For clarification, from Wikipedia: Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something they and only they know), possession (something they and only they have), and inherence (something they and only they are).[1][2]

Two-factor authentication (also known as 2FA) is a type (subset) of multi-factor authentication. It is a method of confirming a user's claimed identity by utilizing a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are. Thus, MFA should have a wide variety of solutions.

Rob Schramm

On Wed, Mar 21, 2018 at 2:15 PM David Boyes <[email protected]> wrote:

> On 3/21/18, 12:49 PM, "IBM Mainframe Discussion List on behalf of Jesse 1 Robinson" <[email protected] on behalf of [email protected]> wrote:
>
> > So how does MFA work in practice? I ask because the idea of having to go through MFA every few minutes would be a very hard sell at the ranch.
>
> It's not really a big issue for most modern setups. Some MFA solutions are priced per authentication, so you have to balance security vs. cost. Use of things like Kerberos, where you can authenticate on your local system and get a delegatable passticket that you can use with network services like a VPN server without passwords passing over the wire, is a major plus.
>
> It has a lot to do with just how paranoid your security people are, and whether they have done the due diligence on the typical length of a session and if they've given some thought to how identities and credentials are handled network wide. It also depends on whether your setup permits different timeouts by userid/group so trusted users can be allowed longer intervals before reauthentication. For example, most modern VPN servers use RADIUS to set session parameters, so it's not too hard to allow per-user settings. Kerberos is pretty much the only universally accepted network identity management system that all the vendors can agree on (thank you, MIT), so if your setup can use it or one of its derivatives like Active Directory, it's a big plus.
>
> It's like most things: did you pick reasonable default behaviors? If you did, it's not a pain.
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
Rob Schramm
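The per-user/group RADIUS session settings David mentions, shown as an added illustration that is not part of the original thread: a FreeRADIUS `users` file (rlm_files) that returns different `Session-Timeout` and `Idle-Timeout` reply attributes by group, so trusted users get longer intervals before the VPN forces reauthentication. It assumes rlm_ldap is configured so the `Ldap-Group` check item resolves; the group names and timeout values are constructed.

```text
# FreeRADIUS "users" file excerpt (constructed example).
# Check items go on the DEFAULT line; reply items follow, indented,
# comma-separated, with the last one unterminated. Timeouts are seconds.

# Trusted staff: 8-hour sessions, 30 minutes idle before re-auth.
DEFAULT  Ldap-Group == "vpn-trusted"
         Session-Timeout = 28800,
         Idle-Timeout = 1800,
         Fall-Through = No

# Contractors: 1-hour sessions, 10 minutes idle.
DEFAULT  Ldap-Group == "vpn-contractors"
         Session-Timeout = 3600,
         Idle-Timeout = 600,
         Fall-Through = No

# Everyone else falls through to the conservative default.
DEFAULT
         Session-Timeout = 7200,
         Idle-Timeout = 900
```

The VPN server (the RADIUS client) enforces the returned values; check its own settings do not clamp them to a single global timeout, or the per-group policy silently has no effect.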
