Ted Boyd wrote:
Someone doesn't understand three-factor security...
Historically, the distinction between the three "factors" of
authentication -- the three ways in which a remote computer can
validate an online authentication call as legit, and then link that
call to a set of privileges earlier granted to a pre-registered user --
has been on the basis of the potential avenues of attacks, the ways in
which an adversary could corrupt the access control system.
The traditional three -- something you know; something you physically
hold; and something you are (biometrically) -- are distinct because
they are thought to require three separate and distinct attacks in
order to subvert a three-factor defense.
(I sometimes wonder if we might eventually see a comeback of what, in the
1970s and earlier, was considered the fourth factor: location. When a
command console could be hardwired into a mainframe, it could be given
privileges that were not permitted on other remote terminals. Imagine
the advantages -- in this era of malware and targeted trojans -- if
only you, at your keyboard, could get privileged access to, say, a
window in which you could safely input authentication data, which would
be then passed to a specific application by some trusted path.)
Surete,
_Vin