login that gets sent through email/text (to a phone) and is required to log in? Is that considered multi-factor?
It could be argued to be multi-factor, but I would question the security of the transmission mechanism in the open through email/SMS.
So this now applies to servers such as security and authentication servers or just servers that store, process, or transmit CHD?
Yes, it does. This is why it will be a pain for some organizations that have not segmented their administrative systems from their general systems.
Boom! (Drops mic, walks off stage…)