assurance - [Assurance] attribute to indicate 2-factor authN for principal

  • From: David Bantz <>
  • To: Shib Users <>, mace-dir <>,
  • Subject: [Assurance] attribute to indicate 2-factor authN for principal
  • Date: Tue, 26 Nov 2013 12:51:07 -0900

As a component of a phased roll-out of 2-factor authentication, we’re
envisioning enabling our users to opt in to use of two-factor authentication
via our IdP. That is, if “the paranoids” (as my CITO labeled us) set this
flag, the IdP would consume an attribute from the enterprise directory and
demand 2-factor authN from anyone presenting my identifier. (This would not,
of course, interfere with individual SPs requesting 2-factor or other
assurance levels.)

I am soliciting advice for the (LDAP) directory attribute to convey this
information. This doesn’t perfectly match other use cases I’ve seen for
eduPersonAssurance, though the formal definition seems flexible enough to
cover this use. Would it be a good idea to use eduPersonAssurance to carry
such a 2-factor opt-in flag?

If a new attribute seems preferable, should it be a very specific attribute
with a simple yes/no value, or generalized to be able to represent
yet-to-be-determined parallel uses?

Thanks for your reflection, and apologies if you receive duplicate requests
from cross-posting.

David Bantz
U Alaska
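
The opt-in policy described in the message above, sketched as an added example (not code from the original post or from any IdP software): the IdP reads a multi-valued directory attribute, treats the user's opt-in as a floor, still honors an SP's own request for 2-factor, and fails closed when the second factor is missing. The attribute name `eduPersonAssurance` comes from the post; the opt-in value, the 2-factor context identifier and all function names are hypothetical.

```python
# Added illustration of the opt-in decision; not part of the original message.
# OPT_IN_VALUE and MFA_CONTEXT are hypothetical placeholders, not registered URIs.
OPT_IN_VALUE = "https://idp.example.edu/assurance/2factor-opt-in"
MFA_CONTEXT = "https://idp.example.edu/ac/classes/two-factor"
PASSWORD_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"


def user_opted_in(entry):
    """True if the directory entry carries the opt-in value.

    LDAP attribute names are case-insensitive and eduPersonAssurance is
    multi-valued, so check every value under any case variant of the name.
    """
    for name, values in entry.items():
        if name.lower() == "edupersonassurance":
            if any(v.strip() == OPT_IN_VALUE for v in values):
                return True
    return False


def required_context(entry, sp_requested=()):
    """Return the authentication context the IdP must satisfy for this login.

    The opt-in can raise the requirement to 2-factor but never lowers
    what the SP asked for.
    """
    if MFA_CONTEXT in sp_requested or user_opted_in(entry):
        return MFA_CONTEXT
    return PASSWORD_CONTEXT


def enforce(entry, sp_requested, methods_completed):
    """Fail closed: refuse to proceed if the required factor was not completed."""
    needed = required_context(entry, sp_requested)
    if needed == MFA_CONTEXT and "second_factor" not in methods_completed:
        raise PermissionError("2-factor required but not completed")
    return needed


# Constructed sample directory entries (not real data).
OPTED_IN = {"uid": ["alice"], "eduPersonAssurance": ["urn:example:other", OPT_IN_VALUE]}
NOT_OPTED = {"uid": ["bob"], "EduPersonAssurance": ["urn:example:other"]}
```

Because the flag lives in the directory, whoever can write that attribute can switch a user's 2-factor requirement off, so write access to it deserves the same protection as the credential itself.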
