
assurance - RE: [Assurance] silver and two-factor ...

Subject: Assurance

  • From: "Jones, Mark B" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver and two-factor ...
  • Date: Fri, 16 Mar 2012 11:36:15 -0500
  • Accept-language: en-US

Tom,
You say you have an SP that requires two-factor authentication. I think we
need to begin talking in terms of level of assurance. The question is what
LoA does your SP require. For instance, I use a Google OTP for my Google
account but I assume the LoA of that authentication is still something less
than level 2. And if you are talking in terms of NIST 800-63, two-factor
might refer to levels 3 or 4. Does your SP require Level 3 authentication?

-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Friday, March 16, 2012 11:18 AM
To:
Subject: Re: [Assurance] silver and two-factor ...



> By configuring the IdP to use a 2-factor
> authentication handler when it provides authentication for a service
> which indicates that it needs it (via metadata), we have abstracted
> the complexity of dealing with 2-factor authentication away from the
> application- as long as it's a web app.

Agreed (in principle). Note that SPs do not indicate their desire for 2FA via
metadata, however. They request it just-in-time via the AuthnRequest. The
problem is that there is no agreed-upon qualifier to signal such an exchange,
so the SP doesn't know what to request and the IdP doesn't know what to
assert.

I run an SP that *requires* 2FA, so I'm feeling the pain. I don't know if
there are other such SPs. If there were significant numbers of such SPs, that
might justify writing a specification that addresses this use case.

Tom
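
An added example, not part of either message and not code from any participant: the just-in-time exchange described above, with the SP placing a requested authentication context in the AuthnRequest and then failing closed unless the assertion carries a class reference it accepts. `TWO_FACTOR_REF`, the issuer URL, the IDs and the sample assertions are constructed placeholders, since the thread's point is that no agreed value exists; signature validation and hardened XML parsing are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
REF_TAG = f"{{{SAML}}}AuthnContextClassRef"
# Hypothetical URI: SP and IdP would have to agree on this value out of band.
TWO_FACTOR_REF = "https://sp.example.org/ac/two-factor"
PASSWORD_REF = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def build_authn_request(request_id, issuer, class_ref):
    """SP side: ask for a specific authentication context at request time."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": "2012-03-16T16:18:00Z",  # constructed timestamp
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, REF_TAG).text = class_ref
    return ET.tostring(req, encoding="unicode")

def requested_class_refs(authn_request_xml):
    """IdP side: read which contexts the SP asked for."""
    root = ET.fromstring(authn_request_xml)
    return [e.text.strip() for e in root.iter(REF_TAG) if e.text]

def asserted_context_ok(assertion_xml, required_refs):
    """SP side, after signature validation: fail closed unless every
    AuthnStatement carries a class ref the SP accepts."""
    root = ET.fromstring(assertion_xml)
    statements = root.findall(f"{{{SAML}}}AuthnStatement")
    if not statements:
        return False  # no authentication statement at all
    for st in statements:
        ref = st.find(f"{{{SAML}}}AuthnContext/{REF_TAG}")
        if ref is None or (ref.text or "").strip() not in required_refs:
            return False  # missing, or a weaker/unknown context
    return True

def sample_assertion(class_ref):
    """Constructed, unsigned assertion used only for this demonstration."""
    a = ET.Element(f"{{{SAML}}}Assertion", {"ID": "_a1", "Version": "2.0"})
    if class_ref is not None:
        st = ET.SubElement(a, f"{{{SAML}}}AuthnStatement")
        ctx = ET.SubElement(st, f"{{{SAML}}}AuthnContext")
        ET.SubElement(ctx, REF_TAG).text = class_ref
    return ET.tostring(a, encoding="unicode")
```

An IdP that does not recognise the requested URI has nothing meaningful to assert, which is the gap the thread describes; the SP-side check rejects that case instead of accepting a password-only login.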


