Abstract
The federated identity model provides a solution for user authentication across multiple administrative domains. Academic federations, such as the Brazilian federation, are examples of this model in practice. The majority of institutions that participate in academic federations employ password-based authentication for their users, so an attacker only needs to find out one password in order to impersonate the user at all federated service providers. Multi-factor authentication emerges as a solution to increase the robustness of the authentication process. This article introduces a comprehensive and open-source solution that offers multi-factor authentication for Shibboleth Identity Providers. Based on the Multi-factor Authentication Profile standard, our solution provides three additional second factors (One-Time Password, FIDO2 and Phone Prompt). The solution has been deployed in the Brazilian academic federation, where it was evaluated using functional and integration testing, as well as security and case study analysis.
Highlights
Identity proofing establishes that a subject is who they claim to be
We developed an MFaProviderIdP library to be deployed in the Shibboleth Identity Provider (IdP), which is used by IdP authentication flows to invoke the Multi-Factor Provider (MFaP) application
The MFaP is based on the Security Assertion Markup Language (SAML) Multi-factor authentication (MFA) Profile to extend the IdP authentication flows, and it can be integrated with existing IdPs
Summary
Identity proofing establishes that a subject is who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid credentials associated with that subject's digital identity [1]. The classic paradigm for authentication systems identifies three categories of authentication [1]: something you know (e.g., a password); something you have (e.g., a hardware token); something you are (e.g., a fingerprint); and, in [2], someone you know (e.g., a social network). Each of these categories has advantages and drawbacks that can deny a legitimate user access. Passwords can be forgotten, smart cards misplaced, and biometrics can become temporarily unavailable, for example through loss of voice or a poor-quality fingerprint. Biometrics are not secure when used as a single authentication factor, since they can be replicated (an attacker may obtain a copy of the subscriber's fingerprint and build a replica) [2].