FAQ #1426 Diff

Is "two-step" authentication the same as "two-factor" or "multi-factor" authentication?

Earlier Version
2016-06-17T00:00:00+00:00

Later Version
2019-05-16T19:37:42+00:00

Removed

Added

~~The idea of "two-step"~~?Two-step" or "multi-step" authentication ~~(e.g.~~is not the same as "two-factor" or "multi-factor". "Two-step" or "multi-step" authentication involves the subsequent presentation of aone ~~secondary~~or more authentication ~~step~~steps after the first authentication step is successfully ~~performed)~~performed. ~~does~~This approach is not ~~meet~~ the ~~Council's~~same ~~definition of~~as "multi-factor" authentication, ~~unless~~as ~~both~~even ofthough the ~~following~~overall ~~conditions~~process ~~are~~may met:

Therely ~~whole~~on multiple authentication ~~process~~methods, ~~requires~~each atstep ~~least~~relies ~~two~~on ofa single authentication factor.

Refer to the ~~three~~Information ~~authentication~~Supplement: ~~methods~~Multi-Factor ~~described~~Authentication Guidance, available under Guidance Documents in the PCI ~~DSS~~SSC ~~Requirement~~Document 8.2

a. Something you know, such as a password or passphrase

b. Something you have, such as a token device or smartcard

c. Something you are, such as a biometric

All of the authentication mechanisms used must be independent of one another, meaning access to a secondary authentication mechanism cannot be dependent on the first (for example, relying on username/password authenticationLibrary, for ~~both~~further ~~user authentication as well as governing access to an email account where a secondary factor is sent).~~guidance.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.