two-person login?

John Denker jsd at av8n.com
Mon Jan 28 17:56:11 EST 2008 

Hi Folks --

I have been asked to opine on a system that requires a 
"two-person login".  Some AIX documents refer to this as
a "common method of increasing login security"
  http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf

However, I don't think it is very common;  I get only five hits
from
  http://www.google.com/search?q=two-person-login

By way of not-very-apt analogy: 
 -- I am aware of business checks that require two signatures;
 -- I am aware that purchase orders are commonly signed by 
   two persons (the initiator and the approver); 
 -- I am aware of missile-launch procedures that require two
  persons using two keys;
 -- I am aware of software development procedures where a patch
  is submitted (and signed) by one person, tested (and signed
  off) by another, and committed to the official repository by 
  a third person.
 -- et cetera.

However, it is important to note that the aforementioned examples
all share an important property, as we see from the following:
  *) The parties give their approval _after_ the semantics has
   been fully determined.  It would defeat all security if two 
   signatures were attached to a blank check or a blank PO.
  *) As a related point, the approval is attached to a particular
   transaction.  The approver is not merely certifying that Joe
   is really Joe, and is generally allowed to write checks 
   (mere identification);  the approver is certifying that this 
   particular check is OK.
  *) To say the same thing another way, there is no pretexting.
   There is no pretext for turning the keys on the missile launcher
   unless you intend to launch a missile.  The semantics of the
   keys is clear.

We need to talk about threat models:
  a) The purveyors of the system in question don't have any clue
   as to what their threat model is.  I conjecture that they might
   be motivated by the non-apt analogies itemized above.
  b) In the system in question, there are myriad reasons why Joe
   would need to log in.  If Joe wanted to do something nefarious,
   it would take him less than a second to come up with a seemingly
   non-nefarious pretext.  When the approver approves Joe's login,
   the approver has no idea what the consequences of that approval
   will be.  The two-person login requires the approver to be
   present at login time, but does not require the approver to
   remain present, let alone take responsibility what Joe does 
   after login.
  c) The only threat model I can come up with is the case where
   Joe's password has been compromised, and nobody else's has.
   Two-person login would provide an extra layer of security
   in this case.  This threat is real, but there are other ways
   of dealing with this threat (e.g. two-factor authentication)
   ... so this seems like quite a lame justification for the
   two-person login.
  d) Or have I overlooked something?


>From the foregoing, you might conclude that the two-person login
system is worthless security theater ... but harmless security
theater, and therefore not worth worrying about either way.

But the plot thickens.  The purveyors have implemented two-person
login in a way that manifestly /reduces/ security.  Details 
available on request.

So now I throw it open for discussion.  Is there any significant
value in two-person login?  That is, can you identify any threat 
that is alleviated by two-person login, that is not more wisely 
alleviated in some other way?

If so, is there any advice you can give on how to do this right?  
Any DOs and DON"Ts?

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list