thePCI Portal

MultiFactor and Multistep authentication

Some of the simple common questions regarding what is allowed for multifactor authentication are answered in FAQs from the Council.

Not a factor anymore.

Some of the more complex ones aren’t and need technical expertise to answer, sorry.

FAQ 1425:  Is “two-step” authentication the same as “two-factor” or “multi-factor” authentication?

Answer summary:  NO

FAQ 1449: Is two-step authentication acceptable for PCI DSS Requirement 8.3?

Answer summary:  Basically NO, but yes IF the authentication mechanisms are independent of one another, such that access to one factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.

FAQ 1425: What is the difference between “multi-factor” authentication and “two-factor” authentication?

Answer summary:  Two=Two.  Multi=Multiple, More than one, Like 2 or 3.


These FAQs are just summaries of what can be found in the Information Supplement "Multi-Factor Authentication", Version 1.0, February 2017.
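The independence condition summarized under FAQ 1449 can be checked mechanically during a design review. The sketch below is an added example, not taken from the Council's FAQs or the Information Supplement; the graph model, the function names and both sample flows are assumptions constructed for illustration.

```python
# Added example: models the FAQ 1449 independence condition as a graph check.
# "exposes" maps a mechanism to the things an attacker gains once it is
# compromised (hypothetical model; the edges come from your own design review).
from itertools import permutations

def reachable(exposes, start):
    """Everything whose confidentiality or integrity falls if `start` falls."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for nxt in exposes.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def independence_violations(steps, exposes):
    """Ordered pairs (a, b) of login steps where compromising a also yields b."""
    return [(a, b) for a, b in permutations(steps, 2)
            if b in reachable(exposes, a)]

def is_independent(steps, exposes):
    """True only for two or more steps with no dependency between any pair."""
    return len(steps) >= 2 and not independence_violations(steps, exposes)

# Constructed flow A: the one-time code is mailed to a mailbox that is
# protected by the same password used in step one.
FLOW_A_STEPS = ["password", "email_otp"]
FLOW_A_EXPOSES = {"password": ["mailbox"], "mailbox": ["email_otp"]}

# Constructed flow B: the second step is a separate hardware token that no
# other step gives access to.
FLOW_B_STEPS = ["password", "hardware_token"]
FLOW_B_EXPOSES = {}

if __name__ == "__main__":
    for name, steps, exposes in (("A", FLOW_A_STEPS, FLOW_A_EXPOSES),
                                 ("B", FLOW_B_STEPS, FLOW_B_EXPOSES)):
        print(name, is_independent(steps, exposes),
              independence_violations(steps, exposes))
```

Flow A is two steps but fails the condition because the dependency is indirect (password, then mailbox, then code), which is why the check follows the whole chain rather than only direct links.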
