From: Krzysztof B. <kb...@un...> - 2023-01-30 08:35:57

Hi Sander,

First of all thank you for that email. We will internally talk about it more after the next release is out, but please find below some quick comments.

On 25.01.2023 at 08:56, Sander Apweiler wrote:
> for the usage of MFA we want to provide some feedback. Some of these
> things you already know.
>
> - If the OTP is wrong I have to redo the whole authentication. This feels a
> little bit annoying. On other platforms you just have to re-enter the
> OTP, but not username & password.

Makes sense, though it is more complex: this behavior makes sense for OTP and maybe SMS as the second factor, but not at all if, say, a hardware token (FIDO2) is used as the second factor. But worth considering as credential-dependent behavior. Shouldn't be a big deal to implement.

> - Signalling MFA usage to SPs in common ways. There are already some
> common ways to signal the usage of MFA to services. These are the
> AuthnContextClassRef in SAML and the acr claim in OIDC. It would be
> great if this is supported by Unity, too.
> - Proxying the MFA information from the upstream IdP. If the upstream IdP
> already enables MFA and sends the usage to services, MFA at Unity does
> not increase the security anymore. Especially if the second factor is
> the same OTP generator. So it would be great if there is a way to
> transfer the information to the SPs of Unity. I know we can build a
> workaround but as you already mentioned storing information in Unity in
> session-bound attributes is not the best way.
> - If the user enables MFA in Unity but the upstream IdP already
> performed MFA, it would be great if there is a way for admins to
> configure if Unity performs MFA or not and just proxies the
> information. As mentioned before there is no benefit if the second
> factor is the same.

All 3 points above are mostly clear and true - a missing functionality in Unity.

> - Have an additional authentication flow policy "step_up" which does
> not fall back to never, if the user has no MFA configured, but just
> prohibits the operation/login.

Here I'm not sure if I understand. Do you mean that the user needs to provide two factors and if they have only one set up then the authN fails? Isn't that possible today?

> - Have different session lifetimes for users who performed MFA. Since the
> MFA gives better trust that the user account is not compromised, it
> would be nice if we can increase the session time for those users who
> authenticated with MFA. This would be a benefit for those who are
> doing the additional step.

Here I don't think this is a correct approach. What is the linking between LoA and session lifetime? If any I'd say it is the opposite: if you are strongly authenticated, then you may potentially gain access to more resources, and so your session should be shorter. But essentially I'd say there should be no dependency here.

Thank you a lot,
Krzysztof
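The three policy questions raised in this thread (signalling MFA to the SP via acr / AuthnContextClassRef, proxying an upstream IdP's MFA signal instead of repeating the same second factor, and a "step_up" policy that refuses login rather than silently falling back) can be modelled as one decision function. The following is an added example, not Unity's code and not from either participant in the thread. The REFEDS MFA profile URI and the SAML PasswordProtectedTransport class are the real identifiers; the policy names `never`/`optional`/`step_up`, the `trust_upstream_mfa` switch, the data classes and the `second_factor` callback are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Real authentication-context identifiers. REFEDS_MFA is the REFEDS MFA profile
# URI used as an acr / AuthnContextClassRef value; PASSWORD_ONLY is the standard
# SAML class for password-only authentication.
REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_ONLY = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Hypothetical flow policies (assumed names, not Unity configuration keys):
#   "never"    - never challenge for a second factor locally
#   "optional" - challenge if the user has a second factor enrolled, else fall back
#   "step_up"  - the proposed policy: require a second factor, refuse login otherwise
POLICIES = ("never", "optional", "step_up")


@dataclass
class UpstreamAuthn:
    """What the upstream IdP asserted about the user (constructed sample data)."""
    subject: str
    acr: Optional[str] = None                 # acr (OIDC) / AuthnContextClassRef (SAML)
    amr: List[str] = field(default_factory=list)  # OIDC amr values, e.g. ["pwd", "otp"]


@dataclass
class LocalUser:
    """The proxy's own view of the user (constructed sample data)."""
    subject: str
    mfa_enrolled: bool                        # has a second factor registered locally


class StepUpRequired(Exception):
    """Policy demands MFA but the user cannot satisfy it; login must be refused."""


class SecondFactorFailed(Exception):
    """The local second-factor challenge was not passed."""


def upstream_did_mfa(upstream: UpstreamAuthn) -> bool:
    """True if the upstream IdP signalled MFA in a form we recognise."""
    return upstream.acr == REFEDS_MFA or "mfa" in upstream.amr


def resolve_authn_context(
    upstream: UpstreamAuthn,
    user: LocalUser,
    policy: str,
    trust_upstream_mfa: bool,
    second_factor: Callable[[LocalUser], bool],
) -> Tuple[bool, str]:
    """Decide whether the proxy runs its own second factor and which acr value
    it emits to the SP.

    Returns (ran_local_mfa, acr_for_sp). Raises StepUpRequired or
    SecondFactorFailed when the login must be refused outright.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")

    # Admin-configurable proxying: if the upstream IdP already did MFA and we
    # trust that signal, repeating (possibly the same) second factor adds
    # nothing, so pass the context through unchanged.
    if trust_upstream_mfa and upstream_did_mfa(upstream):
        return False, REFEDS_MFA

    if policy == "never":
        # Report only what the upstream asserted; password-only if it said nothing.
        return False, upstream.acr or PASSWORD_ONLY

    if policy == "step_up" and not user.mfa_enrolled:
        # The proposed behaviour: no silent fallback to a weaker context.
        raise StepUpRequired(f"{user.subject} has no second factor enrolled")

    if policy == "optional" and not user.mfa_enrolled:
        return False, upstream.acr or PASSWORD_ONLY

    # Remaining cases: the user is enrolled, so run the local second factor.
    if not second_factor(user):
        raise SecondFactorFailed(user.subject)
    return True, REFEDS_MFA


def id_token_claims(subject: str, acr: str, ran_local_mfa: bool,
                    upstream: UpstreamAuthn) -> dict:
    """Claims the proxy would place in the ID token (or SAML assertion) for the SP."""
    amr = list(upstream.amr)
    if ran_local_mfa and "mfa" not in amr:
        amr.append("mfa")
    return {"sub": subject, "acr": acr, "amr": amr}
```

The `second_factor` callback stands in for whatever challenge the proxy actually runs (TOTP, SMS, FIDO2); in a real deployment the `trust_upstream_mfa` decision should be per upstream IdP, since accepting an acr value from an IdP you do not trust lets that IdP assert MFA it never performed.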