Federated Multifactor Authentication Ready to Use
The wait is over! The ability to perform multifactor authentication in a federated context is now a reality.
Multifactor authentication (MFA) means authenticating with more than one of the following types of factor: something you know, something you have, something you are. An example is entering a password (something you know) and then entering a code that has been sent to your cellphone (something you have) when prompted to log in to an application.
Until now, a service provider (SP) operating in a federated environment that wanted to require multifactor authentication for an application had no standard way to ask for it. Likewise, an identity provider (IdP) in the federation had no standard way to tell services that a user had, in fact, authenticated using more than one factor.
In 2016, the InCommon Assurance Advisory Committee chartered an MFA Working Group and charged the group with creating an interoperability profile that would specify how the community (IdPs and SPs) could communicate MFA in a standard, mutually understood way.
The resulting profile is deliberately simple: it has only three requirements that must all be met before multifactor authentication may be asserted.
- The authentication of the user's current session must have used a combination of at least two distinct types of factors.
- The factors must be independent.
- The combination of the factors must mitigate risks related to non-real-time attacks such as phishing, offline cracking, online guessing and theft of a (single) factor. More specific guidance about the risks that must be mitigated and about what constitutes an acceptable “second factor” is provided in companion documents to the profile.
Following the completion of the work of the MFA Interoperability Profile Working Group, the MFA Profile was taken under consideration by the international community via the REFEDS (Research and Education FEDerations) group. After a slight modification to the profile and a period of community consultation, the REFEDS Steering Committee voted to adopt the profile in June 2017.
So, how do you take advantage of this new capability?
The vehicle for communicating multifactor authentication is a SAML authentication context: the SP requests it, and the IdP asserts it, using the profile's identifier. Adherence to the profile is self-determined and self-asserted, so a service is relying on the identity provider's own claim that the three requirements above were met. The adopted REFEDS profile is live and ready for implementation at https://refeds.org/profile/mfa.
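The SAML exchange the profile rides on, as an added example that is not code from REFEDS, InCommon or the profile document: the SP places the profile URL, which is also the AuthnContextClassRef value, in a RequestedAuthnContext with the exact comparison (the sensible choice, since the "minimum" and "better" comparisons need an ordering of classes that this profile does not define), and the IdP either returns that class ref in the AuthnStatement of its assertion or fails the request with a Responder/NoAuthnContext status. The entity IDs, endpoint URLs, message IDs and timestamps are invented, and the sample responses are constructed and unsigned.

```python
"""Request and check the REFEDS MFA authentication context in SAML 2.0.
Added example, not REFEDS or InCommon code; stdlib only. Entity IDs, URLs,
message IDs and timestamps are made up for illustration."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
# The profile's URL is also the AuthnContextClassRef value that carries it.
REFEDS_MFA = "https://refeds.org/profile/mfa"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

def build_authn_request(sp_entity_id: str, acs_url: str,
                        request_id: str, issue_instant: str) -> str:
    """SP side: an AuthnRequest asking the IdP for the REFEDS MFA context, exact match."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                        {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = REFEDS_MFA
    return ET.tostring(req, encoding="unicode")

def requested_contexts(request_xml: str) -> tuple[str, list[str]]:
    """IdP side: (Comparison, class refs) the SP asked for; SAML defaults Comparison to exact."""
    rac = ET.fromstring(request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return ("", [])
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return (rac.get("Comparison", "exact"), refs)

def response_status(response_xml: str) -> list[str]:
    """StatusCode values of a Response, outermost first (e.g. Responder, NoAuthnContext)."""
    codes = []
    node = ET.fromstring(response_xml).find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", ""))
        node = node.find("samlp:StatusCode", NS)
    return codes

def asserted_contexts(response_xml: str) -> list[str]:
    """AuthnContextClassRef values inside AuthnStatements; nowhere else in the XML counts."""
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in ET.fromstring(response_xml).findall(path, NS) if e.text]

def mfa_was_asserted(response_xml: str) -> bool:
    """SP side: True only for a Success response whose AuthnStatement carries REFEDS MFA.
    This is the authentication-context check alone: a real SP verifies the XML
    signature, audience, conditions and InResponseTo before trusting the response."""
    codes = response_status(response_xml)
    if not codes or codes[0] != STATUS_SUCCESS:
        return False
    return REFEDS_MFA in asserted_contexts(response_xml)

# Constructed sample responses, unsigned and trimmed to what the check needs.
MFA_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
    Version="2.0" IssueInstant="2017-06-30T12:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-06-30T12:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2017-06-30T11:59:58Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{REFEDS_MFA}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same IdP, but the user only typed a password: a different class ref, so MFA is not asserted.
PASSWORD_ONLY_RESPONSE = MFA_RESPONSE.replace(
    REFEDS_MFA, "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

# An IdP that cannot meet an exact-match request answers Responder/NoAuthnContext instead.
REFUSED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r2"
    Version="2.0" IssueInstant="2017-06-30T12:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="{STATUS_NO_AUTHN_CONTEXT}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(build_authn_request("https://sp.example.org/shibboleth", "https://sp.example.org/acs",
                              "_req1", "2017-06-30T11:59:00Z"))
    for name, resp in [("mfa", MFA_RESPONSE), ("password only", PASSWORD_ONLY_RESPONSE),
                       ("refused", REFUSED_RESPONSE)]:
        print(f"{name:13s} status={response_status(resp)} mfa={mfa_was_asserted(resp)}")
```

Two details are worth noticing. The check looks for the class ref only inside an AuthnStatement, not anywhere in the document, because that is the one place the profile's assertion lives. And the presence of the class ref is the whole story on the wire: self-assertion means the SP cannot see which factors were used, only that the IdP claims to have met the profile, so an IdP that cannot satisfy an exact request should fail it rather than answer with a weaker context.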
What are you waiting for?