1

What industries require multi-factor authentication?

Please include the following information:

  • Country
  • Industry
  • Regulation name
  • Additional information as you see relevant.

Some additional information I'd like to know is how the regulation "defines" multi-factor. This is of concern because the 2005 FFIEC regulations allowed a browser cookie to act as a second factor according to a surprising recent legal ruling.

makerofthings7
  • 50,488
  • 54
  • 253
  • 542

1 Answers1

2

This is kind of tangential to the question, but that courthouse is in walking distance for me so I followed the PATCO case closely (and the defense lawyers are across the street from my office).

The magistrate's logic is horrid... and unfortunately a judge accepted that recommendation, so that particular case was decided. However, (US legal theory) this is a district court, not an appeals court. The decision is not a binding precedent in future cases in any part of the country.

I referenced that case earlier when writing up an answer on muti-factor authentication for How is "something you have" typically defined for "two-factor" authentication? If another case were to come up involving similar questions, the logic whether cookies can qualify as "something you have" would be argued anew, though I'm certain at least one side would point to this case.

Assuming there isn't a definition that is relevant to the case (much like the FFIEC didn't define this particular question), a judge would decide how that should be interpreted in the context of a case based upon expert testimony.

With the above considered, I don't know of any legal standard, ruling, or precedent in law that defines the boundaries of what different systems qualify as which factors of authentication.

Jeff Ferland
  • 38,170
  • 9
  • 94
  • 172