MFA Interop Working Group

[Fredrik Åslund <>]

On Fri, 29 Apr 2016, Eric Goodman wrote:

> >Do not underestimate the other way around, for example a "second factor"
> >mobile phone, with "first factor" password stored in login forms in the 
> >web browser in the phone.
>   
> FWIW, we address this point without solving it. In the next two bullets 
> after the ones I referred to, we say:
> 
> "Additionally, users can take actions that reduce the ability to treat 
> otherwise independent factors as “independent”; for example, a user storing 
> their software OTP generator on a network device accessible using just the 
> “first factor” password. 
> 
> "The MFA profile does not enumerate specific requirements the institution 
> must meet to protect against these forms of authentication dependence, but 
> technical restrictions (where feasible) and user education are highly 
> recommended to mitigate the risks of users deploying factors in a manner 
> that decreases their independence."
> 
> Does that more or less addresses your concerns?
> 
I agree, it is not a problem to "solve" in this scope. This is a user 
education task. I believe it highlights issues to be considered when 
selecting second factors.

/Frerik

> --- Eric
> 

Fredrik Åslund
----------------------------------
Systemadministratör
IT-stöd och systemutveckling (ITS)
Umeå universitet
901 87 Umeå
----------------------------------
Telefon: +46 (0)90 786 65 43
Mobil:   +46 (0)70 303 78 36
----------------------------------

www.its.umu.se