
assurance - Re: [Assurance] example of login handler that conditionally supports 2FA

Subject: Assurance

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] example of login handler that conditionally supports 2FA
  • Date: Wed, 31 Oct 2012 14:30:26 +0000
  • Accept-language: en-US

On 10/31/12 10:25 AM, "Tom Scavo" <> wrote:

>I'm looking for an example of a Shibboleth login handler that supports
>two-factor authentication but doesn't strictly require it. In particular,
>if two-factor authentication fails (due to a service or network error),
>the handler falls back on password alone. So, for example, if the SP
>requests Silver, Bronze, or PasswordProtectedTransport (in that order),
>the IdP would fall back on password alone in the event it can't meet the
>Silver requirement due to a failure of the two-factor authentication
>system.

Mine's in the neighborhood, but I haven't done any work on supporting
multiple contexts at once, and I don't have separate UI for the different
back-ends, so it only prompts with a single form. Since the credentials
would be different, it would rely on the user to know that if SecurID
didn't work, he/she could try a password.

It does support not using the password back-ends if the TimeSyncToken
method is requested so it mostly does the right thing.

-- Scott
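
The fallback decision asked about in this thread, as an added sketch (not code from either poster and not Shibboleth's API): it falls back to a password-only context only when the token back-end fails with a service or network error, never when the token is rejected. The factor names, the `Outcome` enum, `select_context` and the context-to-factor mapping (Silver needs password plus token; Bronze and PasswordProtectedTransport need password only) are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    OK = "ok"              # back-end verified the credential
    REJECTED = "rejected"  # back-end reachable, credential was wrong
    ERROR = "error"        # service or network failure, nothing verified

SILVER = "Silver"
BRONZE = "Bronze"
PPT = "PasswordProtectedTransport"

# Assumed mapping for this sketch: factors that must verify for each context.
REQUIRES = {
    SILVER: {"password", "token"},
    BRONZE: {"password"},
    PPT: {"password"},
}

def select_context(requested, results):
    """Pick the first requested context the login can honestly assert.

    requested: context names in the SP's order of preference.
    results:   factor name -> Outcome for each back-end that was tried.
    Returns (context, reason), or (None, reason) when login must fail.
    """
    # A wrong token code is an authentication failure, not an outage.
    # Falling back here would let a password alone bypass the second factor.
    if Outcome.REJECTED in results.values():
        return None, "credential rejected"
    verified = {factor for factor, r in results.items() if r is Outcome.OK}
    for ctx in requested:
        needed = REQUIRES.get(ctx)
        if needed is not None and needed <= verified:
            # Assert only what was actually achieved, never the preferred
            # context when a weaker one is all the login satisfied.
            if ctx == requested[0]:
                return ctx, "preferred context met"
            return ctx, "fell back from " + requested[0]
    return None, "no requested context can be met"

if __name__ == "__main__":
    # Constructed case: token service is down, password verified.
    outage = {"password": Outcome.OK, "token": Outcome.ERROR}
    print(select_context([SILVER, BRONZE, PPT], outage))
```

An SP that lists only Silver gets a failed login during a token outage, which is what keeps the fallback from turning into a silent downgrade.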




