Notes from the 8/7/2013 Cohortium Meeting
Date and Time: August 7, 2013, 2:00p-3:00p EDT
Action Items
- (No action items.)
Highlights
- Current status of the Shibboleth Enhancement project for support of MFA and multiple authentication contexts is available at https://spaces.at.internet2.edu/x/LgFtAg.
- Reports from recent subgroup meetings:
  - 2013-07-31 - Business Case Subgroup Notes - David Sherry
  - 2013-08-02 - Deployment Strategies Subgroup Notes - David Scuffham
  - 2013-08-05 - Product and Vendor Issues Subgroup Notes - Mike Wiseman
    - TomS: Looking at vendors is important, but it also makes sense to look at categories of technology (e.g., OTP, SMS).
    - Gabor Eszes @ Old Dominion Univ: Is compatibility with existing industry standardization efforts in scope for the Product & Vendor Issues subgroup?
    - Paul Howell - University of Michigan: Is there a reference ranking products/technologies by trustworthiness?
- Rob Carter gave a presentation on Duke University's approach to MFA management and lost token recovery.
  - Duke encountered pushback against deploying a single MFA technology, so they started on a path of implementing multiple systems, but later moved to Duo, as it is a single system that accommodates tokens, such as Yubikey, in addition to their native phone client.
  - Users can opt in to require MFA for selected web sites, but not all. Also, some sites require MFA, independent of a user's preference, and some users are always required to use MFA. Grouper is used to keep track of all of this.
  - Authorized people are allowed to impersonate test and role accounts.
  - Duke's implementation focused on authentication strength, not assurance, so they didn't modify their registration processes for MFA.
  - Temporary alternative passcodes can be used when tokens are lost. The passcodes are good for 72 hours, are based on security questions, and can be attempted only three times in a day. Not all SPs allow use of the temporary passcodes.