
What do Voodoo and Multi-Factor Authentication have in common?

Aug 11, 2021

Voodoo and multi factor authentication

Multi-Factor Authentication – More Than Just a Password

For his weird fiction, H. P. Lovecraft drew inspiration from many cultures and folklores, including the dark rituals of voodoo. Crafting a voodoo doll calls for specific ingredients. As the Voodoo Lady at the House of Mojo in Monkey Island 2: LeChuck’s Revenge famously put it:

  • Something of the Thread
  • Something of the Head
  • Something of the Dead
  • Something of the Body

Only with all four of these “factors” could the magical artifact be created. Interestingly, a similar concept applies in cyber security, especially when accessing sensitive environments such as the Cardholder Data Environment (CDE).

Authentication Requirements in PCI DSS

PCI DSS v3.2 sets out its authentication requirements for the CDE in Requirement 8, in particular 8.2 and 8.3.

Requirement 8.2

Organizations must ensure proper user authentication for all non-consumer users and administrators on all system components by using at least one of the following methods:

  • Something you know (e.g., password or passphrase)
  • Something you have (e.g., token device or smart card)
  • Something you are (e.g., biometric data)

Requirement 8.3

All individual non-console administrative access and all remote access to the CDE must be secured using multi-factor authentication (MFA).

MFA requires at least two different factors from the categories above. Using the same factor twice (for example, two passwords) does not qualify as multi-factor authentication.

In February 2017, PCI SSC released an information supplement on Multi-Factor Authentication that explains how these requirements are expected to be met.

What Is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security method that requires users to verify their identity using multiple independent factors.

These factors include:

  • Something you know – passwords, PINs
  • Something you have – smart cards, tokens, mobile devices
  • Something you are – fingerprints, facial recognition

Only when at least two of these are combined should access to sensitive systems, such as the CDE, be granted.

Why Protecting Each Factor Matters

MFA is only as strong as the protection of each individual factor. Once one factor is compromised, the attacker needs only the remaining one. The PCI SSC supplement also requires the factors to be independent of each other, so that compromising one does not expose another: a password typed on the same phone that generates or receives the one-time code is a textbook case where a single compromised device can hand over both factors at once.
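The following Python snippet is an added example, not code from the original post or from PCI SSC. It encodes the two rules discussed above (Requirement 8.3: at least two distinct factor categories, so two passwords do not count, and the PCI SSC guidance that factors must be independent) as a small policy check. The authenticator table, the device-based independence test, and all sample logins are assumptions constructed for illustration; the independence test is a simplification that treats "every presented authenticator lives on one device" as the failure case. Authenticators that NIST SP 800-63B classifies as RESTRICTED (SMS and voice one-time codes) are flagged as a warning.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """The three factor categories named in PCI DSS v3.2 Requirement 8.2."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Hypothetical table (assumption, not from the post): authenticator type ->
# (factor category, restricted under NIST SP 800-63B). SMS and voice OTPs
# are out-of-band over the PSTN, which 800-63B lists as RESTRICTED.
AUTHENTICATOR_TYPES: dict[str, tuple[Factor, bool]] = {
    "password":     (Factor.KNOW, False),
    "pin":          (Factor.KNOW, False),
    "totp_app":     (Factor.HAVE, False),
    "hardware_key": (Factor.HAVE, False),
    "smart_card":   (Factor.HAVE, False),
    "sms_otp":      (Factor.HAVE, True),
    "voice_otp":    (Factor.HAVE, True),
    "fingerprint":  (Factor.ARE, False),
}


@dataclass(frozen=True)
class Presented:
    """One authenticator the user presented, and the device it was used on."""
    kind: str
    device: str


@dataclass
class Verdict:
    is_mfa: bool
    independent: bool
    factors: set[Factor] = field(default_factory=set)
    warnings: list[str] = field(default_factory=list)


def evaluate(presented: list[Presented]) -> Verdict:
    """Decide whether a login attempt satisfies PCI DSS 8.3 and the
    PCI SSC independence guidance (device-based simplification)."""
    factors: set[Factor] = set()
    devices: set[str] = set()
    warnings: list[str] = []

    for p in presented:
        if p.kind not in AUTHENTICATOR_TYPES:
            raise ValueError(f"unknown authenticator type: {p.kind}")
        factor, restricted = AUTHENTICATOR_TYPES[p.kind]
        factors.add(factor)
        devices.add(p.device)
        if restricted:
            warnings.append(
                f"{p.kind} is a RESTRICTED authenticator under NIST SP 800-63B")

    # Requirement 8.3: two *different* categories. Two passwords, or a
    # password plus a PIN, collapse to a single category and fail here.
    is_mfa = len(factors) >= 2
    if not is_mfa:
        warnings.append(
            "fewer than two distinct factor categories: not MFA under PCI DSS 8.3")

    # Independence: if every factor was used on the same device, compromising
    # that one device exposes all of them at once.
    independent = is_mfa and len(devices) >= 2
    if is_mfa and not independent:
        warnings.append(
            "all factors depend on one device; PCI SSC requires independent factors")

    return Verdict(is_mfa, independent, factors, warnings)


if __name__ == "__main__":
    # Constructed sample logins (not real events).
    samples = {
        "two passwords":            [Presented("password", "laptop"), Presented("pin", "laptop")],
        "password + hardware key":  [Presented("password", "laptop"), Presented("hardware_key", "key-01")],
        "password + SMS, same phone": [Presented("password", "phone"), Presented("sms_otp", "phone")],
    }
    for name, login in samples.items():
        v = evaluate(login)
        print(f"{name}: mfa={v.is_mfa} independent={v.independent}")
        for w in v.warnings:
            print(f"  warning: {w}")
```

Run it directly and the three constructed logins show the three outcomes a reviewer cares about: not MFA at all, compliant and independent, and MFA on paper but with both factors riding on a single phone.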

Protect “Something You Know”

Passwords should be:

  • Strong and complex
  • Resistant to brute-force attacks
  • Kept confidential

Protect “Something You Are”

Biometric data must be safeguarded against:

  • Unauthorized access
  • Replication or spoofing
  • Misuse on compromised devices

Protect “Something You Have”

Devices such as tokens and smart cards should:

  • Never be shared
  • Be protected from theft or duplication
  • Be kept under strict user control

Important Considerations

Within the “something you have” category, it is worth noting that while the National Institute of Standards and Technology (NIST) still permits out-of-band authentication over the public switched telephone network, such as SMS or voice calls, these methods are increasingly discouraged.

NIST SP 800-63B classifies them as RESTRICTED authenticators: they remain allowed, but only with an additional risk assessment and notice to the subscriber, and they may be withdrawn in a future revision due to security concerns.

  • Supporting document about Multi Factor Authentication
  • NIST SP 800-63B