Multi-Factor Authentication

During the PCI SSC's recent presentation on the coming changes in v3.2 of the PCI DSS, one of the changes discussed was the adoption of the term "multi-factor authentication" in place of "two-factor authentication".  That change resulted in some heated discussion in the Q&A session that followed the presentation.

Even though the Council was very, very clear about what it meant by multi-factor, a lot of us have concerns about that terminology.  The reason for the concern?  Most of us in the information security profession dislike the term "multi-factor authentication" because, as it is commonly used, it gets stretched to cover poor practices such as requiring two sets of credentials.  I have discussed this in a previous post, but the time seems right to cover the topic again before QSAs start running into organizations trying to pass off two passwords as valid multi-factor authentication.

The factors of authentication are defined as:

  • Knowledge also referred to as ‘something you know’ such as a password or passphrase,
  • Possession also referred to as ‘something you have’ such as an RSA SecurID or Symantec VIP token, and
  • Inherence also referred to as ‘something you are’ such as a fingerprint, hand geometry or voice.

For multi-factor authentication to be meaningful, the factors used must come from different categories; the terms one, two and three factor authentication refer to how many different categories are in use.  Using only a password is single or one factor authentication.  Using a PIN with a fingerprint is two factor authentication.  Using a password with the token's one-time number and a fingerprint is three factor authentication.

Therefore using two passwords is not using factors from two of the three categories.  It uses the same category twice, which does not count as a second factor.  The same holds for a fingerprint plus an iris scan, as those are also two items from the same category, although those biometric factors are arguably much stronger than two passwords.

Why are two passwords not considered secure?  Both are knowledge factors, so whatever exposes one tends to expose the other: an attacker who compromises your authentication system (or the user, through phishing or a keylogger) will likely obtain both sets of credentials at once.  If you also require one of the other two factors, the attacker may have the credentials but still lacks the token or the biometric needed to use them.  With true two or three factor authentication, your security therefore remains effective even after the credentials have been compromised.
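To make the category rule concrete, here is an added example (my own code, not from this post, the PCI SSC or any vendor): a small policy check that counts distinct factor categories rather than distinct credentials, alongside an RFC 6238 time-based one-time password (TOTP) verifier standing in for the token's "something you have".  The names (FactorCategory, count_factors, is_multi_factor, verify_totp, login), the authenticator labels and the constructed user record are all assumptions for illustration; the TOTP seed is the published RFC 6238 test-vector secret.

```python
"""Factor-category counting plus an RFC 6238 TOTP check.

Added example for this post; it is not code from the PCI Guru blog or the
PCI SSC. All names (FactorCategory, count_factors, verify_totp, login) and
the constructed user record are assumptions for illustration.
Standard library only.
"""
import hashlib
import hmac
import struct
from enum import Enum


class FactorCategory(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Which category each kind of authenticator belongs to (assumed labels).
AUTHENTICATOR_CATEGORY = {
    "password": FactorCategory.KNOWLEDGE,
    "passphrase": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "totp": FactorCategory.POSSESSION,        # time-based code from a token or app
    "hardware_token": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "iris": FactorCategory.INHERENCE,
    "voice": FactorCategory.INHERENCE,
}


def count_factors(authenticators):
    """Number of DISTINCT categories present. Two passwords count as one,
    and so do a fingerprint plus an iris scan."""
    categories = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {name}")
        categories.add(AUTHENTICATOR_CATEGORY[name])
    return len(categories)


def is_multi_factor(authenticators):
    """True only when at least two different categories are used."""
    return count_factors(authenticators) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current 30-second step and +/- `window` steps
    (clock drift). Constant-time comparison so timing does not leak matching digits."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record for the example (not real data).
_SALT = b"example-salt-0001"
USER_RECORD = {
    "password_hash": password_hash("correct horse battery staple", _SALT),
    "salt": _SALT,
    "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
}


def login(submitted: dict, record: dict, unix_time: int) -> tuple:
    """Enforce the category policy first, then verify each presented authenticator.

    `submitted` maps authenticator type -> value, e.g. {"password": "...", "totp": "287082"}.
    Returns (accepted, distinct_categories). A second knowledge factor never raises
    the category count, so two passwords fail the policy before any value is checked.
    """
    factors = count_factors(submitted)
    if factors < 2:
        return False, factors
    ok = True
    if "password" in submitted:
        ok &= hmac.compare_digest(
            password_hash(submitted["password"], record["salt"]), record["password_hash"])
    if "totp" in submitted:
        ok &= verify_totp(record["totp_secret"], submitted["totp"], unix_time)
    # Biometrics and hardware tokens would be checked against their own enrolment
    # data here; they are out of scope for this example.
    return ok, factors


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code for this step is 287082
    print(login({"password": "correct horse battery staple", "totp": totp(USER_RECORD["totp_secret"], t)}, USER_RECORD, t))
    print(login({"password": "correct horse battery staple", "passphrase": "second secret"}, USER_RECORD, t))
```

The point of `login` is the order of the checks: the category count is enforced before any secret is compared, so a request carrying a password and a passphrase is rejected as one-factor regardless of whether both values are correct, while a password plus a valid TOTP code passes as two categories.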

So all of you out there thinking the Council has approved the use of two passwords as a multi-factor authentication solution need to think again.  I know there will be some who do not get this message and will try to use it in that context anyway.


7 Responses to “Multi-Factor Authentication”

  1. Wai Loon
    August 9, 2016 at 3:54 AM

    What if username/password + one time pin + analyzing the user’s location? Is that considered multi-factor too?

    • August 13, 2016 at 3:40 PM

      Analyzing the user’s location? I’m assuming you are implying you would have a way of geolocating the user requesting access. I would caution you on this as there are too many buildings where GPS is unavailable. I would also not rely on any sort of service that does geolocation by IP address. I have encountered too many of the IP-based geolocating services where VPNs, ISPs, network architectures, etc. mask the user’s actual geolocation. In addition, what do you do with mobile users whose geolocation is not static?

      Regarding the PIN, it depends on how the PIN is delivered. Delivery via SMS (i.e., texting) is no longer considered secure by the National Institute of Standards and Technology (NIST) so that is no longer acceptable. Using RSA SecurID, Symantec VIP Access or similar would be acceptable.

      So while in theory what you suggest is multi-factor authentication, I would not necessarily call those factors always reliable.

  2. KC
    May 11, 2016 at 11:41 AM

    What about a scenario with a username/password that generates a one-time login that gets sent through email/text (to a phone) and is required to log in? Is that considered multi-factor?

  3. John
    April 30, 2016 at 9:42 AM

    So this now applies to servers such as security and authentication servers or just servers that store, process, or transmit CHD?

    • May 3, 2016 at 8:43 AM

      Yes, it does. This is why it will be a pain for some organizations that have not segmented their administrative systems from their general systems.

  4. David Young
    April 15, 2016 at 12:23 PM

    Boom! (Drops mic, walks off stage…)


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

April 2016