Multifactor authentication (MFA)
The multifactor authentication platform (2FA) is designed as an authentication solution for access to local workstations. It complies with the PCI DSS v3.2 standard and guarantees interoperability in environments with Windows and Linux operating systems.
Non-console access refers to logical access to a system component that occurs over a network interface rather than via a direct, physical connection to the system component.
In this case, the user who connects is not physically present in front of the system console and cannot interact directly with the local screen and keyboard. Examples of access other than through the console are Remote Desktop Protocol (RDP) and web-based administration interfaces such as a graphical user interface (GUI).
The scope of this project is limited to the security of MFA in local workstations. MFA via browser connection is not available, though. Specifically:
- Requirement 8.3.1: For non-console access to any account with administrative privileges originating from trusted networks (such as internal networks) that allow access to the Cardholder Data Environment (CDE).
The recommendations published in the NIST SP 800-63-3 “Digital Authentication Guideline” include a series of best practices in the electronic authentication process that will be taken into account in order to make the solution possible.
The multifactor authentication of ANF AC is validated at once, so that, in the case of a failed authentication, the user does not know which of the authentication factors entered is incorrect.
This gives the service greater security, following the instructions of the latest updates of the Payment Card Industry Security Standards Council (PCI SSC).
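One way to validate both factors in a single step and return a single failure message, shown as an added example that is not ANF AC's code. It assumes a PBKDF2-hashed password for “what I know” and an HMAC challenge-response from a token key standing in for “what I own”; every name in it is hypothetical.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Authentication failed"  # the only failure message ever returned


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(password: str, token_key: bytes) -> dict:
    """Build a stored record: salted password hash plus the token's key."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": _pw_hash(password, salt), "token_key": token_key}


def token_response(token_key: bytes, challenge: bytes) -> bytes:
    """What the possession factor returns for a server challenge (assumed scheme)."""
    return hmac.new(token_key, challenge, hashlib.sha256).digest()


# Record used for unknown usernames so they cost the same work as known ones.
_DUMMY = enroll("dummy-password", os.urandom(32))


def authenticate(users: dict, username: str, password: str,
                 challenge: bytes, response: bytes) -> tuple:
    known = username in users
    record = users[username] if known else _DUMMY
    # Evaluate every factor, even when an earlier one has already failed,
    # so neither the message nor the amount of work reveals which was wrong.
    pw_ok = hmac.compare_digest(_pw_hash(password, record["salt"]), record["pw_hash"])
    tok_ok = hmac.compare_digest(token_response(record["token_key"], challenge), response)
    if known & pw_ok & tok_ok:  # non-short-circuit AND over all checks
        return (True, "Authenticated")
    return (False, GENERIC_FAILURE)


if __name__ == "__main__":
    key, chal = os.urandom(32), os.urandom(16)  # constructed sample values
    users = {"alice": enroll("correct horse", key)}
    good = token_response(key, chal)
    print(authenticate(users, "alice", "correct horse", chal, good))
    print(authenticate(users, "alice", "wrong", chal, good))
    print(authenticate(users, "alice", "correct horse", chal, b"\x00" * 32))
```

Server-side logs can still record which factor failed for detection purposes; only the response to the user stays uniform.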
Main characteristics of the solution:
- The factor corresponding to “what I know”,
- The factor corresponding to “what I own”
- The project is scalable to as many workstations as required.
- It includes qualified electronic signature certificates that are valid for 2 years (physical token, distribution code, or centralized)
- Engineering support services related to the implementation, updates and commissioning of the solution, and training in its installation, use and administration.
- In the case of workstations with Mac OS, ANF AC's engineering team will determine the maximum possible compatibility once the corresponding laboratory tests have been carried out.
To the 2FA service you can optionally add:
- Renewal of qualified electronic signature certificates:
- Technical Assistance Service once the first six months included in the project have passed.
Qualified electronic signature certificates issued by ANF AC comply with the current legal framework Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation).
The MFA solution complies with the General Data Protection Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. If necessary, ANF AC can prepare a document corresponding to the Impact Assessment of the MFA solution.