Tuesday, 4 April 2017

PCI DSS disses multi-step authentication

The PCI Council has published an "Information Supplement" on multi-factor authentication (pdf).  The document states that multi-step and multi-factor authentication are not the same and that the former is not acceptable.

PCI DSS requires that all factors in multi-factor authentication be verified prior to the authentication mechanism granting the requested access. Moreover, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented.
For example, if an individual submits credentials (e.g., username/password) that, once successfully validated, lead to the presentation of the second factor for validation (e.g., biometric), this would be considered “multi-step” authentication.

If this is the way you're doing your authentication with a service or using Google Authenticator, then it's probably time to re-think that (in addition to other issues with Google Authenticator).  WiKID's authentication process is true multi-factor, easy to integrate into a one-step authentication process, and it can perform 2FA for non-console administrative access as required by PCI 3.2 (pdf).
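To make the distinction concrete, here is an added example (not code from WiKID or from the PCI Council's supplement) that implements both flows side by side. The multi-step version validates the password first and tells the caller whether it was accepted before asking for the one-time code; the single-step version collects both factors, evaluates both regardless of the other's outcome, and returns only a combined pass/fail. The user record, salt and TOTP seed are constructed values for the demo; the TOTP routine follows RFC 6238 with HMAC-SHA1 and a 30-second step.

```python
import hashlib
import hmac
import struct

# Constructed demo store: one user with a salted PBKDF2 password hash and a
# TOTP seed. All values are made up for this example.
_SALT = b"demo-salt-not-for-production"
_TOTP_SECRET = b"0123456789abcdef0123"  # 20-byte seed, constructed
_STEP = 30

USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": _TOTP_SECRET,
    }
}


def _check_password(username, password):
    user = USERS.get(username)
    # Compare against a dummy hash for unknown users so the work done does not
    # reveal whether the account exists.
    stored = user["pw_hash"] if user else bytes(32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate) and user is not None


def totp(secret, for_time, step=_STEP, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _check_totp(username, code, now):
    user = USERS.get(username)
    secret = user["totp_secret"] if user else bytes(20)
    # Accept the current and adjacent time steps to tolerate clock drift.
    ok = False
    for skew in (-1, 0, 1):
        expected = totp(secret, now + skew * _STEP)
        ok |= hmac.compare_digest(expected, code)
    return ok and user is not None


# --- Multi-step: the pattern the supplement says is NOT acceptable ---
def multistep_login_step1(username, password):
    """Leaks the outcome of factor 1 before factor 2 has been presented."""
    if not _check_password(username, password):
        return "password rejected"
    return "password accepted, enter OTP"


def multistep_login_step2(username, code, now):
    """Second round trip; only reached if step 1 confirmed the password."""
    return "granted" if _check_totp(username, code, now) else "otp rejected"


# --- Single-step multi-factor: all factors presented and verified together ---
def mfa_login(username, password, code, now):
    """Both factors are evaluated no matter how the other fares, and the
    caller learns only the combined result."""
    pw_ok = _check_password(username, password)
    otp_ok = _check_totp(username, code, now)
    # Decide only after both checks have run, so a wrong password does not
    # short-circuit the OTP check or yield a distinguishable response.
    return "granted" if (pw_ok and otp_ok) else "authentication failed"
```

In the single-step flow a login form carries username, password and one-time code together, and every failure path returns the same generic message; the multi-step flow hands an attacker a free password oracle before the second factor is ever involved.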

