Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1426 Deleted

Is "two-step" authentication the same as "two-factor" or "multi-factor" authentication?

The idea of "two-step" or "multi-step" authentication (e.g. the presentation of a secondary authentication step after the first is successfully performed) does not meet the Council's definition of "multi-factor" authentication, unless both of the following conditions are met:

  1. The whole authentication process requires at least two of the three authentication methods described in PCI DSS Requirement 8.2:

     a. Something you know, such as a password or passphrase

     b. Something you have, such as a token device or smartcard

     c. Something you are, such as a biometric

  2. All of the authentication mechanisms used must be independent of one another, meaning access to a secondary authentication mechanism cannot be dependent on the first (for example, relying on username/password authentication for both user authentication as well as governing access to an email account where a secondary factor is sent).
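The two conditions above can be turned into a small policy check that an assessor or an engineer reviewing a login design can run against a description of the authentication chain. The code below is an added illustration, not PCI SSC material: the `Mechanism` record, the `depends_on` field used to express that one step is reachable with the credential of another (the e-mailed-code case in the FAQ), and the three constructed scenarios are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Factor categories as listed in PCI DSS Requirement 8.2.
KNOW = "something you know"
HAVE = "something you have"
ARE = "something you are"


@dataclass(frozen=True)
class Mechanism:
    """One authentication step in the chain (hypothetical model)."""
    name: str
    factor: str                       # KNOW, HAVE or ARE
    # Name of another mechanism whose credential also grants access to this
    # one, e.g. the password that protects the mailbox an OTP is mailed to.
    # None means the step cannot be reached through another listed step.
    depends_on: Optional[str] = None


def evaluate_mfa(chain: List[Mechanism]) -> Tuple[bool, List[str]]:
    """Apply the FAQ's two conditions and return (is_mfa, reasons_it_fails)."""
    reasons: List[str] = []

    # Condition 1: at least two distinct factor categories across the chain.
    categories = {m.factor for m in chain}
    if len(categories) < 2:
        reasons.append(
            "only one factor category is used ("
            + ", ".join(sorted(categories)) + "); two-step is not two-factor"
        )

    # Condition 2: no step may be gated by the credential of another step.
    names = {m.name for m in chain}
    for m in chain:
        if m.depends_on is not None and m.depends_on in names:
            reasons.append(
                f"'{m.name}' is not independent: access to it depends on "
                f"'{m.depends_on}'"
            )

    return (not reasons), reasons


# Constructed scenarios for the check (not from the FAQ text).
PASSWORD_PLUS_TOKEN = [
    Mechanism("password", KNOW),
    Mechanism("hardware token", HAVE),
]

PASSWORD_PLUS_QUESTION = [
    Mechanism("password", KNOW),
    Mechanism("security question", KNOW),
]

# The mailbox receiving the code is opened with the same password used to
# log in, which is the dependency the FAQ's example describes.
PASSWORD_PLUS_EMAIL_CODE = [
    Mechanism("password", KNOW),
    Mechanism("emailed code", HAVE, depends_on="password"),
]


if __name__ == "__main__":
    for label, chain in [("password + token", PASSWORD_PLUS_TOKEN),
                         ("password + question", PASSWORD_PLUS_QUESTION),
                         ("password + emailed code", PASSWORD_PLUS_EMAIL_CODE)]:
        ok, why = evaluate_mfa(chain)
        print(f"{label}: {'multi-factor' if ok else 'NOT multi-factor'}")
        for r in why:
            print("  -", r)
```

Only the password-plus-hardware-token chain passes; the other two are rejected for different reasons, which is the distinction the FAQ draws. The `depends_on` edge is the part worth arguing about in a real review: mark it whenever the credential from an earlier step is sufficient to obtain or trigger the later one, and the check will flag the chain as a single factor in disguise.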

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.