MFA Interop Working Group

[Fredrik Åslund <>]

On Thu, 28 Apr 2016, Eric Goodman wrote:

> Hi all,
> 
> I put some proposed changes in the Usage Guidance document based on our 
> conversation today. They are all entered as suggestions, so they are 
> clearly marked (and undoable):
> 
> 
> *         Added a section called "Types of Factors" that calls out that two 
> different passwords is not compliant with the profile.
> 
> *         Modified the language about factors that are accessible using 
> only the first factor per suggestions on the call.
> 
> o   Focus was on inserting the text: "is no more secure than the single 
> factor by itself" as an explanation of why it is not considered sufficient.
> 
Do not underestimate the other way around, for example a "second factor"
mobile phone, with "first factor" password stored in login forms in the 
web browser in the phone.
  
/Fredrik

> *         Same change made to the "reregistration" example.
> 
> *         Added text about SPs needing to validate returned 
> <AuthnContextClassRef> values in the "Considerations" section.
> 
> o   Scott, I did already take a stab to make it more strongly focus on 
> validating the values in responses, rather than focusing on "not trusting" 
> the request by itself, but of course feel free to further edit.
> 
> In the Base Level profile, I also suggested changes to remove the language 
> that the profile will "establish a base over which other profiles can be 
> defined".
> 
> --- Eric
> 

Fredrik Åslund
----------------------------------
System Administrator
IT-stöd och systemutveckling (ITS)
Umeå University
901 87 Umeå
Sweden
----------------------------------
Telefon: +46 (0)90 786 65 43
Mobil:   +46 (0)70 303 78 36
----------------------------------

www.its.umu.se