Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
370
Views
1
Helpful
4
Replies

Two factor auth tied together?

andrew.hallberg
Level 1
Level 1

‎08-09-2007 02:09 PM - edited ‎03-09-2019 06:34 PM

Hi all,

I have an irritating problem dealing with the physical security staff in my datacenter. We have a requirement for certain areas to have "two factor authentication", and they've provided badge readers and fingerprint scanners, and consider this requirement solved.

Unfortunately, the systems don't work together and you can use one person's badge, and someone else's fingerprint.

My experience (and common sense) says that two factor means YOUR badge needs to only work with YOUR fingerprint, but our physical security team doesn't see it that way.

They've asked for some sort of evidence that this is how it works... A government directive or other "proof" that they need to tie together.

I thought that it would be a quick Google search away, but it turns out to be more difficult than I thought! All the definitions seem to leave the "tie in" to the imagination! They all say "password and token" or "badge and bio" but never explicitly say that those devices need to tie to the person who is authenticating.

This seems like such a simple thing! Does anyone know of a document that clearly defines two factor as both factors required to be tied to the same person?

Labels:
0 Helpful
4 Replies 4

carenas123
Level 5
Level 5

‎08-16-2007 09:29 AM

I think with two factor authentication it is not defined to have the badge and finger print of the same person. If a person carries someone else's badge and his fingerprint is authenticated the system will allow the access to the person.

andrew.hallberg
Level 1
Level 1
In response to carenas123

‎08-16-2007 10:18 AM

So, if you go to the bank and have an ATM card... Can you use anybody's PIN to get access? Doesn't that defeat the purpose of authentification?

And if Steve's badge is swiped and John's finger is scanned... Who gained access? How do you audit this event?

0 Helpful

tsteger1
Level 8
Level 8
In response to andrew.hallberg

‎08-16-2007 01:35 PM

I agree that tying them together would be better security but you may lose this one.

In the bank card scenario, the unique item is the card, but the card and PIN can be used by anyone.

Your situation is different in that the unique item is the fingerprint (since any card will do, thank you) AND it is physically tied to a single person (lopped off fingers aside).

It's not as tight as it could be but it does qualify as two factor since you need both to enter.

Since John's finger is scanned, John entered.

JMTC

Tom

0 Helpful

tsteger1
Level 8
Level 8
In response to andrew.hallberg

‎08-16-2007 01:44 PM

Forum suggestion: A way to delete a post during the 30 minute edit window.

0 Helpful
Customers Also Viewed These Support Documents