TF-OpenSpace – Session 2, room 7.   16 October 2013. 

Led by: Joost van Dijk (SURFnet) and Jaime Perez Crespo (UNINETT)

Attendees:

Notes: Brook Schofield

Problem:

  1. What service would we like to protect with 2-factor authentication?
  2. Is it valuable by itself? Without LoAs?
  3. How to support SPs not supporting AuthnContexts?


Services

SURFconext has a wide variety of IdPs -> the gateway (hub) model is useful for that range of IdPs and the services they want to interact with, since step-up can be added once at the hub rather than per IdP.

Use Cases:

  • Research Infrastructure within eduGAIN (Virtual Organisations)
  • Payroll -> external (outsourced) service, which makes institutional IDs a more attractive phishing target.
  • Institutional requirements that selected services NOT rely on the institutional IdP (password login) alone.
  • IGTF have an in-person ID vetting process. A compatible version would be useful to a broader audience (TCS Personal/eScience)
  • Medical Datasets have identified ID vetting requirements but not higher authentication levels
  • Guest IdP + ID Vetting => This is useful to give "same" assurance as institutional services.


SURFnet are exploring the "market" for vetting solutions that will scale (in addition to institutional vetting processes).

  • Lots of partners possible.
  • Need to look outside NL with wider groups.
  • Ensure that the vetting processes are equivalent/compatible.


Verizon have a process to support LoA3 (supported by USA gov't) and may commercialise.


LoA

AuthN enhancement vs identity LoA.

3-dimensional problem: ID proofing; AuthnContext (authentication strength); attribute assurance (covered by a different OpenSpace topic).

There could be value in separating ID proofing from AuthnContext when expressing assurance to "the service".


Usability for 2 factor?

  • USA Institutions have developed Per User Opt-In

  • When do you need to reauth? (every login, 2 times per day, every 2 days, etc).

  • User can control some aspects of on/off.

  • Automatically off on devices that cannot support the 2 factor options deployed.

  • Delegated workflow: an authoritative person can allow you to bypass 2-factor (e.g. after misplacing the device); that person then acts as the 2nd factor.


Identity Proofing LoA | AuthnContext LoA | SuaaS
----------------------|------------------|----------------------
4                     | 4                | (warning) Not yet
4                     | 3, 2 & 1         | (tick) Yes
3, 2 & 1*             |                  | (warning) Not planned


AuthnContext

The OASIS Authn Context List is extensive: http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

Do Shibboleth and/or simpleSAMLphp support this?

Deployments seem to assert urn:oasis:names:tc:SAML:2.0:ac:classes:Password when PasswordProtectedTransport (section 3.4.9) would be more appropriate for a password login over HTTPS; the SP can only act on what the IdP asserts, so the class should describe what actually happened.
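As an added example (not code from the session, SURFnet, Shibboleth or simpleSAMLphp), the check an SP, or a step-up gateway acting for SPs that cannot evaluate AuthnContext themselves (problem 3 above), would run on an assertion: it reads the AuthnContextClassRef and AuthnInstant, compares them with a required minimum class and a re-authentication interval (the "when do you need to reauth?" question above), and builds the RequestedAuthnContext for the step-up request. The ranking of classes, the 8-hour interval and the sample assertions are assumptions; the OASIS list defines the classes but no ordering.

```python
"""Evaluate a SAML 2.0 AuthnStatement against a step-up policy.

Added example, not code from the session, SURFnet, Shibboleth or
simpleSAMLphp. The ranking of context classes is a local policy assumption
(the OASIS spec defines classes, not an ordering) and the assertions are
constructed sample data. Validate the signature before trusting any of it.
"""
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Local policy, weakest to strongest. Password (3.4.8) says nothing about
# the channel; PasswordProtectedTransport (3.4.9) asserts the password
# crossed a protected channel such as HTTPS, so it ranks higher.
CLASS_RANK = {
    AC + "Password": 1,
    AC + "PasswordProtectedTransport": 2,
    AC + "TimeSyncToken": 3,
    AC + "MobileTwoFactorContract": 3,
}


def at(iso_utc):
    """Parse an xs:dateTime such as 2013-10-16T09:00:00Z (aware datetime)."""
    # fromisoformat() accepts a trailing 'Z' only from Python 3.11 on.
    when = datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return when


def parse_authn_statement(assertion_xml):
    """Return (AuthnContextClassRef, AuthnInstant) from an assertion."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    ref = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or not (ref.text or "").strip():
        raise ValueError("AuthnStatement carries no AuthnContextClassRef")
    instant = stmt.get("AuthnInstant")
    if instant is None:
        raise ValueError("AuthnStatement carries no AuthnInstant")
    return ref.text.strip(), at(instant)


def evaluate(assertion_xml, required_class, max_age_seconds, now):
    """Decide what to do with a login: 'accept', 'step-up' (context weaker
    than required), 'reauth' (strong enough but older than max_age_seconds)
    or 'reject' (class unknown to the policy: fail closed)."""
    cls, when = parse_authn_statement(assertion_xml)
    rank = CLASS_RANK.get(cls)
    if rank is None:
        return "reject"
    if rank < CLASS_RANK[required_class]:
        return "step-up"
    if (now - when).total_seconds() > max_age_seconds:
        return "reauth"
    return "accept"


def acceptable_classes(required_class):
    """All classes the policy rates at least as strong as required_class."""
    floor = CLASS_RANK[required_class]
    return sorted(c for c, r in CLASS_RANK.items() if r >= floor)


def requested_authn_context(required_class):
    """RequestedAuthnContext for the step-up AuthnRequest. An explicit list
    with Comparison="exact" is used instead of Comparison="minimum", since
    'minimum' leaves the ordering of classes to the IdP, which need not
    share this policy's ranking."""
    refs = "".join(f"<saml:AuthnContextClassRef>{c}</saml:AuthnContextClassRef>"
                   for c in acceptable_classes(required_class))
    return (f'<samlp:RequestedAuthnContext xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}" Comparison="exact">{refs}'
            '</samlp:RequestedAuthnContext>')


def sample_assertion(class_ref, instant):
    """Constructed, unsigned assertion for demonstration only."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1"
    Version="2.0" IssueInstant="{instant}">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="{instant}" SessionIndex="_s1">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


PASSWORD_ASSERTION = sample_assertion(AC + "Password", "2013-10-16T09:00:00Z")
OTP_ASSERTION = sample_assertion(AC + "TimeSyncToken", "2013-10-16T09:00:00Z")
```

With the policy requiring PasswordProtectedTransport, `evaluate(PASSWORD_ASSERTION, AC + "PasswordProtectedTransport", 8 * 3600, at("2013-10-16T10:00:00Z"))` returns "step-up" and the same call on OTP_ASSERTION returns "accept"; two days later the OTP login returns "reauth". A class the policy does not know is rejected rather than treated as the weakest level, and the gateway, not the IdP, decides which classes count as "at least" the required one.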

Multi-Context AuthN -> IdP 2.3 extension with a 2013 release date: https://wiki.shibboleth.net/confluence/display/SHIB2/Multi-Context+Broker

Duo/SafeNet provide Shibboleth extensions (deployment size unknown).


[ACTION] Fork SuaaS to support the wider community.

[ACTION] Perfect Paper Passwords (PPP) as an OTP option.
