Assurance

["Jones, Mark B" <>]

Can you elaborate on your need for strong authentication but not strong 
identity?

I suppose that is in a sense what Google is offering with its OTP.  I don't 
see that it gives Google any more confidence in who I am, but it gives me 
more confidence that as a user I will maintain control of my account.  But 
I'm not seeing why this might be required by a University run SP. 

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Scavo
Sent: Friday, March 16, 2012 11:36 AM
To: 

Subject: Re: [Assurance] silver and two-factor ...


> ...if we are going to develop a two-factor solution to use
> with federated applications it should not be the Silver Profile.

That's a given. Silver does not mandate 2FA and it never will. That's not the 
problem it was designed to solve.

> Adding two-factor to Silver comes too close (or perhaps all the
> way) to satisfying level 3.  If you want two factor let's just start
> talking about a Gold profile.

Yes and no. I agree we should start working on a Gold profile, but Gold is 
not the answer to all our problems. It doesn't meet the needs of my SP, for 
instance. I need strong authentication, but I don't need strong identity.

But I'm diverging from the original intent of this thread. Silver *can* 
leverage 2FA and clearly some IdPs are planning to take advantage of that. 
That's great.

Tom