
mfa-interop - RE: [MFA-Interop] Changes based on conversation on today's call

Subject: MFA Interop Working Group

  • From: Fredrik Åslund <>
  • To: Eric Goodman <>
  • Cc: "" <>
  • Subject: RE: [MFA-Interop] Changes based on conversation on today's call
  • Date: Tue, 3 May 2016 10:50:58 +0200 (CEST)

On Fri, 29 Apr 2016, Eric Goodman wrote:

> >Do not underestimate the other way around, for example a "second factor"
> >mobile phone, with "first factor" password stored in login forms in the
> >web browser in the phone.
>
> FWIW, we address this point without solving it. In the next two bullets
> after the ones I referred to, we say:
>
> "Additionally, users can take actions that reduce the ability to treat
> otherwise independent factors as “independent”; for example, a user storing
> their software OTP generator on a network device accessible using just the
> “first factor” password.
>
> "The MFA profile does not enumerate specific requirements the institution
> must meet to protect against these forms of authentication dependence, but
> technical restrictions (where feasible) and user education are highly
> recommended to mitigate the risks of users deploying factors in a manner
> that decreases their independence."
>
> Does that more or less address your concerns?
>
I agree, it is not a problem to "solve" in this scope. This is a user
education task. I believe it highlights issues to be considered when
selecting second factors.

/Fredrik

> --- Eric
>

Fredrik Åslund
----------------------------------
System administrator
IT-stöd och systemutveckling (ITS)
Umeå universitet
901 87 Umeå
----------------------------------
Phone: +46 (0)90 786 65 43
Mobile: +46 (0)70 303 78 36
----------------------------------

www.its.umu.se

