[DG-Concordia] AuthnContext & PAPE & ICAM

Beach, Michael C michael.c.beach at boeing.com
Mon Dec 14 20:25:01 EST 2009


+1 for large organizations having multiple LoAs. I mentioned once upon a time that a key driver is cost. In general, higher LoA costs more money, so we only raise LoA where there is a business driver. It is also typically true that higher LoA is less convenient for the user.


Mike Beach, CISSP
Chief Security Designer
Information Security
The Boeing Company
michael.c.beach at boeing.com

-----Original Message-----
From: dg-concordia-bounces at kantarainitiative.org [mailto:dg-concordia-bounces at kantarainitiative.org] On Behalf Of RL 'Bob' Morgan
Sent: Monday, December 14, 2009 5:08 PM
To: Concordials
Subject: Re: [DG-Concordia] AuthnContext & PAPE & ICAM


> The other thing to remember is that the user can't be allowed
> administrative access to the account if they are authenticated at the
> lower LoA without compromising the higher LoA. That is something I
> would look for as an assessor for a multi-LoA IdP.

It is important to distinguish "multiple LoAs for the IdP as a whole, one LoA per user" from "multiple LoAs per user". The former, it seems to me, is going to be the case in any organization of any significant size.
Multiple LoAs per user is definitely trickier and less obviously needed, though still relatively common (e.g. at my university many people have two-factor devices they use for more sensitive apps in addition to the plain old username/password they use for all other apps).

I don't know that I agree with your concern above in general, though. Our users have some kinds of "administrative access" to their accounts (update mailing address, e.g., or change password) via LoA2 (-equivalent) login.
This doesn't affect the quality of their two-factor (LoA3-equiv) login, as far as I can see.

  - RL "Bob"
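As an added illustration of the distinction drawn in the message above (example code written for this page, not code from the thread or from any organization named in it): a per-operation policy where a session's LoA is derived from its SAML AuthnContext class, a user may be enrolled at several LoAs, and no operation may alter a credential that backs a higher LoA than the session actually reached. The class-to-LoA mapping, the operation table and the `decide`/`policy_violations` helpers are assumptions.

```python
from dataclasses import dataclass

# Assumed mapping from SAML 2.0 AuthnContext class references to LoA levels.
# The URNs are standard SAML classes; the LoA numbers are an assumption.
AUTHN_CONTEXT_LOA = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 3,
}

@dataclass(frozen=True)
class Operation:
    name: str
    min_session_loa: int             # LoA the current session must have reached
    touches_credential_loa: int = 0  # LoA of the credential this op can change

# Hypothetical account-management operations matching the ones discussed.
OPERATIONS = {
    "update_mailing_address": Operation("update_mailing_address", 2),
    "change_password": Operation("change_password", 2, 2),
    "reenroll_two_factor": Operation("reenroll_two_factor", 3, 3),
}

def policy_violations(ops=OPERATIONS):
    """Operations through which a lower LoA could weaken a higher one, i.e.
    the assessor's concern: an op that alters an LoA-n credential while only
    requiring a session below LoA n."""
    return [op.name for op in ops.values()
            if op.min_session_loa < op.touches_credential_loa]

def session_loa(authn_context_class_ref: str) -> int:
    return AUTHN_CONTEXT_LOA.get(authn_context_class_ref, 0)  # unknown class => 0

def decide(op_name: str, authn_context_class_ref: str, enrolled_loas: set,
           ops=OPERATIONS) -> str:
    """Return 'allow', 'step_up' (the user holds a strong-enough credential but
    this session did not use it) or 'deny'. The credential rule is enforced
    here too, so a misconfigured operation table cannot bypass it."""
    op = ops[op_name]
    needed = max(op.min_session_loa, op.touches_credential_loa)
    current = session_loa(authn_context_class_ref)
    if current >= needed:
        return "allow"
    if any(loa >= needed for loa in enrolled_loas):
        return "step_up"
    return "deny"
```

With this shape, changing a mailing address or password at LoA2 is allowed while re-enrolling the two-factor device from a password-only session forces step-up, which is the property the reply argues keeps the LoA3 login intact.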

