Assurance

[David Bantz <>]

As a component of phased roll-out of 2-factor authentication, we’re 
envisioning enabling our users to opt in to use of two-factor authentication 
via our IdP.
That is, if “the paranoids” (as my CITO labeled us) set this flag, the IdP 
would consume an attribute from the enterprise directory and demand 2-factor 
authN
from anyone presenting my identifier.  (This would not of course interfere 
with individual SPs requesting 2-factor or other assurance levels.)  

I am soliciting advice for the (LDAP) directory attribute to convey this 
information.  This doesn’t perfectly match other use cases I’ve seen for 
eduPersonAssurance,
though the formal definition seems flexible enough to cover this use.  Would 
it be a good idea to use eduPersonAssurance to carry such an 2-factor opt in 
flag?

If a new attribute seems preferable, should be a very specific attribute with 
a simple yes/no value, or generalized to be able to represent 
yet-to-be-determined parallel uses?

Thanks for your reflection, and apologies if you receive duplicate requests 
from cross-posting.

David Bantz
U Alaska

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail