[DG-Concordia] AuthnContext & PAPE & ICAM
Paul Madsen
paulmadsen at rogers.com
Tue Dec 15 12:44:18 EST 2009
Is there a class of users who would always log-in at a higher LOA?
Within the IdP enterprise, I'd guess not (i.e. even those users that
require higher LOA credentials would also have a lower LOA mate) but
perhaps not for federated actions at an SP?
Paul
On 12/14/2009 8:08 PM, RL 'Bob' Morgan wrote:
>
>> The other thing to remember is that the user can't be allowed
>> administrative access to the account if they are authenticated at the
>> lower LoA without compromising the Higher LoA. That is something I
>> would look for as an assessor for a multi LoA IdP.
>
> It is important to distinguish "multiple LoAs for the IdP as a whole,
> one LoA per user" from "multiple LoAs per user". The former, it seems
> to me, is going to be the case in any organization of any significant
> size. Multiple LoAs per user is definitely trickier and less obviously
> needed, though still relatively common (e.g. at my university many
> people have two-factor devices they use for more sensitive apps in
> addition to the plain old username/password they use for all other apps).
>
> I don't know that I agree with your concern above in general, though.
> Our users have some kinds of "administrative access" to their accounts
> (update mailing address, e.g., or change password) via LoA2
> (-equivalent) login. This doesn't affect the quality of their
> two-factor (LoA3-equiv) login, as far as I can see.
>
> - RL "Bob"