We’re often presented with environments where the PCI DSS requires two-factor authentication (2FA). Sometimes a client has implemented something that sounds like 2FA but isn’t.
To explain why, let’s revisit what 2FA actually is.
Two-factor authentication is a generic term describing a system that strongly confirms the identity of the person trying to gain access. It does this by requiring at least two valid pieces of proof of identity (“factors”) to be presented. The factors are:
- Something you know. This is usually a password.
- Something you have. This could be a hardware token device, or a one-time token delivered to your mobile phone or email.
- Something you are. Biometric systems that read fingerprints are common here.
Choose any two and you’re using two-factor authentication. But there are some pitfalls to look out for.
The following use cases are not two-factor:
- Using only a username and a password. The username is not considered a factor on its own. Username and password together are a single factor (something you know).
- Logging on to one system with a username and password, and then from there logging on to the target system with another username and password. This is simply two instances of one-factor authentication.
- Any implementation where a factor is optional or can be bypassed. This would almost certainly be a PCI DSS compliance issue.
The way in which two-factor authentication is implemented varies considerably between hardware and software vendors. Our very own MailAssured system, which many readers will be familiar with, implements a form of two-factor authentication. We send you a token in the form of a temporary unique URL in an email, and then we call or text you with an associated password. In that way, we are confident that the person we sent the link to is the one who has retrieved the documents.
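The following is an added example, not code from the original post or from the MailAssured system. It shows, in Python, the difference between the last pitfall in the list above (a second factor that is optional and therefore bypassable) and a check where both factors are mandatory. The second factor is a one-time code delivered out of band, in the spirit of the token-plus-separate-password flow just described. All usernames, passwords, the salt and the token format are constructed for the demonstration, and the helper names are assumptions.

```python
"""Added example: two-factor login check with an optional (broken) and a
mandatory (correct) second factor. Not the original post's or any vendor's code."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Factor 1, "something you know": salted password hashes. Constructed data.
_SALT = b"constructed-demo-salt"
_PASSWORD_HASHES = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
}

# Factor 2, "something you have": one-time codes delivered out of band
# (SMS, phone call, or embedded in a unique URL). token -> (user, expiry).
_ISSUED_TOKENS: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL_SECONDS = 300


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Generate a one-time code bound to the user; the caller delivers it
    over a channel separate from the login form."""
    now = time.time() if now is None else now
    token = secrets.token_hex(4)  # 8 hex characters; length chosen for the demo
    _ISSUED_TOKENS[token] = (user, now + TOKEN_TTL_SECONDS)
    return token


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    expected = _PASSWORD_HASHES.get(user)
    if expected is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, expected)


def consume_token(user: str, token: str, now: Optional[float] = None) -> bool:
    """Valid only if unexpired, bound to this user and never used before.
    The token is removed on first presentation, so it is single use."""
    now = time.time() if now is None else now
    entry = _ISSUED_TOKENS.pop(token, None)
    if entry is None:
        return False
    owner, expiry = entry
    return owner == user and now <= expiry


def login_broken(user: str, password: str, token: Optional[str] = None,
                 now: Optional[float] = None) -> bool:
    """Pitfall: the token is optional. A caller that simply omits it is
    accepted on the password alone, so this is one-factor authentication."""
    if not check_password(user, password):
        return False
    if token is None:
        return True  # second factor silently skipped
    return consume_token(user, token, now)


def login_two_factor(user: str, password: str, token: Optional[str],
                     now: Optional[float] = None) -> bool:
    """Both factors are mandatory: a missing or wrong token rejects the login
    just as a wrong password does. Both checks always run, so a presented
    token is consumed whether or not the password was right."""
    pw_ok = check_password(user, password)
    tok_ok = token is not None and consume_token(user, token, now)
    return pw_ok and tok_ok


if __name__ == "__main__":
    code = issue_token("alice")
    print("broken, no token:", login_broken("alice", "correct horse battery"))
    print("strict, no token:", login_two_factor("alice", "correct horse battery", None))
    print("strict, both factors:", login_two_factor("alice", "correct horse battery", code))
    print("strict, token reused:", login_two_factor("alice", "correct horse battery", code))
```

The point to take from the two `login_*` functions is structural: if any code path returns success after checking only one factor, the system is single-factor regardless of what the login screen looks like. Expiry, single use and binding the token to the user are what make "something you have" a genuine second factor rather than a second password.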
PCI DSS places great importance on establishing the identity of individuals who have remote access to the card data environment (for reasons that should be obvious). This is why requirement 8.3 mandates that two-factor authentication be in place for remote access. This underpins other requirements (essentially the whole of requirement 10).
Further reading: http://en.wikipedia.org/wiki/Two-factor_authentication