RE: [Assurance] silver and two-factor ...
  • From: "Dunker, Mary" <>
  • To: "" <>
  • Subject: RE: [Assurance] silver and two-factor ...
  • Date: Fri, 16 Mar 2012 14:02:46 -0400
  • Accept-language: en-US

I think each institution needs to decide how best to meet the Silver
requirements with their technologies, which may or may not be oriented toward
traditional password-based systems. The IAP opens the door to 2-factor
implementations for Silver in IAP section 4.2.3, Credential Technology, which
states,

'These InCommon IAPs are based on use of “shared Authentication Secret” forms
of identity Credentials. If other Credentials are used to authenticate the
Subject to the IdP, they must meet or exceed the effect of these
requirements.'

So, 2-factor is certainly not required for Silver, but a solution that
corresponds to NIST LoA 3 or 4 should "meet or exceed the effect of these
requirements."

Further guidance is in IAP section 4.2.3.4, Stored Authentication Secrets,
which states under option 3,

'Any method protecting stored Secrets at NIST [SP 800-63] Level 3 or 4 may be
used.'

It seems reasonable that a service might also identify a need for 2-factor
that does not necessarily meet all the requirements for NIST LoA 3 or 4 (nor
Silver, for that matter). So I think the "Silver-ness" of an implementation
just needs to be presented and evaluated according to all the criteria in the
IAP.

Mary
-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327


--------------------------------------------------------------------


-----Original Message-----
From: [mailto:] On Behalf Of Jones, Mark B
Sent: Friday, March 16, 2012 10:25 AM
To:

Subject: RE: [Assurance] silver and two-factor ...

I agree. This is wonderful for federated applications. But I think the 'big
question' this thread has been dealing with is if institutions should do the
work to achieve Silver qualification with their existing password based
authentication infrastructure or try to build something completely separate
so that politics and user training are not as high a barrier.

The two strong opinions I have on this are:
One, that if we are going to develop a two-factor solution to use with
federated applications it should not be the Silver Profile. Adding
two-factor to Silver comes too close (or perhaps all the way) to satisfying
level 3. If you want two factor let's just start talking about a Gold
profile.
Two, I believe that all institutions have systems that can only use passwords
that should be using a level 2 authentication solution. This is work that
should be done regardless of the need for Silver qualification.

-----Original Message-----
From: [mailto:] On Behalf Of Roy, Nicholas S
Sent: Friday, March 16, 2012 8:35 AM
To:

Subject: RE: [Assurance] silver and two-factor ...

"But currently precious little is designed to accommodate two-factor
authentication of any kind."

I think that's the beauty of being able to do this in a federated
environment. By configuring the IdP to use a 2-factor authentication handler
when it provides authentication for a service which indicates that it needs
it (via metadata), we have abstracted the complexity of dealing with 2-factor
authentication away from the application, as long as it's a web app.

Nick
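
An added example of the IdP-side decision Nick describes above; it is not code from the thread or from any IdP product. It takes the SP's entityID, the AuthnContextClassRef values (if any) the SP put in its AuthnRequest, and the minimum strength the SP's metadata says it requires, and picks which authentication handler to run and which AuthnContextClassRef to assert back. The handler names and ranks, the two SP entityIDs, and the idea that the SP's requirement is read from an entity attribute in its metadata are assumptions of this example; the AuthnContextClassRef and status URIs are the standard SAML 2.0 values. The point it makes that the prose does not: the metadata requirement is applied after the request's wishes, so an application that never sends a RequestedAuthnContext, or sends a weak one, still gets the second factor, and an existing SSO session is reused only when it was created by a handler strong enough for this SP.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Standard SAML 2.0 authentication context classes and status codes.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TIME_SYNC_TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"


@dataclass(frozen=True)
class Handler:
    name: str      # hypothetical handler id inside this IdP
    context: str   # AuthnContextClassRef the handler is allowed to assert
    rank: int      # local strength ordering, an assumption of this example;
                   # SAML itself defines no ordering between classes


# Hypothetical handlers: password only, password + time-based OTP, password + certificate.
HANDLERS = (
    Handler("password", PASSWORD_PT, 1),
    Handler("password+otp", TIME_SYNC_TOKEN, 2),
    Handler("password+x509", X509, 3),
)

# Constructed SP metadata: entityID -> minimum handler rank the SP requires,
# as if read from an entity attribute in the SP's metadata. 0 = no requirement.
SP_METADATA = {
    "https://wiki.example.edu/shibboleth": 0,
    "https://hr.example.edu/shibboleth": 2,
}


@dataclass(frozen=True)
class Decision:
    handler: Optional[str]  # handler to run, or None when the request fails
    context: str            # AuthnContextClassRef to assert, or a status URI on failure
    prompt: bool            # False when the existing SSO session already satisfies the request


def _rank_of(context: str) -> Optional[int]:
    for h in HANDLERS:
        if h.context == context:
            return h.rank
    return None


def select_handler(entity_id: str, requested: Sequence[str] = (),
                   comparison: str = "exact", session_rank: int = 0) -> Decision:
    """Pick the handler for one AuthnRequest.

    entity_id    - SP entityID from the request's Issuer
    requested    - AuthnContextClassRef URIs from RequestedAuthnContext, if any
    comparison   - RequestedAuthnContext/@Comparison: "exact" (SAML default) or "minimum"
    session_rank - rank of the handler that created the user's current SSO session, 0 if none
    """
    if entity_id not in SP_METADATA:
        return Decision(None, REQUEST_DENIED, False)    # SP is not in our metadata feed
    required = SP_METADATA[entity_id]

    known = [r for r in (_rank_of(c) for c in requested) if r is not None]
    if requested and not known:
        return Decision(None, NO_AUTHN_CONTEXT, False)  # SP asked only for contexts we cannot assert

    if comparison == "exact":
        candidates = [h for h in HANDLERS if not known or h.rank in known]
    elif comparison == "minimum":
        floor = min(known) if known else 0
        candidates = [h for h in HANDLERS if h.rank >= floor]
    else:
        return Decision(None, NO_AUTHN_CONTEXT, False)  # "better"/"maximum" not handled here

    # The metadata requirement is enforced after the request's wishes, so a
    # missing or downgraded RequestedAuthnContext cannot talk the IdP out of
    # the second factor this SP has registered as mandatory.
    candidates = [h for h in candidates if h.rank >= required]
    if not candidates:
        return Decision(None, NO_AUTHN_CONTEXT, False)

    # Reuse the SSO session only if an acceptable handler created it;
    # otherwise step up with the weakest acceptable handler.
    for h in candidates:
        if h.rank == session_rank:
            return Decision(h.name, h.context, False)
    chosen = min(candidates, key=lambda h: h.rank)
    return Decision(chosen.name, chosen.context, True)
```

With these tables, the HR service gets the OTP handler even when its AuthnRequest carries no RequestedAuthnContext at all, a request that insists (Comparison="exact") on a password-only context for the HR service is refused with NoAuthnContext rather than silently downgraded, and a user who already authenticated with the certificate handler is not re-prompted for a service that asked for "at least" the OTP context.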

-----Original Message-----
From: [mailto:] On Behalf Of Jones, Mark B
Sent: Thursday, March 15, 2012 4:54 PM
To:

Subject: RE: [Assurance] silver and two-factor ...

I am a two-factor fanatic. I use the Google OTP. I have my Comodo cert on a
USB token and I love it. I wish I could use it to authenticate to
everything. But currently precious little is designed to accommodate
two-factor authentication of any kind.

The idealist in me is cheering you on (though I think you should be talking
about two-factor in relation to the development of a Gold profile), but the
realist in me has to acknowledge that even if the Silver Profile was changed
to accommodate a two-factor path to qualification (which I don't support) I
think there are barriers to actually making use of such credentials on any
meaningful scale. Cost of tokens, user education, modifying services to
accept two-factor,... perhaps others.

For us, my observation has been that IT Security, Legal, and Executive
support are critical. You have to look at the cost of security breaches due
to lax Identity Management in terms of loss of money, loss of data, and loss
of reputation. You also have to look at your ability to claim due diligence
with respect to Identity Management. Whether you qualify for Silver or not
you will still have services that handle sensitive data on campus that only
work with passwords.

Ask your skeptics how many front page news stories or lawsuits about security
breaches and data loss it will take to convince them that more security is a
good thing.



-----Original Message-----
From: [mailto:] On Behalf Of Tom Scavo
Sent: Thursday, March 15, 2012 4:00 PM
To:

Subject: Re: [Assurance] silver and two-factor ...



> I still need to make a case for any change that is seen as making
> access more difficult or generating more help desk calls.

I'm in exactly the same boat.

> To be fair to the
> skeptics at my institution, our help desks and other support points do
> routinely receive complaints about password complexity, password
> expiration, and vetting questions for self-service reset of forgotten
> passwords. So a clear and persuasive case has to be made for changes that
> improve the level of assurance and protection from identity theft that
> are perceived - rightly or wrongly - as creating unnecessary barriers
> to services.

That's precisely why you want to look at two-factor authentication IMO. In
the presence of 2FA, you can take a fresh look at those antiquated password
policies that seemed to make sense in a password-only environment, and trim
them back so that they produce *fewer* help desk calls.

Of course that assumes you choose an appropriate 2FA technology to begin
with, since the usability gains with respect to the password factor can
easily be offset by loss of usability due to the added second factor.
It's a balancing act, but it is doable, at least in some environments.

Tom