assurance - Re: [Assurance] dept's leveraging central authentication systems ....

  • From: Eric Goodman <>
  • To:
  • Subject: Re: [Assurance] dept's leveraging central authentication systems ....
  • Date: Mon, 20 Aug 2012 09:38:26 -0700

This is one of the reasons we went to two different passwords (one intended to be Silver compliant, one not). We don't have any non-web, publicly facing authentication protocols available for our proto-Silver password (i.e., firewalls restrict all those interfaces). And our policies state that use of the proto-Silver password requires approval -- with Shibboleth preferred, and proxy authentication requiring additional approvals.

That said, I've already seen cases where application developers have created apps that prompt users for passwords and then screen scrape logins against web applications that do have access, checking for "successful/unsuccessful login" messages on the authorized app. To me that's clearly inappropriate besides being our policies, but not all developers look at things the same way I do, and there's no good way to stop it technically if you don't know that it's happening.

--- Eric

On Mon, Aug 20, 2012 at 8:35 AM, Cantor, Scott <> wrote:
On 8/20/12 11:25 AM, "Ann West" <> wrote:
>
>Can you explain what "a policy against such apps" means? Do you mean "a
>policy against non-silver-compliant apps using silver credentials"?

Yes. Telling depts they can't just stand up password harvesting
front-ends. At most sites, that's unenforceable because if nothing else
you have email openly available as a password checker (though that's
changing somewhat with all the outsourcing of email I guess).

I'm very skeptical of such "don't ask, don't tell" approaches to all this,
and yes, that's one of my arguments here for two-factor as you said.

-- Scott




