cosign-discuss at umich.edu
general discussion of cosign development and deployment
Wes,

Thanks! I am glad we cleared that up. The "-fakedout" parameter is passed on the back-channel, not on the query string. I assume we all want to proceed with this design.

Sorry, all, for any confusion I inadvertently caused.

Seth

-----Original Message-----
From: Wesley Craig [mailto:wes@xxxxxxxxx]
Sent: Tuesday, October 11, 2005 8:04 PM
To: Drumm, Daniel
Cc: Carson, Cassandra; Meyer, Seth; Linderman, Mark; cosign-discuss Discussion; mais.twofact.tech@xxxxxxxxx; Dandamudi, Bindu; Thomas, Katarina
Subject: Re: Cosign Multi-factor Authentication Spec

On 11 Oct 2005, at 16:39, Drumm, Daniel wrote:

> Seth mentioned the futility of passing a "OTP=BOGUS" name/value pair
> back in the query string from weblogin. It informs the referring
> filter that the OTP validation wasn't "real", but there is no way of
> informing any further websites of that fact.

There seems to be some confusion, here. Nothing like OTP=BOGUS is passed on any query string.

A protected application might pass "factors=OTP" on the query string. The UI would present OTP as a requirement. The PAM implementation in the spec is sensitive to the return value "user_unknown", and appends some string ("-junk" in the example in the spec) to the factor. The browser would then be redirected back to whatever URL the application gave as "referring-url".

Back in the application, the filter gets back from the server which factors, if any, have succeeded. One such factor might be "OTP-junk". The filter may have the option "CosignIgnoreFactorSuffix" set to "-junk", in which case "OTP-junk" and "OTP" would seem to be equivalent to the filter. If "CosignIgnoreFactorSuffix" wasn't set, the filter is able to count "OTP-junk" and "OTP" as different.

:wes
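The filter-side comparison described in the message above, as an added example that is not part of the original thread and is not cosign's own code. The function names and the "kerberos" factor are assumptions made for illustration; "CosignIgnoreFactorSuffix", "OTP" and "-junk" are taken from the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: does one factor reported by the server satisfy one
 * required factor? If ignore_suffix is set and the reported factor ends
 * with it, the suffix is dropped before comparing, so "OTP-junk" is
 * treated as "OTP". */
static int factor_matches(const char *required, const char *reported,
                          const char *ignore_suffix)
{
    size_t len = strlen(reported);

    if (ignore_suffix != NULL && *ignore_suffix != '\0') {
        size_t slen = strlen(ignore_suffix);
        /* len > slen: a factor consisting only of the suffix is not stripped */
        if (len > slen && strcmp(reported + len - slen, ignore_suffix) == 0)
            len -= slen;
    }
    return strlen(required) == len && strncmp(required, reported, len) == 0;
}

/* Returns 1 only if every required factor is matched by a reported one. */
int factors_satisfied(const char *const required[], size_t nreq,
                      const char *const reported[], size_t nrep,
                      const char *ignore_suffix)
{
    for (size_t i = 0; i < nreq; i++) {
        int found = 0;
        for (size_t j = 0; j < nrep && !found; j++)
            found = factor_matches(required[i], reported[j], ignore_suffix);
        if (!found)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: the application required OTP; the server reports
     * a constructed "kerberos" factor plus an OTP that carries the suffix. */
    const char *const required[] = { "OTP" };
    const char *const reported[] = { "kerberos", "OTP-junk" };

    printf("suffix ignored: %d\n",
           factors_satisfied(required, 1, reported, 2, "-junk"));
    printf("suffix not set: %d\n",
           factors_satisfied(required, 1, reported, 2, NULL));
    return 0;
}
```

With the suffix option unset, a filter that requires "OTP" does not accept "OTP-junk", so the choice to treat the two as equivalent stays with each protected application.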