Skip to main content

PCI DSS disses multi-step authentication

The PCI Council has published an "Information Supplement" on multi-factor authentication (pdf).  The document that multi-step and mutl-factor authentication are not the same and that the former is not acceptable. 

PCI DSS requires that all factors in multi-factor authentication be verified prior to the authentication mechanism granting the requested access. Moreover, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented.
<snip>
For example, if an individual submits credentials (e.g., username/password) that, once successfully validated, lead to the presentation of  the second factor for validation (e.g., biometric), this would be considered “multi-step” authentication.

If this is the way you're doing your authentication with a service or using Google Authenticator, then it's probably time to re-think that (in addition to other issues with Google Authenticator).  WiKID's authentication process is true multi-factor, easy to integration into a one-step authentication process and it can perform 2FA for non-console administrative access as required by PCI 3.2 (pdf). 

Current rating: 2.3

Recent Posts

Archive

2024
2022
2021
2019
2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom