Assurance

["Jones, Mark B" <>]

Are you saying that you consider this custom profile to be stronger 
authentication than Silver?

What NIST level would it map to?

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Tom Scavo
Sent: Wednesday, November 28, 2012 9:26 AM
To: 

Subject: Re: [Assurance] silver, 2-factor, password requirements

I was too vague yesterday. Let me try again.

The short answer is: the underlying password should be at least a Bronze 
password.

A primary reason for doing this is the flexibility it affords an SP. For 
example, an SP can request Silver, Bronze, and PasswordProtectedTransport, in 
that order. The SP will inspect the AuthnContext returned from the IdP and 
adjust user privileges accordingly.

The PasswordProtectedTransport AuthnContext at the end of the list is a 
placeholder. Eventually I think we need a custom AuthnContext URI that 
indicates compliance with a simple profile with some very basic requirements. 
These requirements might be outlined in a new IdP POP that is still in the 
discussion stages.

As an example, assume the IdP initially returns Bronze (since apparently the 
user or the IdP chose password-only authentication). Subsequently the user 
successfully accesses a number of resources at the SP that require no more 
than Bronze. Now suppose the user attempts to access a page that requires 
Silver. The SP sends the user back to the IdP, asking for Silver (and only 
Silver). The user is able to access the page if and only if the IdP returns 
Silver to the application.

The previous use case is optimized if the user is NOT asked to prove 
knowledge of the password a second time (unless of course the session has 
expired or some such thing). The login handler short circuits the password 
step and immediately initiates authentication with the second factor.

FWIW, we are refactoring the Federation Manager to work this way. At the top 
of pyramid is not Silver, however, but rather some custom profile that 
*requires* 2FA but does *not require* identity proofing.

Hope this helps,

Tom

----- Original Message -----
> 
> 
> > if our campus elects to have people authenticate with 2-factor in 
> > order for us to assert a Silver-compatible authentication ....
> > 
> > and one of those factors is a password ....
> > 
> > are there any requirements on strength, etc of that password ?
> > 
> > ... if the password is just one of the two factors, do all of those 
> > requirements in the Silver profile still apply ?
> 
> Are you going to *require* the second factor for a successful 
> authentication? I'll assume the answer is no since authentication by 
> password alone is still good enough for a significant percentage of 
> apps. In which case you want to make sure the password is "good 
> enough" to stand alone.
> 
> Our (non-Silver) use case is as follows. The SP asks for 2FA or 
> PasswordProtectedTransport, in that order. If the 2FA cloud service is 
> down, or the user does not have their mobile device, or there's some 
> other issue that prevents 2FA, the user can still authenticate with 
> their password alone. The app will inspect the AuthnContext returned 
> from the IdP and adjust user privileges accordingly.
> 
> So we will require the password itself to satisfy Bronze (more or 
> less).
> 
> Tom
>