Hitoshi Kokumai

Horrific Distinction between ‘Multi-Layer’ and ‘Multi-Entrance’ Deployments

‘Multi-Layer’ is also represented by ‘In-Series’, ‘In-Addition-To’, ‘All/BothAnd’ and ‘Conjunction’ in logic,

‘Multi-Entrance’ by ‘In-Parallel’, ‘In-Stead-Of’, ‘EitherOr’ and ‘Disjunction’.

Carelessly mixing up these two deployment methods causes a false sense of security, one that so many security professionals embarrassingly turn a blind eye to. And, unfortunately, misinformation, once integrated into our long-term memory, becomes very difficult to correct, particularly when it was spread by big names.

Below is a plain riddle to help you judge how free you are from a very serious piece of misinformation spreading in the sphere of identity assurance and cybersecurity.

Assume that a mobile device sends out a private key (or a digital certificate signed by the private key) to the authentication server, where the corresponding public key is stored, upon verification of the user by ‘Either a biometrics Or a fallback password/PIN’. We count 3 factors in this scheme: what you have, what your body features are, and what you know/remember.

Is this scheme

1. a 3-factor authentication?
2. a 2-factor authentication?
3. neither a 3-factor nor a 2-factor authentication?

Which of (1), (2) and (3) do you think is the correct answer?

This video offers a clue to the answer: https://youtu.be/wuhB5vxKYlg

< Remark >

Presumably, behind this confusion lies the security professionals’ ignorance of the relation between False Rejection Rates (FRR) and False Acceptance Rates (FAR).

FAR and FRR are not variables independent of each other; they are mutually dependent. Furthermore, they are not merely mutually dependent but stand in a trade-off relation: when the FAR is close to 0 (zero), the corresponding FRR is close to 1 (one), and when the FRR is close to 0 (zero), the corresponding FAR is close to 1 (one). This means that, in cyberspace, biometrics inevitably has to rely on a fallback means against false rejection, a password or PIN in most cases.
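To make the ‘In-Series’ versus ‘In-Parallel’ distinction concrete, here is an added example (not code from the original post) that works out how the FAR and FRR of two verifiers combine under a conjunction and under a disjunction, and applies the disjunction to the riddle’s ‘Either a biometrics Or a fallback password/PIN’ step. All rates are constructed illustrative values, and the two verifiers are assumed to fail independently of each other.

```python
# Added example, not part of the original post. Rates are constructed
# illustrative numbers; the verifiers are assumed to fail independently.

def combine_in_series(far_a, frr_a, far_b, frr_b):
    """Multi-layer / conjunction: the claimant must pass BOTH verifiers."""
    far = far_a * far_b                    # an impostor has to fool both
    frr = 1 - (1 - frr_a) * (1 - frr_b)    # genuine user rejected if either rejects
    return far, frr


def combine_in_parallel(far_a, frr_a, far_b, frr_b):
    """Multi-entrance / disjunction: passing EITHER verifier is enough."""
    far = 1 - (1 - far_a) * (1 - far_b)    # an impostor needs to fool only one
    frr = frr_a * frr_b                    # genuine user rejected only if both reject
    return far, frr


def pin_guess_far(digits, attempts):
    """FAR of a numeric PIN against an attacker allowed `attempts` guesses
    (assumes a uniformly chosen PIN, so each guess hits with 1/10**digits)."""
    return min(1.0, attempts / 10 ** digits)


def riddle_user_verification(far_bio, frr_bio, far_pin, frr_pin):
    """The riddle's user-verification step: biometrics OR fallback PIN.
    Being a disjunction, its FAR can never be lower than that of the
    weaker verifier on its own, while its FRR drops (the fallback's purpose)."""
    far, frr = combine_in_parallel(far_bio, frr_bio, far_pin, frr_pin)
    assert far >= max(far_bio, far_pin)
    return far, frr


if __name__ == "__main__":
    BIO_FAR, BIO_FRR = 1e-3, 0.05          # constructed biometric rates
    PIN_FAR = pin_guess_far(4, 10)         # 4-digit PIN, 10 tries allowed
    PIN_FRR = 0.01                          # constructed: user mistypes or forgets
    print("in series   (AND):", combine_in_series(BIO_FAR, BIO_FRR, PIN_FAR, PIN_FRR))
    print("in parallel (OR): ", combine_in_parallel(BIO_FAR, BIO_FRR, PIN_FAR, PIN_FRR))
    print("riddle's user-verification step:",
          riddle_user_verification(BIO_FAR, BIO_FRR, PIN_FAR, PIN_FRR))
```

Swapping the AND for the OR with the same two verifiers moves the FAR from the product of the two rates to (roughly) their sum, which is the false sense of security the post warns about.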

Sadly, there are too many security people who talk loudly about biometrics without knowing such basics of biometrics.

