
mfa-interop - RE: [MFA-Interop] status of MFA Interop group

Subject: MFA Interop Working Group

  • From: Paul Caskey <>
  • To: Michael A Grady <>
  • Cc: "" <>
  • Subject: RE: [MFA-Interop] status of MFA Interop group
  • Date: Wed, 16 Dec 2015 03:01:11 +0000

Yep, good point.  These types of conversations are unavoidable and why I’ve been thinking from the beginning that we’ll end up with multiple profiles.

 

The premise I’m starting from is that, if an app says ‘I need 2-factor’, then the IdP needs to deliver that and not deliver something watered down like stronger auth, trusted devices, on-campus IP ranges, etc.

 

But, these profiles are, of course, community driven and will be defined by this group of folks.

 

But, if we don’t have at least one that offers unambiguous 2-factor, then folks will still have to define something themselves when that is, in fact, needed.

TTYL

 

 

From: Michael A Grady [mailto:]
Sent: Tuesday, December 15, 2015 8:41 PM
To: Paul Caskey <>
Cc:
Subject: Re: [MFA-Interop] status of MFA Interop group

 

Thanks. I'd been meaning to contact Jacob and ask him if he needed some help perhaps drafting a "stalking horse" document or two. But waiting till 2016 sounds good. :-)

 

But, while I'm thinking about it, I wanted to mention something I was thinking about the other day and that a question just now on the Shib Users list reminded me of. And that is the idea of having a variation on the authentication context required/satisfied based on truly forcing the user to do the 2nd factor, and not allowing "remember this device" or "trusted networks". Which might mean, for example, you'd need multiple app integrations with Duo from your IdP, one that allows activating features like "remember this device", and one that doesn't. Work we are doing for a client needing two distinct integrations with Duo (not based on those features, but Duo commercial vs Duo FISMA) spurred me to consider other reasons why you might want multiple integrations with the same 2nd Factor service.

 

On Dec 15, 2015, at 3:23 PM, Paul Caskey <> wrote:

 

Hello Everyone-

 

As you no doubt are aware, the work of the MFA Interop group has been stalled for a bit.

 

There are some folks involved with this group who just got swamped by excessive workload (and from the people who actually pay them! :-) ).

 

We intend to restart things after the first of the year, so please stay tuned!

 

Meanwhile, Happy Holidays to you all!

 

 

Thanks for your participation,

-Paul

 


--
Michael A. Grady
IAM Architect, Unicon, Inc.

 



