Split Knowledge and Dual Authorization are two refinements of Separation of Duties that break a sensitive task into pieces so that no single person can complete it alone. They are most useful where one credential or key guards high-value company data or assets. Both techniques divide the identification, authentication, and authorization steps among two or more employees. In Split Knowledge, each employee holds only a component of the credential needed to reach a resource. In the simplest arrangement one employee is given the service account username and another the password; the stronger form gives each custodian a component of the password or key itself, generated so that no component alone reveals anything about the whole (random components combined by XOR, for example, rather than the literal first and second halves of a password, since a literal half leaks half the secret). Neither employee is told the other's component. When work needs to be done on the resource, each employee enters their component into the system in turn, out of the other's view, and the system combines them. For even more assurance, a third employee can hold a second authentication factor, such as a smart card, that is also required.
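The following is an added example, not code from the original page. It shows the difference between the weak form of Split Knowledge (each custodian holds a literal half of the credential) and the stronger form (each custodian holds a random component, and only the XOR of all components yields the secret). The sample secret, the function names and the truncated-hash check value are constructed for illustration.

```python
import hashlib
import secrets


def split_secret(secret: bytes, parties: int = 2) -> list[bytes]:
    """Split `secret` into `parties` components of equal length.

    The first parties-1 components are uniformly random; the last is chosen
    so that XORing all of them together yields the secret. Any collection
    missing even one component is itself uniformly random, so a custodian
    learns nothing about the whole from the piece they hold.
    """
    if parties < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(secret)) for _ in range(parties - 1)]
    last = bytes(secret)
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    components.append(last)
    return components


def combine_components(components: list[bytes]) -> bytes:
    """XOR every component together. Correct only when all of them are
    present; with any missing, the result is indistinguishable from random."""
    if not components:
        raise ValueError("no components supplied")
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must all be the same length")
    out = bytes(len(components[0]))
    for c in components:
        out = bytes(a ^ b for a, b in zip(out, c))
    return out


def key_check_value(secret: bytes) -> str:
    """Short fingerprint an operator can compare after reconstruction to
    confirm the right value was rebuilt, without displaying the secret.
    A truncated SHA-256 is an illustrative stand-in (assumption); real key
    ceremonies compute check values per their HSM or standard."""
    return hashlib.sha256(secret).hexdigest()[:6]


def naive_halves(secret: bytes) -> list[bytes]:
    """The weak form: each custodian holds a literal half of the credential.
    Either half alone leaks half the secret outright."""
    mid = len(secret) // 2
    return [secret[:mid], secret[mid:]]


def ceremony(secret: bytes, parties: int = 2) -> dict:
    """Walk through a split and a reconstruction and record what a single
    custodian, or all but one custodian, could learn."""
    components = split_secret(secret, parties)
    kcv = key_check_value(secret)
    rebuilt = combine_components(components)
    # One custodian absent: combining the rest yields random bytes.
    partial = combine_components(components[:-1])
    halves = naive_halves(secret)
    return {
        "reconstructed_ok": rebuilt == secret and key_check_value(rebuilt) == kcv,
        "partial_matches_secret": partial == secret,
        "xor_component_is_substring": any(c in secret for c in components),
        "naive_half_is_substring": all(h in secret for h in halves),
    }


if __name__ == "__main__":
    sample = b"correct horse battery staple 2024!"  # constructed sample secret
    print(ceremony(sample, parties=2))
    print(ceremony(sample, parties=3))
```

Each XOR component is as long as the secret itself, which is the price of the property that an attacker holding one component gains nothing; the naive split saves nothing and gives each custodian half the answer.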
Dual Authorization (also called dual control or the two-person rule) is similar, but divides the authentication factors rather than the knowledge. Both employees know the account or resource being accessed, and each is issued a different authentication factor, preferably a physical or biometric one: one employee's smart card and the other's fingerprint, for example. When work needs to be done, both must be present at the same time and each supplies their factor; the system releases the action only when both factors check out and they come from two distinct, authorized people.
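The following is an added example, not code from the original page. It implements the Dual Authorization gate described above: an action is released only when two distinct authorized people, holding different factors, present valid authenticator output for that exact action within one time window. The approvers, the action name and the HMAC-based "presentment" are constructed for illustration; a real system would verify a smart-card signature or a biometric match where this code verifies an HMAC tag.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Approver:
    """One authorized person. `factor` names the authenticator they hold and
    `device_key` stands in for it (assumption: a real deployment verifies a
    smart-card or biometric assertion instead of an HMAC)."""
    user_id: str
    factor: str
    device_key: bytes


def presentment(approver: Approver, action: str, ts: int) -> bytes:
    """What an approver's authenticator hands to the system: a tag binding this
    person, their factor, the exact action and the time, so a tag captured for
    one action cannot be reused for another or outside the time window."""
    msg = f"{approver.user_id}|{approver.factor}|{action}|{ts}".encode()
    return hmac.new(approver.device_key, msg, hashlib.sha256).digest()


class DualAuthorizationGate:
    """Releases an action only when two distinct authorized people, holding
    different factors, present valid tags for it within the same window."""

    def __init__(self, approvers, window_seconds: int = 60, distinct_factors: bool = True):
        self.approvers = {a.user_id: a for a in approvers}
        self.window = window_seconds
        self.distinct_factors = distinct_factors

    def authorize(self, action: str, submissions, now: int) -> tuple[bool, str]:
        """submissions: iterable of (user_id, ts, tag). Returns (decision, reason)."""
        seen_users: set = set()
        seen_factors: set = set()
        for user_id, ts, tag in submissions:
            approver = self.approvers.get(user_id)
            if approver is None:
                return False, f"{user_id} is not an authorized approver"
            if abs(now - ts) > self.window:
                return False, f"{user_id}: presentment outside the {self.window}s window"
            if not hmac.compare_digest(presentment(approver, action, ts), tag):
                return False, f"{user_id}: authenticator check failed"
            if user_id in seen_users:
                return False, f"{user_id} cannot supply both halves of the approval"
            if self.distinct_factors and approver.factor in seen_factors:
                return False, f"second approver must hold a different factor than {approver.factor}"
            seen_users.add(user_id)
            seen_factors.add(approver.factor)
        if len(seen_users) < 2:
            return False, "two approvers required"
        return True, "approved by " + " and ".join(sorted(seen_users))


def demo() -> dict:
    """Run the gate over the cases the text raises, using constructed approvers."""
    alice = Approver("alice", "smart_card", secrets.token_bytes(32))
    bob = Approver("bob", "fingerprint", secrets.token_bytes(32))
    gate = DualAuthorizationGate([alice, bob])
    now = 1_700_000_000
    action = "rotate-credential:svc-payments-prod"  # constructed action name

    def sub(a: Approver, ts: int = now, act: str = action):
        return (a.user_id, ts, presentment(a, act, ts))

    # Alice's device output submitted under Bob's name.
    forged = (bob.user_id, now, presentment(alice, action, now))
    return {
        "two_distinct": gate.authorize(action, [sub(alice), sub(bob)], now),
        "single": gate.authorize(action, [sub(alice)], now),
        "same_person_twice": gate.authorize(action, [sub(alice), sub(alice)], now),
        "stale": gate.authorize(action, [sub(alice), sub(bob, ts=now - 600)], now),
        "forged": gate.authorize(action, [sub(alice), forged], now),
        "wrong_action": gate.authorize(action, [sub(alice), sub(bob, act="delete-database")], now),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18} {'ALLOW' if ok else 'DENY':5} {why}")
```

The same-person-twice and stale checks are what make this dual control rather than merely two-factor: one employee who has stolen a colleague's card still fails, because the gate insists on two distinct identities presenting at the same time.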
Both techniques add a worthwhile layer of defense, but neither is immune to compromise. The obvious weakness is collusion: if the two employees agree to misuse the resource together, separating the knowledge or the factors between them achieves nothing, since both pieces are now controlled by a single conspiring party. It is therefore important to log and regularly review every action taken on the protected resource, and to pair these controls with others such as job rotation and mandatory vacations, which make a long-running collusion harder to sustain and easier to detect.
