TF-OpenSpace – Session 2, room 7.   16 October 2013. 

Lead by: Joost van Dijk (SURFnet) and Jaime Perez Crespo (UNINETT)

Attendees:

Notes: Brook Schofield

Problem:

1. What service would we like to protect with 2-factor authentication?
2. Is it valuable by itself? Without LoAs?
3. How to support SPs not supporting AuthnContexts?

Services

SURFconext has a big variability of IdPs -> This gateway model is useful for that range of IdPs and the Services they want to interact with.

Use Cases:

• Research Infrastructure within eduGAIN (Virtual Organisations)
• Payroll -> External Service (outsourcing) which makes institutional IDs and Phishing more attractive.
• Institutional requirements to have select services NOT use just the institutional IdP
• IGTF have an in-person ID vetting process. A compatible version would be useful to a broader audience (TCS Personal/eScience)
• Medical Datasets have identified ID vetting requirements but not higher authentication levels

• Guest IdP + ID Vetting => This is useful to give "same" assurance as institutional services.

SURFnet are exploring the "market" for vetting solutions that will scale (in addition to institutional vetting processes).

• Lots of partners possible.
• Need to look outside NL with wider groups.
• Ensure that vetting process is equivalent/compatible.

Verizon have a process to support LoA3 (supported by USA gov't) and may commercialise.

LoA

AuthN enhancement vs Identity LoA.

3 dimentional problem: ID Proof; AuthnContext; Attribute Assurance (covered by a different openspace topic).

Could be value in separated ID Proof + AuthnContext with regards to "the service".

Usability for 2 factor?

• USA Institutions have developed Per User Opt-In

• When do you need to reauth? (every login, 2 times per day, every 2 days, etc).

• User can control some aspects of on/off.

• Automatically off on devices that cannot support the 2 factor options deployed.

• Delegated workflow to support an authoritive person to allow you to bypass 2-factor (in the case of misplacing the device) the other person becomes the 2nd factor.

Identity Proofing LoA	AuthnContext LoA	SuaaS
4	4	Not Yet
4	3, 2 & 1	Yes
3, 2 & 1	*	Not planned

AuthnContext

The OASIS Authn Context List is extensive: http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

Does Shibboleth and/or simpleSAMLphp support for this stuff?

Seem to be using "Password" when 3.4.9 PasswordProtectedTransport would be more appropriate for HTTPS dialogues.

Multi-Context AuthN -> IdP 2.3 extension with a 2013 release date: https://wiki.shibboleth.net/confluence/display/SHIB2/Multi-Context+Broker

Duo/SafeNet provide Shibboleth Extennions (deployment size unknown).

Actions

Fork SuaaS it support the wider community.

Perfect Paper Passwords (PPP) as an OTP option.