← Back to context

Comment by mazone

2 days ago

PCI DSS from 4.0 actually have something called customized approach for everything. If you can prove and the QSA agrees that you fullfill the goal of a requirement, you can be quite flexible. Example i am doing things like not using passwords at all and only passkeys, or only ssh keys protected by hardware security key etc. Together with agents trying to verify the devices connected are company owned and hardened in different ways. Your milage might vary depending on how good your auditor is but PCI DSS standard do have quite a bit of flexibility in it.

3 comments

mazone

Reply
yardstick  2 days ago

Presumably at some point in your environment you are doing MFA? Just not at every step?

Ie If someone broke into your office, opened computer, inserted the hardware security key, would they get in? Or is there something else non-physical going on? Like the initial login is password + security key, and you can demonstrate the ssh keys never leave the secured PCs etc.

  • mazone  2 days ago

    It is not about MFA or not but to demonstrate the process is secure for the purpose.

    It can be complicated but a example. TOTP that is very common used with passwords is regarded as MFA (tho most of the time software based on phone) but have many problems regardless

    - many time replayable - can be intercepted - implementations look different - recovery code reuse problems etc.

    On the other hand, using only passkeys dont have those problems but with passkeys, many times you cannot decide on what device a user have registrated the passkeys in a enterprise setting. example they could be apple passkeys, chrome passkeys, windows, hardware key(yubikey) etc and all of them behave different when it comes how they ex can be copied/ synced between users devices. So from where they can be used.

    So for any authentication flow, you need to look at the full picture. What is the process when credentials are lost? How do user onboard etc.

    Is a good entry point to say. We should use MFA or similar but the details matter.

    • yardstick  1 day ago

      It’s always interesting to hear other people’s approaches- Thanks for the insights!