For his fantastic fiction, Howard Phillips Lovecraft drew a lot from many different cultures and folklore, among them there were the dark rituals of voodoo magic. In order to craft a voodoo doll, some specific ingredients are required. The Lady at the house of Mojo in The Secret of Monkey Island 2TM used to say:
- Something of the Thread
- Something of the Head
- Something of the Dead
- Something of the Body
Only these four Factors made it possible to craft the magic artifact that was to take away the bad guy(s).
Factors are also needed to access the Cardholder Data Environment (CDE). In particular, requirement 8.2 of PCI DSS v3.2:
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric.
And requirement 8.3:
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
Note: Multi-factor authentication requires that a minimum of two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
In February 2017, PCI SSC released a supporting document about Multi Factor Authentication.
So, what is Multi Factor Authentication?
Multi Factor Authentication is the usage of different factors for accessing something, in our case a system residing in the CDE.
The factors that can be used are:
- Something you know
- Something you have
- Something you are
Such factors, once and only if combined should grant you access to the CDE. Using the same factor twice (or more) is not considered Multi-Factor Authentication and therefore will not fulfill the security demanded by the standard.
Given the above, a consequence is that the factors must be protected in order to grant their own integrity and therefore the integrity of the CDE, for:
- Passwords and other “something you know” data should be difficult to guess and get to with brute-force, to be protected from disclosure to unauthorized parties.
- Biometrics and other “something you are” data should be protected from unauthorized replication or use by others with access to the device on which the data is present.
- Smart cards, software certificates, and other “something you have” data should not be shared, and should be protected from replication or possession by unauthorized parties.
In the “something you have” scope, it is worth mentioning that while NIST still permits the use of out-of-band authentication mechanisms (e.g. SMS, voice on the PSTN), they have been discouraged by NIST and might be removed in the future, as stated on the NIST SP 800-63B.
Multi Factor Authentication is crucial for keeping the bad guys out of the CDE. But, how you safeguard the factors allowing multi-factored authentication is crucial, so no post-it with passwords or smartcard/OTP token/smartphone left around unattended anymore, by anyone!