- Given the latest NIST draft do we want to deprecate or disallow SMS codes?
- Should there be guidance for “remembered/trusted devices”?
  In the new draft 800-63, AAL2 requires multi-factor authentication and requires a user to authenticate fully every 12 hours. In the Duo context, this would require 12-hour "trusted device" settings.
- Any requirements or guidance about written backup codes?
  - Specifically, Duo allows for “bypass codes” which can have arbitrary lifetimes AND that can be reused. Is authenticating with a reusable bypass code acceptable?
- Any recommendations that vendors (I’m looking at you, Duo…) provide more visibility to client applications as to what mechanism was used for MFA authentication?
  - E.g., a campus may allow the use of Duo Bypass codes, or “remember this device”, but the IdP has no way (AFAIK) to see that this was used. So if an IdP wanted to allow reusable Duo Bypass codes for access to some applications but not to others, I don’t think they can.