A Vendor-Independent MFA Management Console

This is a collection of raw materials related to the Cohortium's discussion of a vendor-independent management console for multi-factor authentication. NOTHING IS FINAL; it's all DRAFT.

Background Material

Functionality

  • Vendor-independent MFA management
    • Enrollment
    • Credential reset
    • Disable credentials
    • Activate and deactivate additional devices
    • Self service
    • SAML SSO
  • Role-based access control
    • Delegation of authority for subsets of the community
    • Delegation of device management (only) to help desk
    • Delegation of functions such as purchasing devices to Purchasing office, college/depts
  • AD Integration (perhaps not all "management console" issues...)
    • Advance their ADFS integration to ADFS 3.0's new multi-factor provider capability
    • Move ADFS support beyond only supporting Office 365 as a service provider
  • Add to their workstation interactive logon security provider approach (they call it RDP, but it is really just hooking interactive logons) by:
      • providing AD-integrated two-factor authentication, i.e. add an option where the second-factor verification is tied to a user certificate that AD holds and results in a group being added to the logon token (as spelled out here: http://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx)
      • supporting the network logon types of Windows logons, i.e. secure network access to specific Windows servers (this appears possible by proxying through their RRAS solution, but it would be nice to have something simpler)
      • adding "run as" support to their "RDP" solution

Design
