Assurance

[Tom Scavo <>]

> By configuring the IdP to use a 2-factor
> authentication handler when it provides authentication for a service
> which indicates that it needs it (via metadata), we have abstracted
> the complexity of dealing with 2-factor authentication away from the
> application- as long as it's a web app.

Agreed (in principle). Note that SPs do not indicate their desire for 2FA via 
metadata, however. They request it just-in-time via the AuthnRequest. The 
problem is that there is no agreed upon qualifier to signal such an exchange, 
so the SP doesn't know what to request and the IdP doesn't know what to 
assert.

I run an SP that *requires* 2FA, so I'm feeling the pain. I don't know if 
there are other such SPs. If there were significant numbers of such SPs, that 
might justify writing a specification that addresses this use case.

Tom