assurance - Re: [Assurance] silver, 2-factor, password requirements
- From: Tom Scavo
- Subject: Re: [Assurance] silver, 2-factor, password requirements
- Date: Tue, 27 Nov 2012 16:27:44 -0500 (EST)
> if our campus elects to have people authenticate with 2-factor in
> order for us to assert a Silver-compatible authentication ....
>
> and one of those factors is a password ....
>
> are there any requirements on strength, etc of that password ?
>
> ... if the password is just one of the two factors, do
> all of those requirements in the Silver profile still apply ?

Are you going to *require* the second factor for a successful authentication?
I'll assume the answer is no since authentication by password alone is still
good enough for a significant percentage of apps. In which case you want to
make sure the password is "good enough" to stand alone.

Our (non-Silver) use case is as follows. The SP asks for 2FA or
PasswordProtectedTransport, in that order. If the 2FA cloud service is down,
or the user does not have their mobile device, or there's some other issue
that prevents 2FA, the user can still authenticate with their password alone.
The app will inspect the AuthnContext returned from the IdP and adjust user
privileges accordingly.

So we will require the password itself to satisfy Bronze (more or less).

Tom
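
The exchange described in the message above, sketched as an added example that is not part of the original post or any project's code: the SP lists its preferred authentication context classes in order, then maps the class returned by the IdP to a privilege tier and fails closed on anything unexpected. The 2FA class URI, the tier names and the sample assertions are assumptions constructed for illustration, and the assertion is assumed to have been signature-verified by the SP software before this code sees it.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TWO_FACTOR = "https://idp.example.edu/ac/classes/2fa"  # hypothetical 2FA class URI

REQUESTED = [TWO_FACTOR, PPT]                      # SP preference, strongest first
PRIVILEGES = {TWO_FACTOR: "full", PPT: "limited"}  # hypothetical privilege tiers


def requested_authn_context(class_refs=REQUESTED):
    """Build the RequestedAuthnContext element carried in the SP's AuthnRequest."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return rac


def privilege_for(assertion_xml):
    """Map the AuthnContext of an already signature-verified assertion to a tier.

    Fails closed: a missing, repeated or unrecognised class ref yields "none".
    """
    root = ET.fromstring(assertion_xml)
    path = f".//{{{SAML}}}AuthnStatement/{{{SAML}}}AuthnContext/{{{SAML}}}AuthnContextClassRef"
    refs = [(e.text or "").strip() for e in root.findall(path)]
    if len(refs) != 1:
        return "none"
    return PRIVILEGES.get(refs[0], "none")


def sample_assertion(*class_refs):
    """Constructed, unsigned assertion skeleton for the demo (not real IdP output)."""
    stmts = "".join(
        f"<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{r}"
        "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        for r in class_refs)
    return f'<saml:Assertion xmlns:saml="{SAML}">{stmts}</saml:Assertion>'


if __name__ == "__main__":
    print(ET.tostring(requested_authn_context(), encoding="unicode"))
    for refs in ([TWO_FACTOR], [PPT], ["urn:example:unknown"], []):
        print(refs, "->", privilege_for(sample_assertion(*refs)))
```

Because the password-only path still yields a session, the "limited" tier is what a stolen password alone can reach, which is why the password has to stand on its own.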