Changes between Version 7 and Version 8 of mfa


Timestamp: 07/02/14 16:11:49 (10 years ago)
Author: dabantz@…
Comment: --

  • mfa

    v7 v8  
    44Two-factor authentication requires users to provide a "second factor" in addition to the correct password to authenticate and gain access to resources.  If your password is "something you know", the second factor can be described as "something you have" such as your working telephone or smartphone.  [In principle the second - or third - factor could be "something you are" such as fingerprint or voiceprint recognition.] 
    55 
    6 The UA Identity Provider is being extended to allow use of two-factor authentication using Duo Security.  When two-factor authentication is invoked (as described below) you will first provide your identifier and UA Password just as you usually do for most applications.  If and only if your password is verified a second screen will ask for the second factor.  That second factor may be one of the following: 
     6The UA Identity Provider has been extended to allow use of two-factor authentication using Duo Security.  When two-factor authentication is invoked (as described below) you will first provide your identifier and UA Password just as you usually do for most applications.  If and only if your password is verified a second screen will ask for the second factor.  That second factor may be one of the following: 
    77 * replying "accept" in a request for access sent to a smartphone app on your registered phone 
    88 * entering a code sent via text to your registered cell phone 
     
    2222(1) A service can request two-factor authentication when relying on the Identity Provider to authenticate users.  It does so by explicitly requesting the two-factor "authnContext" in its request.  An important caveat is that the Identity Provider is not in general guaranteed to honor that request.  The Identity Provider may not be capable of a particular method and default or fall back to some other method.  The Identity Provider will include a precise indication of the method it did use to authenticate the user, but it is up the relying service to verify that the method used provided what that service considers an acceptable method and to respond accordingly.  That is, the SP might deny access altogether if the the authentication method was not that requested, or it may allow access to some portion of the service. 
    2323 
     24The authentication context to request Duo two-factor authentication is: 
     25https://iam.alaska.edu/trac/wiki/mfa 
     26 
    2427(2) An individual user can require two-factor authentication for their identity.  A user desiring higher assurance that others do not impersonate them can indicate that anyone using their UA Username or ID # will be required by the Identity Provider to use 2-factor authentication.  If you invoke this option for your UA identity, anyone attempting to authenticate as you will need not only your UA Username or ID # and your UA Password but access to your registered phone in order to provide the second factor, thus making such impersonation more difficult and less likely. 
     28 
     29Your identity requires Duo two-factor authentication if, and only if, you are designated in the UA Enterprise LDAP ("eDir") to be in the following group: 
     30        cn=security:IdP:require2factor,ou=group,dc=alaska,dc=edu 
     31Currently (in the initial roll-out of two-factor authentication at UA) you can request this group membership and use of !DuoSecurity two-factor authentication by request to IAM (email iam@alaska.edu). 
     32 
     33== Enrolling and configuring your phone or other second factor == 
     34If your authentication invokes two factor authentication (via either of the methods above - because a service requires it or because you are in the security group using two factor) and you have not previously used Duo Security with UA, you will be presented with a page to automatically enroll and designate your phone number to be used for second factor.   
    2535 
    2636== Implementation == 
    2737 
    28 UA IAM is currently (2014Q1) working with Duo Security to provide this capability for two-factor authentication.  We have deployed a proof of concept in a non-production environment that demonstrates the integration with some production services.  Interested UA members may contact iam@alaska.edu for details and to participate in the pilot. 
     38As of 2014-06-25 Duo Security two-factor authentication is integrated with the production UA Identity Provider. 
    2939 
    30 == Implemented contexts using MFA == 
     40The recently announced self-service portal for managing your Duo Security account will be available at some point in the future if requested by users.   
    3141 
    32 == '''[=#MCBDuo2FA MCBDuo2FA: Duo Security 2-factor invoked by Multi-Context Broker]''' == 
    33  
     42https://duosecurity.com/blog/empower-users-and-save-time-with-self-service-portal
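
Review bot: The authentication context value added at v8 lines 24-25 is a bare URL identical to this wiki page's own address, with nothing marking it as a literal string; put it in a Trac literal block ({{{ ... }}}) so it is not auto-linked, and say that this is the exact value a service places in its "authnContext" request. Because paragraph (1) makes the relying service responsible for verifying the method the Identity Provider actually used, the page should also state the value the Identity Provider returns when Duo succeeded, so a service knows what to compare against before granting access. In the new enrollment section (v8 lines 33-34), first-time enrollment is offered after the password step alone, so for a user newly added to cn=security:IdP:require2factor the password is the only thing protecting phone registration until they enroll; tell users to enroll as soon as the group change is confirmed, or describe how IAM verifies the phone. Removing the "Implemented contexts using MFA" heading also drops the #MCBDuo2FA anchor, which breaks any existing links to it, and the self-service portal sentence ("will be available at some point in the future if requested by users") gives readers nothing to act on; say how to request it.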