
mfa-interop - RE: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile

Subject: MFA Interop Working Group

  • From: Eric Goodman <>
  • To: David Walker <>, "" <>
  • Subject: RE: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile
  • Date: Tue, 28 Feb 2017 22:40:51 +0000

This was my comment to the list:

It doesn’t literally *break* the InCommon use cases, but it does affect them.

I.e., without “Basic” you could still:

1) Request REFEDS MFA and a series of other acceptable methods as defined in OASIS docs (PPT, Kerberos, etc.).

a. The InCommon Guidance outlines what we thought was the most likely set of “alternative methods” that would work for most IdPs.

b. The IdP will respond with some acceptable method (if any are available). Note that Scott’s comment (that I copied directly into the doc) is that this may not *force* MFA enabled users to use MFA, due to the difficulty of strictly applying precedence of AuthnContexts in IdPs when authentication methods are chained (e.g., when Password needs to be done as a prerequisite of Duo 2FA).

2) Request REFEDS MFA and on failure re-request user authentication (or invert the order of operations).

a. The downside of this is it implies two roundtrips, and so is a little more complicated for the SP user. It could also be significantly uglier for the user (who may be asked to authenticate twice).

 

InCommon [I meant the workgroup, not the organization] also called out that unless there is clear (and accurate) signaling about which IdPs support the profiles, SPs have to be prepared to deal with IdPs that can’t support any of the profiles, which arguably means that the “Basic” profile is “nice” but not “must have”. That was the “con” in the discussion about defining a “basic” profile.

--- Eric
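The two SP-side strategies Eric lists (request REFEDS MFA alongside OASIS alternatives and branch on what the IdP actually asserted; or request REFEDS MFA alone and re-request on failure), as an added example that is not code from this thread or from the InCommon/REFEDS profile documents. It assumes the REFEDS MFA context identifier https://refeds.org/profile/mfa (the one published with the profile) and the OASIS PasswordProtectedTransport, Kerberos and NoAuthnContext URIs from SAML 2.0; the two Response documents are constructed here for illustration and are unsigned, so signature, audience and validity-window checks are assumed to have passed before any of this is trusted.

```python
"""Added example (not from the thread): SP-side handling of the two
strategies in the message above, using only the standard library.
The REFEDS MFA identifier is the one published with the profile; the
OASIS class and status URIs are from SAML 2.0. The sample Responses
below are constructed for illustration and are not signed."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

REFEDS_MFA = "https://refeds.org/profile/mfa"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def requested_authn_context(class_refs, comparison="exact"):
    """Serialize the <samlp:RequestedAuthnContext> an SP embeds in its
    AuthnRequest. Option 1 lists REFEDS MFA first, then the OASIS fallbacks;
    option 2 lists REFEDS MFA alone."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": comparison})
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = ref
    return ET.tostring(rac, encoding="unicode")


def parse_response(response_xml):
    """Return (status code values, asserted AuthnContextClassRef values).
    Parsing only: the Response/Assertion signature, audience and validity
    window must already have been checked before anything here is trusted."""
    root = ET.fromstring(response_xml)
    status = root.find("samlp:Status", NS)
    codes = [] if status is None else [
        sc.get("Value") for sc in status.iter(f"{{{SAMLP}}}StatusCode")]
    refs = [el.text.strip() for el in root.iterfind(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
        if el.text]
    return codes, refs


def classify_option1(refs, acceptable=(PPT, KERBEROS)):
    """Option 1: MFA was requested alongside alternatives, so the SP must
    branch on what the IdP actually asserted, never on what it asked for
    (an IdP may not force MFA-enrolled users through MFA)."""
    if REFEDS_MFA in refs:
        return "mfa"
    if any(r in acceptable for r in refs):
        return "password-only"
    return "reject"


def next_request_option2(codes, attempt):
    """Option 2: the first trip asks for REFEDS MFA alone. If the IdP answers
    NoAuthnContext, the second trip asks for PPT instead. Returns the class
    refs for the next AuthnRequest, or None when no further trip is made."""
    if attempt == 1 and STATUS_NO_AUTHN_CONTEXT in codes:
        return [PPT]
    return None


# Constructed sample: the IdP satisfied PPT rather than MFA (option 1, case b).
SAMPLE_PPT_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2017-02-28T22:40:51Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{PPT}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the IdP could not satisfy an exact REFEDS MFA request (option 2 failure).
SAMPLE_NO_CONTEXT_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2" Version="2.0">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="{STATUS_NO_AUTHN_CONTEXT}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(requested_authn_context([REFEDS_MFA, PPT, KERBEROS]))
    codes, refs = parse_response(SAMPLE_PPT_RESPONSE)
    print("option 1 outcome:", classify_option1(refs))
    codes, refs = parse_response(SAMPLE_NO_CONTEXT_RESPONSE)
    print("option 2 second trip:", next_request_option2(codes, attempt=1))
```

The practitioner's check this illustrates is the one behind Scott's comment: with option 1 the SP has told the IdP that several contexts are acceptable, so it cannot infer MFA from the request it sent and must read the AuthnContextClassRef the IdP returned; with option 2 the IdP's NoAuthnContext status is the signal for the second roundtrip, and the SP should not loop beyond it.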

 

 

 

From: [mailto:] On Behalf Of David Walker
Sent: Tuesday, February 28, 2017 2:39 PM
To:
Subject: Re: [MFA-Interop] FW: [refeds] Consultation: REFEDS MFA Profile

Yeah, I wondered about that.  How do the rest of you feel about that?

Nick, do you have any insight as to why it was left out?

David

On 02/28/2017 01:39 PM, Nick Roy wrote:

If you feel that the omission of the default context is problematic, please do speak up on this consultation.

Thanks,

Nick

On 2/28/17 2:31 PM, Eric Goodman wrote:

For those of you not separately following on the various REFEDS lists.

This is REFEDS’ (modified) version of our proposed MFA Profile.

--- Eric

From: []
Sent: Tuesday, February 28, 2017 2:26 AM
To: ;
Subject: [refeds] Consultation: REFEDS MFA Profile

Dear All

A consultation on the proposed REFEDS Multi-factor Authentication Profile has opened today.  Full details of the consultation and the text to be reviewed are available at: https://wiki.refeds.org/display/CON/Consultation%3A+REFEDS+MFA+Profile

The consultation will close at 17:00 CEST on 27th March 2017.  All comments and discussions on the proposal should be made to the list: .   Comments may be made to the list, added to the change log on the wiki or sent directly to Nicole: .  Comments submitted through other channels will not be considered as part of the consultation. 

As usual, if you have any comments or queries please do let me know. With many thanks to InCommon, the GÉANT Project and the REFEDS assurance working group for their efforts on this profile to date.

Best wishes

Nicole

--


Nicole Harris

PROJECT Development Officer

GÉANT - Amsterdam office

T: +31 (0) 20 530 4488

M: +31 (0) 646 105396

Skype: harrisnv

PGP key Fingerprint: FD61 E288 14C7 432E 7AF5 D3B1 FB5B 8024 1BFD 94BB

Networks • Services • People

Learn more at www.geant.org

GÉANT is the collective trading name of the GÉANT Association in Amsterdam, NL, and of GEANT Limited in Cambridge, UK.

The GÉANT Association is a non-profit organisation registered under Dutch law through the Chamber of Commerce in Amsterdam, registration number 40535155.