Two Factor Authentication
partpricer
04-18-2009, 01:06 PM
There is a podcast posted on the StorefrontBacktalk site that features George Hamilton, a senior product manager for LogMeIn. Here is a link to the article that has a link to the podcast, Can Remote Access And PCI Co-Exist? (http://www.storefrontbacktalk.com/securityfraud/can-remote-access-and-pci-co-exist/).
Now, I'm not an expert on two-factor authentication, but he makes a comment at about the 4:40 mark that I am having a difficult time with. He says, "Two-factor authentication is...a separate login for getting in to the remote access tool and another to get into the remote device that they want to manage."
To me, this does not seem to be two-factor authentication. Using multiple solutions from the same category does not constitute multi-factor authentication. He does go on to mention tokens, call-backs, etc. But, that quote above just seems wrong to me. Am I not understanding this correctly?
ADail
04-20-2009, 12:00 PM
Sounds a bit like an SATA driver controller I looked at today. It advertised RAID 0, 5, or 10.. but only had 2 SATA ports.
Huh?
jbhall56
05-27-2009, 06:54 PM
What the gentleman from LogMeIn is describing is defined in security circles as multi-factor authentication, not two-factor authentication. It's a common mistake.
By definition, two-factor authentication is something you know (i.e., a password, PIN or passphrase) AND something you have (i.e., token, proximity card, smartcard, hand geometry, fingerprint, retina scan, voice print, etc.). Tokens and smartcards are the most common types of two-factor authenticators used, but biometrics can also be used.
Three-factor authentication is two-factor PLUS something you are (i.e., hand geometry, fingerprint, retina scan, voice print, etc.). If you use a biometric attribute as one of your two-factor authenticators, you cannot reuse it as the third-factor. You must pick a different biometric authenticator as your third-factor.
jonassono
05-29-2009, 09:34 AM
> What the gentleman from LogMeIn is describing is defined in security circles as multi-factor authentication, not two-factor authentication. It's a common mistake.
> By definition, two-factor authentication is something you know (i.e., a password, PIN or passphrase) AND something you have (i.e., token, proximity card, smartcard, hand geometry, fingerprint, retina scan, voice print, etc.). Tokens and smartcards are the most common types of two-factor authenticators used, but biometrics can also be used.

Hand geometry, fingerprint, retina scan, voice print are biometrics and not something you know!!!

> Three-factor authentication is two-factor PLUS something you are (i.e., hand geometry, fingerprint, retina scan, voice print, etc.). If you use a biometric attribute as one of your two-factor authenticators, you cannot reuse it as the third-factor. You must pick a different biometric authenticator as your third-factor.

Not exactly correct!!! The three forms of authentication are: i.) something you know, e.g. username/password; ii.) something you have, e.g. token; and iii.) something you are, e.g. your thumbprint. Single factor authentication is any one of these, two factor authentication is any two of these and three factor authentication is all three of these.
Minor amendment!!
ADail
05-29-2009, 09:41 PM
Here are some sources for you:
NIST 800-53
Supplemental Guidance: Users are uniquely identified and authenticated for all accesses other than those accesses explicitly identified and documented by the organization in accordance with security control AC-14. Authentication of user identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication, some combination thereof.
NIST 800-63 Electronic Authentication Guideline
Authentication requires that the claimant prove through a secure authentication protocol that he or she controls the token, and must first unlock the token with a password or biometric, or must also use a password in a secure authentication protocol, to establish two factor authentication.
FIPS 201 - Personal Identity Verification of Federal Employees & Contractors
The CISSP reference guide also does a decent job of explaining 2-factor authentication.
Donny Michael
06-30-2009, 10:47 PM
I have a digital security token for my account at ETrade. It provides two factor authentication by requiring me to logon using my usual password plus a code shown on the token that changes every 60 seconds. I'm looking for another online bank that offers this type of security to customers. Do you know of any?
jbhall56
07-06-2009, 05:26 AM
> I have a digital security token for my account at ETrade. It provides two factor authentication by requiring me to logon using my usual password plus a code shown on the token that changes every 60 seconds. I'm looking for another online bank that offers this type of security to customers. Do you know of any?
There were a number of banks that went down this road. As I recall, Chase and Citicorp both had trial programs a few years back. I also know of some regional banks that also tried fobs. The problem was that so many customers misplaced/lost their fobs that it became too costly (those fobs are not cheap) and the programs were stopped. However, if you have a fob, you can still use it with the banks that issued the fob. I think they require two-factor authentication for their commercial customers that access their systems remotely.
ADail
07-06-2009, 07:37 AM
The last time I went to the Verifone Secure Payments conference there was a vendor showing off a system that sent something to a cell phone instead of a FOB, which basically turned the cell phone into something akin to a Radius timer.
It was supposed to eliminate the issue with the consumer losing the FOB. We'll see if it catches on.
rx.jeff
07-10-2009, 09:25 AM
> The last time I went to the Verifone Secure Payments conference there was a vendor showing off a system that sent something to a cell phone instead of a FOB, which basically turned the cell phone into something akin to a Radius timer.
> It was supposed to eliminate the issue with the consumer losing the FOB. We'll see if it catches on.
Do you mean Phonefactor.com? I believe I touched on them here (this forum) earlier.