By: Brandon Polk, Director of Compliance Services
Contextual Security Solutions | March 16, 2017 @ 15:26
The Payment Card Industry Security Standards Council recently released guidance on multi-factor authentication (MFA) describing the industry-accepted principles and best practices for both the organizations that use MFA solutions and the providers that build them.
MFA requires at least two (2) of the following three (3) authentication methods: something you know (password, etc.), something you have (token, etc.), or something you are (fingerprint, etc.). It is important to note that this guidance does not extend or modify PCI DSS requirement 8.3; rather, it provides supplementary guidance and suggests that these principles may be incorporated into future versions of the standard.
The first big consideration is the independence of authentication mechanisms, which essentially means that a compromise of any one (1) of the three (3) MFA authentication methods cannot lead to a subsequent compromise of either of the remaining two (2) methods. For example, a compromised password manager application cannot be allowed to lead to a compromised token. This needs careful thought because, in practice, a compromised password manager application often also contains the credentials for email accounts, and if those accounts are not themselves protected by MFA, the attacker can use email to reset passwords and/or re-enroll tokens, thus leading to a compromise of a second method. The dependency is transitive: the question is not only what the compromised component holds directly, but what every recovery or reset path reachable from it can unlock.
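The following is an added example, not code from the PCI guidance or from the original post, that models the transitive dependency described above. Each edge means "control of A gives control of B" (for example, an unprotected mailbox can reset a password or re-enroll an OTP app); the component names, factor assignments and reset paths are constructed for illustration. It then reports every single component whose compromise reaches two or more distinct factor categories, which is exactly the independence failure the guidance warns about.

```python
"""Added example (not from the PCI guidance or the original post): a small
model of how a single compromised component can transitively yield more than
one authentication factor. Component names and reset paths are constructed."""
from collections import deque

# Which factor category each credential-bearing component stands in for.
# Components not listed here (password_manager, email) are not factors
# themselves; they only grant access to other components.
FACTOR_OF = {
    "password": "know",
    "hardware_token": "have",
    "totp_app": "have",
    "fingerprint": "are",
}


def single_compromise_reach(grants, start):
    """Everything an attacker controls after compromising `start`, following
    edges of the form 'control of A gives control of B' (breadth-first)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in grants.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def violations(grants):
    """Return {component: set of factor categories} for every component whose
    compromise transitively yields two or more distinct factor categories.
    An empty dict means the factors are independent under this model."""
    nodes = set(grants) | {v for vs in grants.values() for v in vs}
    out = {}
    for start in nodes:
        reached = single_compromise_reach(grants, start)
        factors = {FACTOR_OF[n] for n in reached if n in FACTOR_OF}
        if len(factors) >= 2:
            out[start] = factors
    return out


# Constructed environment from the scenario in the post: the password manager
# holds the password and the mailbox credentials, and the mailbox (no MFA) can
# both reset the password and re-enroll the TOTP app.
WEAK = {
    "password_manager": ["password", "email"],
    "email": ["password", "totp_app"],
}

# Constructed hardened variant: email can still reset the password, but
# re-enrolling the second factor no longer goes through email, so the chain
# from the password manager stops at the "know" factor.
HARDENED = {
    "password_manager": ["password", "email"],
    "email": ["password"],
}

if __name__ == "__main__":
    print("weak:", violations(WEAK))          # password_manager and email both reach know+have
    print("hardened:", violations(HARDENED))  # {}
```

Running it on the weak model flags both the password manager and the mailbox, because compromising either reaches the "know" and "have" factors; on the hardened model nothing is flagged. Populating the dictionary with a real environment's reset and recovery paths (help desk resets, backup codes, SSO recovery email) is where the exercise becomes useful.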
The MFA guidance makes another major distinction between multi-step and multi-factor authentication. The authentication process must validate at least two (2) of the three (3) authentication methods before a user receives an overall success or failure result; otherwise, you have single-factor multi-step authentication rather than multi-factor authentication. For example, a username and password prompt that tells the user the password was accepted and only then asks for a second authentication method is multi-step: an attacker holding only a leaked password learns that it is valid without ever presenting the second factor. A flow in which the username, password, and second authentication method are submitted together and evaluated before a single success or failure result is returned is multi-factor.
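The following is an added example, not code from the PCI guidance or from the original post, that puts the two flows side by side. The multi-step version answers "password ok?" as a separate step, which is the information leak the guidance is concerned with; the multi-factor version takes all three inputs, evaluates both factors every time without short-circuiting, and returns one verdict. The user record, password, OTP secret and counter are constructed for illustration; the OTP is derived with a standard HOTP truncation over HMAC-SHA1.

```python
"""Added example (not from the PCI guidance or the original post): a leaky
multi-step login beside a single-verdict multi-factor login. All user data
is constructed for illustration."""
import hashlib
import hmac


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not a raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) dynamic truncation over HMAC-SHA1, standing in for
    the user's 'something you have'."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user store (assumption: one user, a fixed HOTP counter).
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "salt": SALT,
        "pw_hash": _pw_hash("correct horse", SALT),
        "otp_secret": b"constructed-otp-secret",
        "counter": 7,
    },
}
# Dummy record so an unknown username still does the same work and cannot
# be distinguished by timing from a real one.
DUMMY_USER = {"salt": SALT, "pw_hash": _pw_hash("dummy", SALT),
              "otp_secret": b"dummy", "counter": 0}


# --- Multi-step (single-factor, two prompts): reveals the password result ---
def multistep_login_step1(username: str, password: str) -> str:
    """Step 1 returns a verdict on the password alone. Anyone holding a
    leaked password can confirm it is valid here without a second factor."""
    user = USERS.get(username)
    if user is None:
        return "no such user"
    if not hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"]):
        return "bad password"
    return "password ok, enter OTP"


def multistep_login_step2(username: str, otp: str) -> str:
    """Step 2 only runs after step 1 already leaked the password verdict."""
    user = USERS[username]
    expected = hotp(user["otp_secret"], user["counter"])
    return "success" if hmac.compare_digest(otp.encode(), expected.encode()) else "bad otp"


# --- Multi-factor: both factors collected and checked, one verdict ---
def multifactor_login(username: str, password: str, otp: str) -> bool:
    """Validates both factors on every call and returns a single result, so
    the caller cannot learn which factor (if either) was wrong."""
    user = USERS.get(username, DUMMY_USER)
    pw_ok = hmac.compare_digest(_pw_hash(password, user["salt"]), user["pw_hash"])
    expected = hotp(user["otp_secret"], user["counter"])
    otp_ok = hmac.compare_digest(otp.encode(), expected.encode())
    # '&' rather than 'and': both checks always run, no short-circuit on a
    # bad password. A real deployment would also advance the HOTP counter on
    # success and rate-limit attempts; both are omitted here.
    return bool(pw_ok & otp_ok) and username in USERS


if __name__ == "__main__":
    code = hotp(USERS["alice"]["otp_secret"], USERS["alice"]["counter"])
    print(multistep_login_step1("alice", "correct horse"))   # leaks: password ok, enter OTP
    print(multifactor_login("alice", "correct horse", code))  # True
    print(multifactor_login("alice", "wrong", code))          # False
```

The multi-step functions are kept only to show the failure mode: step 1 is a password oracle. The multi-factor function returns nothing more specific than True or False, which is what "a single overall success or failure result" means in practice.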
Additional details, along with common scenarios showing how various authentication methodologies do or do not satisfy these principles, can be found in the official PCI guidance document on the Council's website at the following address: https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf