What’s behind PCI’s New MFA Requirements?

Requirement 8.3 of the PCI DSS 3.2 goes into effect today (Feb 1, 2018), making MFA (multi-factor authentication) a requirement for every organization involved in payment card processing.

Many have implemented MFA ahead of the requirement; however, a look at the PCI’s multi-factor implementation guidance highlights some considerations, particularly around passwords, that may otherwise be overlooked.

1. Multi-factor means multiple strong factors

The guidelines make it clear that you need to apply at least two of the three strong authentication factors: 1) something you know; 2) something you have; 3) something you are.

Other factors like geo-location and time data can also be included, but not at the expense of including two of the strong factors listed above. In fact, it’s not sufficient to reuse the same type of factor twice.

Some have used their MFA implementations as a rationale to eliminate passwords; however, PCI clearly recognizes password-based authentication over alternative authenticators.

2. Each factor needs to be appropriately protected

There need to be sufficient controls to harden each layer: physical authenticators (e.g. a device or token) and biometric authenticators need to be protected against unauthorized replication, and passwords need to be sufficiently hard to guess.

Passwords have become increasingly vulnerable due to password reuse and data breaches that have exposed billions of frequently used credentials.

PCI typically follows other industry standards such as NIST, ISO, and ANSI. To overcome this weakness, NIST guidelines now require validating passwords against lists of known compromised passwords.

3. Independence of layers is essential

PCI makes it explicit that each layer needs to be independent. This means that one factor can’t allow access to another.

Many MFA implementations fail this test. For example, PCI says that it’s not appropriate for a username and password (first factor) to also allow system access to an email account where a one-time password (second factor) is sent. Nor is it sufficient to have a biometric authenticator (first factor) allow access to a browser that has the username and password (second factor) cached.

Each factor needs to be a separate, unique challenge. Some implementations skip the first factor and send a new one-time password to the email address on request. This misses the point entirely.

4. No confirmation can be provided until all factors are entered

The PCI guidance says that it’s not appropriate to inform the user that one factor has been passed or failed until they’ve entered all factors.

The goal here is to prevent a form of enumeration risk, an often-overlooked security consideration where attackers gain information about the system based on feedback received. PCI explains:

“If an unauthorized user can deduce the validity of any individual authentication factor, the overall authentication process becomes a collection of subsequent, single-factor authentication steps, even if a different factor is used for each step.”

For the increased security it provides, PCI accepts the risk of some user frustration with a process that doesn’t validate any steps until all steps are entered.
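As an added illustration of points 2 and 4 (not code from the PCI guidance or the original post), the sketch below contrasts a verifier that reports which factor failed with one that evaluates every factor and returns a single answer; the compromised-password list, salt, user record and one-time code are all constructed placeholders, and the one-time code stands in for a real second-factor device.

```python
import hashlib
import hmac

# Constructed demo data only; nothing here is a real credential or salt.
_SALT = b"constructed-demo-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

# Section 2: stand-in for a breached-password corpus. A real deployment queries a
# breach dataset; this inline set holds SHA-1 digests, as such lists commonly do.
COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                    for p in ("password", "123456", "qwerty")}

USERS: dict = {}

def set_password(username: str, password: str, otp_code: str) -> bool:
    """Enrollment: refuse any password found in the compromised list."""
    if hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1:
        return False
    USERS[username] = {"pw_hash": _hash_password(password), "otp": otp_code}
    return True

def leaky_verify(username: str, password: str, otp: str) -> str:
    """Anti-pattern from section 4: each reply says which factor failed, so the
    password can be confirmed on its own before the second factor is ever checked."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not hmac.compare_digest(_hash_password(password), user["pw_hash"]):
        return "bad password"
    if not hmac.compare_digest(otp.encode(), user["otp"].encode()):
        return "bad one-time code"
    return "ok"

# Dummy record used for unknown usernames so the same work is done and the
# same answer returned no matter which factor (or the username) was wrong.
_DUMMY = {"pw_hash": _hash_password("\x00unused"), "otp": "000000"}

def uniform_verify(username: str, password: str, otp: str) -> bool:
    """Evaluate every factor without short-circuiting, then return one answer."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    pw_ok = hmac.compare_digest(_hash_password(password), record["pw_hash"])
    otp_ok = hmac.compare_digest(otp.encode(), record["otp"].encode())
    return (user is not None) and pw_ok and otp_ok

# Constructed enrollment; the one-time code stands in for a hardware token value.
set_password("alice", "correct horse battery", "492817")
```

In `uniform_verify` both factors are checked before any result is formed, so a wrong password, a wrong code and an unknown username all produce the same `False`, which is the behaviour point 4 asks for.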

Conclusion

There are a variety of ways to approach multi-factor authentication. The PCI requirement 8.3 makes it clear how to effectively implement a multi-layered mechanism that will substantially increase the obstacles an unauthorized user would need to defeat.