TF-OpenSpace – Session 2, room 7. 16 October 2013.
Led by: Joost van Dijk (SURFnet) and Jaime Perez Crespo (UNINETT)
Notes: Brook Schofield
- What service would we like to protect with 2-factor authentication?
- Is it valuable by itself? Without LoAs?
- How to support SPs not supporting AuthnContexts?
SURFconext has a wide variety of IdPs -> This gateway model is useful for that range of IdPs and the Services they want to interact with.
Use Cases:
- Research Infrastructure within eduGAIN (Virtual Organisations)
- Payroll -> External Service (outsourcing) which makes institutional IDs and Phishing more attractive.
- Institutional requirements to have select services NOT use just the institutional IdP
- IGTF have an in-person ID vetting process. A compatible version would be useful to a broader audience (TCS Personal/eScience)
- Medical Datasets have identified ID vetting requirements but not higher authentication levels
Guest IdP + ID Vetting => This is useful to give "same" assurance as institutional services.
SURFnet are exploring the "market" for vetting solutions that will scale (in addition to institutional vetting processes).
- Lots of partners possible.
- Need to look outside NL with wider groups.
- Ensure that vetting process is equivalent/compatible.
Verizon have a process to support LoA3 (supported by USA gov't) and may commercialise.
AuthN enhancement vs Identity LoA.
3 dimensional problem: ID Proof; AuthnContext; Attribute Assurance (covered by a different openspace topic).
There could be value in separating ID Proof and AuthnContext with regard to "the service".
Usability for 2 factor?
USA Institutions have developed Per User Opt-In
When do you need to reauth? (every login, 2 times per day, every 2 days, etc).
User can control some aspects of on/off.
Automatically off on devices that cannot support the 2 factor options deployed.
Delegated workflow to support an authoritative person allowing you to bypass 2-factor (in the case of misplacing the device); the other person becomes the 2nd factor.
Identity Proofing LoA | AuthnContext LoA | SuaaS
4                     | 4                |
4                     | 3, 2 & 1         |
3, 2 & 1              | *                |
The OASIS Authn Context List is extensive:
Do Shibboleth and/or simpleSAMLphp support this?
Deployments seem to be using "Password" when 3.4.9 PasswordProtectedTransport would be more appropriate for HTTPS dialogues.
Multi-Context AuthN -> IdP 2.3 extension with a 2013 release date:
Duo/SafeNet provide Shibboleth Extensions (deployment size unknown).
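As an added illustration of the AuthnContext point above (not code from the session or from any of the products named), the following SP-side check reads the AuthnContextClassRef out of a SAML assertion and compares it against the class the service requires. The ranking of classes in RANK, the constructed sample assertion and the idp.example.org issuer are assumptions; a real SP would run this only after its SAML library has verified the signature and Conditions.

```python
import xml.etree.ElementTree as ET

AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed ranking of the context classes this SP understands, weakest first.
# Password (spec section 3.4.8) sits below PasswordProtectedTransport (3.4.9);
# the two-factor classes are placed above both. Unlisted classes are unknown.
RANK = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "MobileTwoFactorContract": 3,
    AC + "TimeSyncToken": 3,
}


def sample_assertion(class_ref):
    """Constructed (unsigned) assertion carrying one AuthnContextClassRef."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2013-10-16T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2013-10-16T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def asserted_context(assertion_xml):
    """Return the AuthnContextClassRef of the first AuthnStatement, or None."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/"
                    "saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None and ref.text else None


def meets_requirement(assertion_xml, required):
    """True if the asserted class ranks at least as high as `required`.

    An absent or unknown class never satisfies a requirement: an IdP that
    does not emit AuthnContext cannot be assumed to have stepped the user up.
    """
    asserted = asserted_context(assertion_xml)
    if asserted is None or asserted not in RANK or required not in RANK:
        return False
    return RANK[asserted] >= RANK[required]
```

With the sample above, an assertion carrying only "Password" is rejected by a service that requires PasswordProtectedTransport, while a TimeSyncToken assertion satisfies it.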
[ACTION] Fork SuaaS to support the wider community.
[ACTION] Perfect Paper Passwords (PPP) as an OTP option.