On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
SSH password + key file is accepted as two factor by PCI DSS auditors, so yes it is in fact two factor.
They also accept NAT as "security". If anything, PCI DSS is yet another example of a money grab masquerading as security theater (not even real security). I remember seeing a story a while ago that stated that of companies hit by a data breach on a system that was inside their PCI scope, something insane like 98% or 99% were in 100% full PCI compliance at the time of the breach. The only conclusion to be drawn is that the PCI set of checkboxes are missing a lot of really crucial things for real security. (And let's not forget the competence level of the average PCI auditor, as the ones I've encountered have all been very nice people, but more suited to checking boxes based on buzzwords than actual in-deopth security analysis). So excuse me for not taking "is accepted by PCI auditors" as grounds for a claim of strong actual security.