Assurance

["Dunker, Mary" <>]

Without knowing more about the implementation, it is difficult to weigh in on 
the password question, but certainly a strong password is always good. :) The 
CIC schools' multi-factor working group thought at least one of the factors 
would need to meet all the Silver requirements. 

For further guidance, you may wish to look at the Multi-factor Considerations 
posted at 
https://spaces.internet2.edu/display/InCAssurance/Multi-factor+Considerations 
.

Best,
Mary 


-----------------------------------------------------------------
Mary Dunker
Director, Secure Enterprise Technology Initiatives
Virginia Tech Information Technology
1700 Pratt Drive
Blacksburg, VA 24060
540-231-9327

 
--------------------------------------------------------------------


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Steven Carmody
Sent: Tuesday, November 27, 2012 4:01 PM
To: 

Subject: [Assurance] silver, 2-factor, password requirements

Hi,

if our campus elects to have people authenticate with 2-factor in order for 
us to assert a Silver-compatible authentication ....

and one of those factors is a password ....

are there any requirements on strength, etc of that password ?

If we wanted people to authenticate with with just a password and be 
Silver-compliant, then the Silver profile contains lots of requirements about 
how that password is stored, access to the machine rooms with the KDC, etc. 
However, if the password is just one of the two factors, do all of those 
requirements in the Silver profile still apply ?

I think I know the answer, but I thought I'd ask ..  ;-)