
Is Two-Factor Authentication an example of a simple Web of Trust Network? #62

Open
ChristopherA opened this issue Nov 10, 2015 · 5 comments

Comments

@ChristopherA
Member

In https://www.fbi.gov/seattle/press-releases/2013/man-in-the-e-mail-fraud-could-victimize-area-businesses the FBI advises:

"Here are some of the ways businesses can reduce their chance of being scammed by this man-in-the-e-mail fraud:

  • Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.

In effect, a telephone call to verify a transaction could be considered the first of a series of "web-of-trust" validations. What we are saying in #DPKI and #SmartSignatures is that a single validation up a chain to a root CA is insufficient. If we are going to do more validations, we should design more kinds of validation. This results in a social-network creation of trust, aka a "web of trust".

@du5t
Collaborator

du5t commented Nov 10, 2015

This sounds like a great way of introducing people to the larger concepts! Highly networked people are definitely used to this kind of interaction and could easily imagine a cascade of the same through a decentralized system replacing centralized ones, especially now that reporting has done a good job of showing them to be huge brittle targets.

@jimscarver

This is not just two-factor. It is multi-channel, out-of-band authentication. It is also "multimodal authentication" in adding a device factor to the authentication. If the face and/or voice factors of the person holding the device are verified passively, the biometric modes are added factors. Validating the GPS location is another mode, as is user behaviour.

I should be able to specify what factors are needed for a person to represent me on the internet for some purpose. Both the factor requirements of the system and the user should be met or there should be no interaction.
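The comment above describes factors spread across categories (device, biometric, location, behaviour) and channels, and a rule that both the system's and the user's factor requirements must be met before any interaction. The following is an added example, not code from the thread or from any project it mentions, showing one way to evaluate such a combined policy. It assumes the classic five-category factor taxonomy (knowledge, possession, inherence, location, behaviour) and the `Policy` shape defined here; the sample factors at the bottom are constructed. It also encodes a check the comment implies but does not spell out: two factors from the same category (two passwords) do not count as multi-factor, and an "out-of-band" factor must be verified over a channel other than the primary one.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Factor categories; two factors of one category are not 'multi-factor'."""
    KNOWLEDGE = "knowledge"      # password, PIN
    POSSESSION = "possession"    # phone, hardware token (the 'device factor')
    INHERENCE = "inherence"      # face, voice (the 'multimodal' biometric modes)
    LOCATION = "location"        # GPS, network location
    BEHAVIOUR = "behaviour"      # typing cadence, usage patterns


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    channel: str       # channel the factor was verified over: "web", "sms", "phone", "app"
    verified: bool     # outcome of that factor's own check


@dataclass
class Policy:
    """Requirements one party (the system or the user) places on a session."""
    owner: str
    min_categories: int = 1
    required: frozenset = frozenset()   # categories that must be present
    out_of_band: bool = False           # at least one factor must not use the primary channel


def evaluate(factors, primary_channel, *policies):
    """Return (allowed, reasons).

    Every policy passed in must be satisfied; if any one is not, the
    interaction is refused and `reasons` explains which requirement failed.
    Unverified factors are ignored entirely.
    """
    verified = [f for f in factors if f.verified]
    categories = {f.category for f in verified}
    channels = {f.channel for f in verified}
    reasons = []
    for p in policies:
        if len(categories) < p.min_categories:
            reasons.append(f"{p.owner}: {len(categories)} distinct categories, needs {p.min_categories}")
        missing = p.required - categories
        if missing:
            reasons.append(f"{p.owner}: missing " + ", ".join(sorted(c.value for c in missing)))
        if p.out_of_band and not (channels - {primary_channel}):
            reasons.append(f"{p.owner}: no factor verified outside the {primary_channel} channel")
    return (not reasons, reasons)


# Hypothetical policies: the system wants two distinct categories with one of
# them out of band; the user additionally insists on a device and a biometric.
SYSTEM = Policy("system", min_categories=2, out_of_band=True)
USER = Policy("user", required=frozenset({Category.POSSESSION, Category.INHERENCE}))


def demo():
    """Constructed sessions: two knowledge factors on one channel vs. a multi-channel set."""
    two_passwords = [
        Factor("password", Category.KNOWLEDGE, "web", True),
        Factor("security question", Category.KNOWLEDGE, "web", True),
    ]
    multi_channel = [
        Factor("password", Category.KNOWLEDGE, "web", True),
        Factor("phone callback", Category.POSSESSION, "phone", True),
        Factor("voice match", Category.INHERENCE, "phone", True),
    ]
    return (
        evaluate(two_passwords, "web", SYSTEM, USER),
        evaluate(multi_channel, "web", SYSTEM, USER),
    )


if __name__ == "__main__":
    for allowed, reasons in demo():
        print("allowed" if allowed else "refused", reasons)
```

The first session is refused on all three counts (one category only, nothing out of band, no device or biometric), while the second passes because its factors span three categories and two channels. Swapping `SYSTEM` or `USER` for a stricter policy refuses the session without any change to the factor-checking code, which is the separation the comment asks for.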

@Identitywoman
Contributor

If we get out of using the language or term "web-of-trust" I think we will get a lot further. The fact is that 2-factor authentication is just that - an additional way to prove that the person accessing an account is the rightful holder of that account.
I would stay clear of using terms like 'validation' relative to authentication events - it is imprecise language.

@jimscarver

I would suggest that decentralized overlapping webs of trust can be a solution to a trustworthy cyberspace, whereas multifactor authentication is an improvement but not a solution.

I am not sure what the issue being raised with the term validation is, but I think verification is a better term than validation for authentication events. Credentials may be validated but factors are verified. Did I miss the point here?

On Mon, Nov 16, 2015 at 6:07 PM, Kaliya - Identity Woman <notifications@github.com> wrote:

If we get out of using the language or term "web-of-trust" I think we will get a lot further. The fact is that 2-factor authentication is just that - an additional way to prove that the person accessing an account is the rightful holder of that account.

I would stay clear of using terms like 'validation' relative to authentication events - it is imprecise language.


@Identitywoman
Contributor

You have to actually define what you mean by trust.
As I have made clear via my writings, willy-nilly throwing the term around is useless. It is VERY VERY broad.
One form of trust that needs to be improved is that people's control of their identifier end points, no matter what the type (email addresses, phone number, PGP key, login to ANY website and particularly sensitive ones), be stronger - that is, more secure (more trustworthy) than just a password - so multi-factor authentication and efforts to create way more usable and ubiquitous multi-factor authentication, like the FIDO Alliance is doing, are key.

I am an identity management expert - the word verification usually applies to the process of verifying attributes you present in a formal enrollment process (what is the name on your legal paperwork, birthdate, gender, address etc).

What do you mean by Credentials? What do you mean by validation?
There are quite a few niches in and around enterprise Identity Management that all use them slightly differently.
