I have an irritating problem dealing with the physical security staff in my datacenter. We have a requirement for certain areas to have "two-factor authentication", and they've provided badge readers and fingerprint scanners, and consider this requirement solved.
Unfortunately, the systems don't work together and you can use one person's badge, and someone else's fingerprint.
My experience (and common sense) says that two-factor means YOUR badge needs to only work with YOUR fingerprint, but our physical security team doesn't see it that way.
They've asked for some sort of evidence that this is how it works... a government directive or other "proof" that the two need to be tied together.
I thought that it would be a quick Google search away, but it turns out to be more difficult than I thought! All the definitions seem to leave the "tie in" to the imagination! They all say "password and token" or "badge and bio" but never explicitly say that those devices need to tie to the person who is authenticating.
This seems like such a simple thing! Does anyone know of a document that clearly defines two-factor as both factors required to be tied to the same person?
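The gap described in the question, as an added example that is not part of the original post: two readers that each answer "is this a valid credential?" independently, versus a door controller that requires both factors to resolve to the same enrolled identity. Names, badge IDs and fingerprint template IDs are constructed sample data, and the "mismatch" reason is there so such events can be logged and alerted on.

```python
"""Added example (not from the original post): why two independent readers are
not two-factor authentication unless both factors bind to the same identity."""
from typing import Optional, Tuple

# Constructed enrolment data: each reader keeps its own table of who is enrolled.
BADGE_OWNER = {"BADGE-1001": "alice", "BADGE-1002": "bob"}
FINGERPRINT_OWNER = {"FP-TEMPLATE-A": "alice", "FP-TEMPLATE-B": "bob"}


def badge_reader(badge_id: str) -> Optional[str]:
    """Identity enrolled for this badge, or None if the badge is unknown."""
    return BADGE_OWNER.get(badge_id)


def fingerprint_scanner(template_id: str) -> Optional[str]:
    """Identity enrolled for the matched fingerprint template, or None."""
    return FINGERPRINT_OWNER.get(template_id)


def door_unbound(badge_id: str, template_id: str) -> bool:
    """The deployment in the question: each system validates its own credential
    and the door simply ANDs the two answers. Nothing checks that the badge and
    the fingerprint belong to the same person, so any valid badge plus any
    enrolled finger opens the door."""
    return badge_reader(badge_id) is not None and fingerprint_scanner(template_id) is not None


def door_bound(badge_id: str, template_id: str) -> Tuple[Optional[str], str]:
    """Two-factor as the questioner expects it: both factors must resolve to the
    same enrolled identity. Returns (identity or None, reason) so the reason can
    be written to the access log; a 'mismatch' is worth alerting on, since it
    means someone presented a badge with a finger that is not the holder's."""
    who_badge = badge_reader(badge_id)
    who_finger = fingerprint_scanner(template_id)
    if who_badge is None:
        return None, "unknown badge"
    if who_finger is None:
        return None, "unknown fingerprint"
    if who_badge != who_finger:
        return None, f"mismatch: badge={who_badge} fingerprint={who_finger}"
    return who_badge, "ok"


if __name__ == "__main__":
    # Alice's badge with Bob's fingerprint: the unbound door opens, the bound one refuses.
    print(door_unbound("BADGE-1001", "FP-TEMPLATE-B"))  # True  (the flaw)
    print(door_bound("BADGE-1001", "FP-TEMPLATE-B"))    # (None, 'mismatch: badge=alice fingerprint=bob')
    print(door_bound("BADGE-1001", "FP-TEMPLATE-A"))    # ('alice', 'ok')
```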