Versions Compared

Old Version 2

changes.mady.by.user Mary Dunker

Saved on

compared with

New Version Current

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

Introduction

This document is intended to aid institutions aspiring to meet the requirements of the InCommon Federation's Identity Assurance Profile (IAP) for Silver level of assurance using muilti-factor implementations. Only sections of the IAP where there is a challenge unique to multi-factor are specifically addressed.

IAP sections discussed in this document:

  • 4.2.3 Credential Technology
    • 4.2.3.1 Credential Unique Identifier
    • 4.2.3.2 Resistance to Guessing Authentication Secret
    • 4.2.3.3 Strong Resistance to Guessting Authentication Secret
    • 4.2.3.4 Stored AUthentication Secrets
    • 4.2.3.5 Protected Authentication Secrets
  • 4.2.6.1 Identity Record Qualification

For more information about the InCommon Assurance program, terms and definitions, and links to the IAP and IAAF documents and the FAQ, see the Assurance Resources section

Preamble

Some institutions are exploring using multi-factor authentication technologies to meet InCommon Silver standards. Motivators include deficiencies in processes for identity proofing, insecure methods for distributing credentials, and non-compliant passwords for existing credentials. Implementing multi-factor in a way that complies with Silver will help improve processes and security.

Wiki MarkupUsing multi-factor technologies to meet InCommon Silver requirements is a challenge because the IAP is designed to address credentials based on an Authentication Secret used for authentication of the subject to the IdP. A typical Authentication Secret is _something you know_ such as a password or passphrase. Additional factors - _something you have_ or _something you are_ \- are not addressed in the IAP. Section 4.2.3 of the IAP states, "If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements," and there are several references to NIST \[SP 800-63\] throughout this section. Therefore, institutions may wish to seek guidance from NIST \[SP 800-63\] to justify assertions that their multi-factor implementation meets or exceeds the requirements. Tokens commonly used as _something you have_ for multi-factor authentication are:

  • Out-of-band tokens
  • One-time password devices
  • X.509 digital certificates, either stored in software or on a hardware device

...

Identity Assurance Profile (IAP) is designed to address credentials based on an Authentication Secret used for authentication of the subject to the IdP. A typical Authentication Secret is something you know such as a password or passphrase. Additional factors—something you have or something you are—are not addressed in the IAP. Section 4.2.3 of the IAP states, "If other Credentials are used to authenticate the Subject to the IdP, they must meet or exceed the effect of these requirements." Since there are several references to NIST [SP 800-63] throughout this section, institutions may wish to seek guidance from that NIST publication to justify assertions that their multi-factor deployment meets or exceeds the requirements.

...

Multi-factor Deployment Examples

...

...

Include Page
footer
footer