On Friday, May 19, 2017 at 7:19:27 AM UTC-5, Gervase Markham wrote:
> "enforce multi-factor authentication for all accounts capable of causing
> certificate issuance or performing validation functions"
Should we specify somewhere that multi-factor auth encompasses two _different_ factors and not simply multiple authenticators?

It seems possible that some could (or possibly do) interpret multi-factor as including 'double-single-factor' or 'multi-step' using something like a client cert (something you have) and a TOTP like Google Authenticator (something you have). Taken to the extreme, this could include two 4-digit PINs (something you know and something you know).

If that's not the intent, then something such as the following may be more clear:

"enforce multi-factor authentication (using 2 or more factors from NIST 800-63-2) for all accounts capable of causing certificate issuance or performing validation functions"

