Re: Cosign Multi-factor Authentication Spec

[Wesley Craig <wes@xxxxxxxxx>]

On 11 Oct 2005, at 16:39, Drumm, Daniel wrote:
> Seth mentioned the futility of passing a "OTP=BOGUS" name/value pair
> back in the query string from weblogin. It informs the referring  
> filter
> that the OTP validation wasn't "real", but there is no way of  
> informing
> any further websites of that fact.

There seems to be some confusion, here.

Nothing like OTP=BOGUS is passed on any query string.  A protected  
application might pass "factors=OTP" on the query string.  The UI  
would present OTP as a requirement.  The PAM implementation in the  
spec is sensitive to the return value "user_unknown", and appends  
some string ("-junk" in the example in the spec) to the factor.  The  
browser would then be redirected back to whatever URL the application  
gave as "referring-url".

Back in the application, the filter gets back from the server which  
factors, if any, have succeeded.  One such factor might be "OTP- 
junk".  The filter may have the option "CosignIgnoreFactorSuffix" set  
to "-junk", in which case "OTP-junk" and "OTP" would seem to be  
equivalent to the filter.  If "CosignIgnoreFactorSuffix" wasn't set,  
the filter is able to count "OTP-junk" and "OTP" as different.

:wes