Good Day,

 

We’re looking at our requirements for Two-Factor Auth in regards to several situations where we host web services offered to third parties. 

 

One solution that we wouldn’t mind trying to adopt is a SAML-based solution so we could pick people to federate with that may already have a 2FA SAML implementation at their home institution. One challenge we have is provisioning/funding issuing authentication tokens to these downstream third parties that have no local SAML/2FA solution. In looking at the InCommon Duo Security offering, we’re still left with buying a token for each 3rd party and (probably more importantly) being responsible for token issuance.

 

http://www.protectnetwork.org/solutions/public-sso-cloud got mentioned as a possible solution but I don’t see anyone like them offering 2FA.

 

Has anyone found a provider for outsourcing this two factor authentication of third parties?

 

Thanks,

Chris

--

Chris Green

UAB Information Security, 205-975-0842

 

Comments

If you're targeting InCommon schools, Duo Security (http://www.incommon.org/duo/) via Net+ might be an option? I can't tell from the brief information on the Net+ site if they could provide what you're looking for, but it seems at least worth a question to the vendor to see how deep their InCommon support actually goes.

-- 
Paul Erickson
Enterprise Architect
Information Services
University of Nebraska–Lincoln

tel:402 472 1657
http://is.unl.edu/        mailto:phe@unl.edu

Together, making the vision of UNL come alive through technology leadership

From: Chris Green <cmgreen@UAB.EDU>
Reply-To: EDUCAUSE Identity Management constituent group <IDM@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, 15 November, 2012 09:03
To: EDUCAUSE Identity Management constituent group <IDM@LISTSERV.EDUCAUSE.EDU>
Subject: Two-Factor Auth/ SAML / Third-Parties

Good Day,

 

We’re looking at our requirements for Two-Factor Auth in regards to several situations where we host web services offered to third parties. 

 

One solution that we wouldn’t mind trying to adopt is a SAML-based solution so we could pick people to federate with that may already have a 2FA SAML implementation at their home institution. One challenge we have is provisioning/funding issuing authentication tokens to these downstream third parties that have no local SAML/2FA solution. In looking at the InCommon Duo Security offering, we’re still left with buying a token for each 3rd party and (probably more importantly) being responsible for token issuance.

 

http://www.protectnetwork.org/solutions/public-sso-cloud got mentioned as a possible solution but I don’t see anyone like them offering 2FA.

 

Has anyone found a provider for outsourcing this two factor authentication of third parties?

 

Thanks,

Chris

--

Chris Green

UAB Information Security, 205-975-0842

 

Sorry, re-read your message and realized Duo was the one you've already looked at.
Need more coffee. :)

Approachable/usable 2FA in a federated environment is certainly a major gap that begs a solution.

-- 
Paul Erickson
Enterprise Architect
Information Services
University of Nebraska–Lincoln

tel:402 472 1657
http://is.unl.edu/        mailto:phe@unl.edu

Together, making the vision of UNL come alive through technology leadership

Google offers 2FA.  Not sure if Google would work for your use case but the mobile app is free.

 

On 11/15/2012 12:21 PM, Tom Scavo wrote:
> There's no shortage of SAML-based identity providers (IdPs) in higher
> ed but you won't find many that can authenticate their users with two
> factors. Even if they did, there's no standard way for those IdPs to
> communicate back to the service that 2FA did in fact occur. (Since 2FA
> technology is not widely deployed, there's no incentive to standardize
> the protocol bits.)

Our goal would be to validate each IdP is backed up by 2FA at setup.

The problem we have is the application we are hosting has a hard two factor auth requirement and are looking for some way to issue tokens to a third party, preferably outsourced so we can pass the cost on directly to the application sponsor that don't fit the standard employee/staff/student licensing models.

The thinking was that if we treated the application as a SAML SP, we can then front-end our own IdP function with the local two-factor solution and then bless the remote 2FA IdP on an as needed basis.

Thanks,
Chris
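The SP-side policy described in the message above (bless each IdP for 2FA at setup, because the assertion alone carries no agreed signal), sketched as an added example that is not part of the original thread or any poster's code. The entityIDs, the `BLESSED_IDPS` table, the function names and the `urn:example:ac:2fa` context class are all assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TWO_FACTOR = "urn:example:ac:2fa"  # constructed value agreed bilaterally, not a standard URI

# Hypothetical policy table kept by the SP: IdPs "blessed" at setup time.
# None  = every login at this IdP is two-factor (e.g. our own IdP fronting local 2FA).
# a URI = the IdP also serves single-factor users, so it must assert this context class.
BLESSED_IDPS = {
    "https://idp.host.example.edu/2fa": None,
    "https://idp.partner.example.org/idp": TWO_FACTOR,
}

def two_factor_satisfied(assertion_xml):
    """Return (allowed, reason). Assumes the SAML SP software has already
    verified the signature, audience and validity window of the assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in BLESSED_IDPS:
        # An unvetted IdP claiming 2FA is still rejected: the claim is unverifiable.
        return False, "issuer not blessed for 2FA: %r" % issuer
    required = BLESSED_IDPS[issuer]
    if required is None:
        return True, "IdP is 2FA-only by agreement"
    refs = {(e.text or "").strip()
            for e in root.iterfind(".//saml:AuthnContextClassRef", NS)}
    if required in refs:
        return True, "IdP asserted the agreed 2FA context class"
    return False, "blessed IdP did not assert 2FA for this login"

def sample_assertion(issuer, class_ref):
    """Constructed, unsigned assertion fragment for the demonstration."""
    return (
        '<saml:Assertion xmlns:saml="%s"><saml:Issuer>%s</saml:Issuer>'
        "<saml:AuthnStatement><saml:AuthnContext>"
        "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
        % (NS["saml"], issuer, class_ref)
    )

if __name__ == "__main__":
    for issuer, ref in [("https://idp.host.example.edu/2fa", PASSWORD),
                        ("https://idp.partner.example.org/idp", PASSWORD),
                        ("https://idp.unknown.example.net/idp", TWO_FACTOR)]:
        print(issuer, two_factor_satisfied(sample_assertion(issuer, ref)))
```
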
Message from caleb.racey@newcastle.ac.uk

I know you asked about outsourced 2factor auth but it’s worth being aware of the tiqr open source “pin via smartphone” project https://tiqr.org/   I’ve tried out the demo and the app and it looks a useful 2nd factor auth technique.

 

Regards

 

Cal

 

Caleb racey

ISS

Newcastle University  

 

 

 

 

Message from leifj@sunet.se

On 11/16/2012 12:30 PM, caleb racey wrote:

I know you asked about outsourced 2factor auth but it’s worth being aware of the tiqr open source “pin via smartphone” project https://tiqr.org/   I’ve tried out the demo and the app and it looks a useful 2nd factor auth technique.

 

Regards

 

Cal

 

Caleb racey

ISS

Newcastle University  

 

 

unitedid.org is aiming for an outsourced 2nd factor service. I can provide a handshake
on request. I know SURFnet is testing their stuff right now.

        Cheers Leif

 

 

You mentioned funding issues, but is anyone using SecureAuth?  This is something I had looked at a couple years ago and it seemed like a really good SSO/2FA/SAML/Mobile Apps based solution.

-Paul