
Re: [Assurance] bootstrapping into 2-factor ....


  • From: Tom Scavo <>
  • Subject: Re: [Assurance] bootstrapping into 2-factor ....
  • Date: Thu, 29 May 2014 19:03:23 -0400

On Thu, May 29, 2014 at 4:09 PM, Steven Carmody wrote:
>
> We're in the process of evaluating, moving toward deploying two-factor for
> some applications. We'll probably end up TXTing a code to people's phones.

Is there some reason why you've settled on a telephony-based approach?
There are lots of reasons NOT to do that: cost, security, privacy,
usability, etc.

> It's now occurred to us that we should require stronger authN when someone
> wants to edit their mobile phone number.

Yes, account recovery is the "Achilles heel" of multifactor.

> We're wondering what other sites have done to bootstrap themselves into the
> situation where someone MUST have already entered a mobile phone number so
> they can edit their mobile number ...

This won't work for everyone but it works for us so I'll share it. We
don't use telephony for MFA. We reserve that capability for the
bootstrap process, which we call two-step identity verification:

https://spaces.internet2.edu/x/ywIwAg

It assumes knowledge of an email address and a phone number for all
users. No, the phone number does not have to be a mobile phone number,
and in fact, it's better if it isn't.

> what's the best practice to get someone started down this road?

I don't know if there is one.

Tom
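The policy sketched in the reply above, as an added example that is not part of the original message, the linked Internet2 wiki page, or Tom Scavo's deployment: a bootstrap that requires a one-time code on both an email address and a (not necessarily mobile) phone number before a second factor can be enrolled, and a gate that treats editing the recovery phone number as the sensitive operation, requiring either a fresh second-factor login or a repeat of the full two-step verification. The code lifetimes, attempt limit, step-up window, and all function and field names are assumptions for illustration; there is no mail or SMS gateway, so codes are returned to the caller for delivery.

```python
"""Enrollment-gating model for a two-step identity verification bootstrap.

Added example, not code from the Internet2 wiki page or from the list
message it follows. All windows, limits and names are assumed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL = 600         # assumed: a one-time code lives for 10 minutes
VERIFY_WINDOW = 600    # assumed: a completed channel check stays usable this long
MAX_ATTEMPTS = 5       # assumed: wrong guesses allowed before a code is revoked
STEP_UP_WINDOW = 300   # assumed: a second-factor login counts as "fresh" this long


def _now(now):
    return time.time() if now is None else now


def _digest(code):
    # Store only a hash of the code so a database read does not reveal it.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Challenge:
    digest: str
    expires: float
    attempts: int = 0


@dataclass
class Account:
    email: str
    phone: str                     # contact number; need not be the MFA device
    mfa_enrolled: bool = False
    last_second_factor: float = 0.0
    pending: dict = field(default_factory=dict)   # channel -> Challenge
    verified: dict = field(default_factory=dict)  # channel -> time verified


def issue_code(acct, channel, now=None):
    """Create a 6-digit code for 'email' or 'phone' and return it for delivery."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[channel] = Challenge(_digest(code), _now(now) + CODE_TTL)
    return code


def verify_code(acct, channel, code, now=None):
    """Check a submitted code: expired or over-tried codes are discarded,
    comparison is constant-time, and success marks the channel verified."""
    now = _now(now)
    ch = acct.pending.get(channel)
    if ch is None:
        return False
    if now > ch.expires:
        del acct.pending[channel]
        return False
    ch.attempts += 1
    if ch.attempts > MAX_ATTEMPTS:
        del acct.pending[channel]
        return False
    if not hmac.compare_digest(ch.digest, _digest(code)):
        return False
    del acct.pending[channel]
    acct.verified[channel] = now
    return True


def identity_verified(acct, now=None):
    """Two-step identity verification: both channels checked within the window."""
    now = _now(now)
    return all(now - acct.verified.get(c, float("-inf")) <= VERIFY_WINDOW
               for c in ("email", "phone"))


def record_second_factor(acct, now=None):
    """Called by the login flow after a successful second-factor authentication."""
    acct.last_second_factor = _now(now)


def recent_second_factor(acct, now=None):
    return acct.mfa_enrolled and _now(now) - acct.last_second_factor <= STEP_UP_WINDOW


def enroll_mfa(acct, now=None):
    """Bootstrap: a second factor may be enrolled only after both channels verify."""
    if not identity_verified(acct, now):
        raise PermissionError("complete email and phone verification first")
    acct.mfa_enrolled = True
    acct.verified.clear()          # a completed verification is single-use


def change_phone(acct, new_phone, now=None):
    """Editing the recovery contact is the sensitive step: require a fresh second
    factor, or the full two-step verification if the user cannot produce one."""
    if not (recent_second_factor(acct, now) or identity_verified(acct, now)):
        raise PermissionError("step-up authentication required")
    acct.phone = new_phone
    acct.verified.clear()
```

Two design choices carry the point of the thread: a completed two-step verification is consumed by the operation that uses it, so an attacker who phishes one pair of codes cannot both enroll a factor and then redirect the recovery number, and the phone used for bootstrap is modelled as a contact channel distinct from the MFA device, which is what lets a user who has lost the device still recover through it.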
