2013-08-16 - Deployment Strategies Subgroup Notes

Date and Time

August 16, 2013, 2:00-3:00 ET

Agenda and Meeting Materials

2013-08-16 - Deployment Strategies Subgroup Agenda

Action Items

Highlights

  • The group agreed that Alternative Strategies When Multi-Factor Tokens Are Not Available is ready for review with the full Cohortium.  Mike Grady will review Duke's strategy with respect to our framework.
  • We continued the discussion of initial deployment strategies for MFA that started in 2013-08-09 - Technology Issues Subgroup Notes.
    • The University of Washington started their use of MFA on their mainframe, then in the web SSO.  We may want to add another category to our (future) white paper for deploying on a single platform that runs multiple applications.
    • Nobody was aware of "whole hog" strategies that either required MFA of everyone, or enabled it for all applications (so that applications could choose to use it), but those are options.
    • There was a question of cost effectiveness, particularly of "whole hog" approaches.  The definition of "effective" is, of course, a local one, but we hope the Cohortium can help institutions make that determination.  We can also highlight short-term vs. long-term cost strategies.  For example, it is probably more cost effective in the long term to integrate MFA into an SSO initially, though doing so probably costs more in the short term.

1 Comment

  1. FWIW, I'm not sure I agree "it is probably more cost effective in the long term to integrate MFA into an SSO initially." For example, it is remarkably easy to deploy a cloud-based solution like Duo or Toopher, each of which requires a straightforward integration with a modern REST-based API. They even provide wrapper scripts in a variety of scripting languages. (Duo makes these wrapper scripts available as open source on GitHub.) It's really not very difficult to do this integration numerous times at various service points. I'm not saying you should, but it's very tempting, given how easy it is.

    So I don't think the cost of deployment is what drives the need for SSO. If not deployment cost, then what? In a word, usability.

    The usability of the Duo solution is state-of-the-art, while the usability of Toopher is even better (since you don't even have to take your device out of your pocket), but the usability of MFA is clearly greater than password alone. So we need SSO for MFA for the same reason we need SSO for password alone. Usability.