cosign-discuss at umich.edu
general discussion of cosign development and deployment
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Cosign Multi-factor Authentication Spec
- To: "Craig, Wesley D" <wes@xxxxxxxxx>, "Carson, Cassandra" <clcarson@xxxxxxxxxxxx>
- Subject: RE: Cosign Multi-factor Authentication Spec
- From: "Drumm, Daniel" <dgdrumm@xxxxxxxxxxxx>
- Date: Tue, 11 Oct 2005 16:39:34 -0400
- Cc: "Meyer, Seth" <smeyer@xxxxxxxxxxxx>, "Linderman, Mark" <mlinderm@xxxxxxxxxxxx>, "cosign-discuss Discussion" <cosign-discuss@xxxxxxxxx>, <mais.twofact.tech@xxxxxxxxx>, "Dandamudi, Bindu" <bdandamu@xxxxxxxxxxxx>, "Thomas, Katarina" <kkit@xxxxxxxxxxxx>
- Thread-index: AcXOn+FNB79NM2sCT5e0Bo+ac2xEAgAA0G3A
- Thread-topic: Cosign Multi-factor Authentication Spec
Seth mentioned the futility of passing a "OTP=BOGUS" name/value pair
back in the query string from weblogin. It informs the referring filter
that the OTP validation wasn't "real", but there is no way of informing
any further websites of that fact.
Given that, I'm excluding any further mention of distinguishing between
real token use, and an opt-out user.
Instead, this is a question of authorization. If another campus entity
is concerned that they shouldn't trust MAIS users because MAIS users are
allowed to seem as if they used two factors when, in fact, they did not
- then MAIS users should not be included in the authorization layer of
the web app, whatever it happens to be.
Sorry - this doesn't relate to the topic of authentication requirement
by path, but I wanted to mention it.
From: Wesley Craig [mailto:wes@xxxxxxxxx]
Sent: Tuesday, October 11, 2005 4:10 PM
To: Carson, Cassandra
Cc: Meyer, Seth; Linderman, Mark; cosign-discuss Discussion;
mais.twofact.tech@xxxxxxxxx; Dandamudi, Bindu; Thomas, Katarina
Subject: Re: Cosign Multi-factor Authentication Spec
On 11 Oct 2005, at 12:08, Carson, Cassandra wrote:
> Just to be sure....Will this also work in reverse? Meaning the user
> visited henonprodop, but provided their token and then went to
> Since the cookie had the second factor, they would be accepted at
> heprodop and not be prompted to provide the token again.
Yes, that's exactly right.