Assurance

[David Walker <>]

I think there are two issues here:

• First, is the existing authentication service good enough for Silver?
• Second, if the answer to the first question is no, what should be done?

I think for many institutions that the answer to the first question would be something like "Well, it would be, but we have a number of the issues Nick mentioned."  That brings us to the second question.

Adding a second factor is one way to address the second question, particularly if you're already using second-factor technology.  If you're not already using that second authentication technology, though, it can be expensive.

I suggest considering cloning your existing username/password technology, probably with the same usernames but different passwords, managing it in a way that makes you feel comfortable with its Silver-ness.  I recognize that many institutions want to implement 2-factor authentication anyway, and that's fine, but the requirements for federal LoA-2 (and, therefore, Silver) are satisfied without it, so this could be a less expansive path for many institutions.

David Walker

On Wed, 2012-03-14 at 17:16 +0000, Roy, Nicholas S wrote:
>     A question I have is what kind of authentication services are schools running who feel that they can use passwords to achieve Silver?  Specifically, what is your central source of authentication?  What will end up providing the verifier role to your Silver-compliant IdP?  What kind of clients of this service do you have (ERPs, *.webapp, workstations (Windows, OS X, Linux, other?), printers, file servers, network appliances, etc.)  How tightly controlled is access to the service?  What kinds of authentication endpoints are available (LDAP, LDAPS, Kerberos, RADIUS, web services, etc.) how are those endpoints protected and from what network scope can clients connect to them (only on-campus, off campus, only via a VPN, other?)  Do you provision passwords to other authentication services that aren't your central provider?  How do you plan to assess and/or enforce client behavior (for example, use of SSL for web forms that validate passwords against your authentication service), or do you consider that out of scope?
>     
>     I'm not saying you can't use passwords to achieve Silver, but the project complexity seems pretty high in a big, heterogeneous campus environment.
>     
>     Nick
>     
>     -----Original Message-----
>     From:  [] On Behalf Of Steven Carmody
>     Sent: Tuesday, March 13, 2012 11:48 AM
>     To: 
>     Subject: [Assurance] silver and two-factor ...
>     
>     I'm wondering why so many sites that are interested in Silver are so 
>     interested in two-factor....
>     
>     I haven't looked at the Silver profile in a long time. But, my memory is 
>     that strong passwords, stored sufficiently securely, and not replicated 
>     into uncontrolled environments (eg google), would pass muster with 
>     Silver. I'm assuming, of course, that the other Silver criteria (eg 
>     around identity proofing, account claiming, etc) would also be met.
>     
>     I can imagine that there may be issues with those passwords passing 
>     through a variety of systems (eg systems that are then authenticating 
>     users against a central ldap, for instance). But, that's just a guess -- 
>     I would be interested in hearing about specific concerns that are 
>     driving sites toward two-factor.
>     
>     Thanks for any light you can shine on this!