Two factor auth tied together?

Unanswered Question
Aug 9th, 2007
User Badges:

Hi all,


I have an irritating problem dealing with the physical security staff in my datacenter. We have a requirement for certain areas to have "two factor authentication", and they've provided badge readers and fingerprint scanners, and consider this requirement solved.


Unfortunately, the systems don't work together and you can use one person's badge, and someone else's fingerprint.


My experience (and common sense) says that two factor means YOUR badge needs to only work with YOUR fingerprint, but our physical security team doesn't see it that way.


They've asked for some sort of evidence that this is how it works... A government directive or other "proof" that they need to tie together.


I thought that it would be a quick Google search away, but it turns out to be more difficult than I thought! All the definitions seem to leave the "tie in" to the imagination! They all say "password and token" or "badge and bio" but never explicitly say that those devices need to tie to the person who is authenticating.


This seems like such a simple thing! Does anyone know of a document that clearly defines two factor as both factors required to be tied to the same person?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
Loading.
carenas123 Thu, 08/16/2007 - 09:29
User Badges:
  • Silver, 250 points or more

I think with two factor authentication it is not defined to have the badge and finger print of the same person. If a person carries someone else's badge and his fingerprint is authenticated the system will allow the access to the person.

andrew.hallberg Thu, 08/16/2007 - 10:18
User Badges:

So, if you go to the bank and have an ATM card... Can you use anybody's PIN to get access? Doesn't that defeat the purpose of authentification?


And if Steve's badge is swiped and John's finger is scanned... Who gained access? How do you audit this event?

tsteger1 Thu, 08/16/2007 - 13:35
User Badges:
  • Red, 2250 points or more

I agree that tying them together would be better security but you may lose this one.


In the bank card scenario, the unique item is the card, but the card and PIN can be used by anyone.


Your situation is different in that the unique item is the fingerprint (since any card will do, thank you) AND it is physically tied to a single person (lopped off fingers aside).


It's not as tight as it could be but it does qualify as two factor since you need both to enter.


Since John's finger is scanned, John entered.


JMTC


Tom

tsteger1 Thu, 08/16/2007 - 13:44
User Badges:
  • Red, 2250 points or more

Forum suggestion: A way to delete a post during the 30 minute edit window.

Actions

This Discussion