assurance - Re: [Assurance] silver, 2-factor, password requirements
  • From: David Walker <>
  • To:
  • Subject: Re: [Assurance] silver, 2-factor, password requirements
  • Date: Wed, 28 Nov 2012 09:17:24 -0800

The answer really depends on the combination of factors you use, with the ultimate goal of comparable management of risk.  I agree with Tom Scavo that it is probably effective to make one of the factors Bronze compliant, but if you're only looking at Silver (LoA-2), then you're only concerned with the combination of the two factors.

In 800-63, for example, LoA-3 and LoA-4 don't require nearly as much password entropy for cryptographic tokens as for Bronze, as the token must be used in conjunction with the password.  Also, the IdPO doesn't hold the shared-secrets for those tokens, so many other requirements no longer apply.

David

On Tue, 2012-11-27 at 16:01 -0500, Steven Carmody wrote:
Hi,

if our campus elects to have people authenticate with 2-factor in order for us to assert a Silver-compatible authentication ....

and one of those factors is a password ....

are there any requirements on strength, etc of that password ?

If we wanted people to authenticate with just a password and be Silver-compliant, then the Silver profile contains lots of requirements about how that password is stored, access to the machine rooms with the KDC, etc. However, if the password is just one of the two factors, do all of those requirements in the Silver profile still apply?

I think I know the answer, but I thought I'd ask ..  ;-)
