September 25 2012

Defining multifactor authentication



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------

I was recently having a discussion about the definition of multifactor authentication and what actually constitutes one-, two- or three-factor authentication. There seems to be confusion around these definitions, so I am posting some industry-accepted definitions for all to see or reference. Authentication methodologies involve three basic “factors”:

  1. Something the user knows (e.g. password, personal identification number, personally identifiable information)
  2. Something the user has (e.g. smartcard, security token, telephone, signed digital certificate)
  3. Something the user is (e.g. fingerprint, voice, retinal pattern, DNA)
According to the Federal Financial Institutions Examination Council’s Authentication in an Internet Banking Environment, August 15, 2006, two-factor authentication (aka multifactor authentication) is described as:
“By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category would not constitute multifactor authentication.”
Therefore, two-factor (aka multifactor) authentication is a combination of any two of these factors. For example, a fingerprint scan and a password is two-factor authentication; a password and a signed computer digital certificate is two-factor authentication. However, if you use a password, a signed computer digital certificate, a PIN and a number generated from your RSA SecurID token, then you are still using two-factor authentication, as the identifiers only come from two of the three categories listed above.

There is a great article here (http://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/) which discusses this in detail, and it is also worth checking out the PCI Security Standards Council Quick Reference Guide, especially section 8.3 (https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf), FFIEC’s Authentication Guidance whitepaper (http://www.ffiec.gov/pdf/authentication_guidance.pdf) and Australia’s DSD security advice article (http://www.dsd.gov.au/publications/csocprotect/multi_factor_authentication.htm).


January 12 2011

Outlook prompting for credentials with Exchange 2007

I saw this issue again today. Outlook 2007 & 2010 were prompting for username and password at startup and randomly during use.

I’ve used this fix a couple of times now. In IIS Manager, navigate to the website that contains your Exchange Virtual Directories (in Exchange 2007 this is Default Web Site; in SBS 2008 this is SBS Web Applications).

In turn highlight the following Virtual Directories:

AutoDiscover
RPC
EWS
OAB

Once a directory is highlighted, select Authentication, right-click Windows Authentication, select Advanced Settings and put a check in Enable kernel-mode authentication. Do this for each directory.

Be careful: when upgrading to Exchange 2007 Service Pack 3, it reset the setting on 2 of the 4 directories, so these needed to have kernel-mode authentication re-enabled.
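Because a service pack can silently reset this setting, it is worth being able to audit the four directories from a script rather than clicking through IIS Manager each time. The following is an added example (not from the original post) using the IIS 7 WebAdministration module; the site name, the directory list and the -Fix switch are my assumptions, and the windowsAuthentication useKernelMode attribute is the setting the Advanced Settings checkbox toggles.

```powershell
# Audit (and optionally enable) kernel-mode Windows Authentication on the
# Exchange virtual directories. Added example; site name and directory list
# are assumptions taken from the post (use "SBS Web Applications" on SBS 2008).
param(
    [string]$SiteName = "Default Web Site",
    [string[]]$VirtualDirectories = @("Autodiscover", "Rpc", "EWS", "OAB"),
    [switch]$Fix   # without -Fix the script only reports, it changes nothing
)

Import-Module WebAdministration

# Configuration section behind IIS Manager's "Windows Authentication" entry
$filter = "system.webServer/security/authentication/windowsAuthentication"

foreach ($vdir in $VirtualDirectories) {
    $path = "IIS:\Sites\$SiteName\$vdir"
    if (-not (Test-Path $path)) {
        Write-Warning "$path not found; skipping"
        continue
    }

    # Is Windows Authentication enabled at all on this directory?
    $enabled = (Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name enabled).Value
    if (-not $enabled) {
        Write-Warning "$vdir : Windows Authentication is not enabled; check the provider setup first"
        continue
    }

    # useKernelMode is the "Enable kernel-mode authentication" checkbox
    $kernelMode = (Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name useKernelMode).Value
    if ($kernelMode) {
        Write-Host "$vdir : kernel-mode authentication already enabled"
        continue
    }

    if ($Fix) {
        Set-WebConfigurationProperty -PSPath $path -Filter $filter -Name useKernelMode -Value $true
        Write-Host "$vdir : kernel-mode authentication enabled"
    } else {
        Write-Warning "$vdir : kernel-mode authentication DISABLED (re-run with -Fix to enable)"
    }
}
```

Run it without -Fix after any Exchange service pack or rollup to confirm all four directories still have the setting, and with -Fix from an elevated prompt to restore it.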