2013-08-19 - Product and Vendor Issues Subgroup Notes
Date and Time
August 19, 2013, 2:00-3:00 ET
Agenda and Meeting Materials
Action Items
- Tom Scavo will report about this meeting to the full Cohortium on 8/21/2013.
- David Walker will draft a straw man white paper, based on this call, for discussion in our next call.
Highlights
- We discussed product evaluation criteria as a product of our group, using "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes" as a starting point.
- We will discuss non-password solutions in general, not specifically multi-factor solutions.
- YubiKey and Duo, for example, are single-factor solutions that can be combined with a password or another single factor to achieve multi-factor.
- Recent versions of NIST 800-63 allow certain single-factor, non-password authentication schemes to be used at LoA-2.
- The evaluation criteria in "The Quest to Replace Passwords" are useful, but there are others we should add.
- Tom Scavo will distribute some thoughts he's had about additional criteria.
- Applicability to well-known assurance profiles.
- Environments that the product can be integrated into. "Environments" include things like:
  - Web/browser applications
  - Microsoft AD
  - Globus
  - Unix shell
  - VPN
  - Mobile
- VPN and Mobile are difficult, as there are no predominant standards for integration.
- Mobile is also difficult because of the lack of common physical interfaces. NFC and OTP are possibilities, as is the use of a second network-attached device.
- Can your access device be considered a second factor? It is "something you have," but there are numerous security issues.