
  • Given the latest NIST draft, do we want to deprecate or disallow SMS codes?
  • Should there be guidance for “remembered/trusted devices”?
  • Any requirements or guidance about written backup codes?
    • Specifically, Duo allows for “bypass codes” which can have arbitrary lifetimes AND can be reused. Is authenticating with a reusable bypass code acceptable?
  • Any recommendations that vendors (I’m looking at you Duo…) provide more visibility to client applications as to what mechanism was used for MFA authentication?
    • E.g., a campus may allow the use of Duo Bypass codes, or “remember this device”, but the IdP has no way (AFAIK) to see that this was used. So if an IdP wanted to allow reusable Duo Bypass codes for access to some applications but not to others, I don’t think they can.