Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] FIDO2 and SSO?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] FIDO2 and SSO?


Chronological Thread 
  • From: Stefan Winter <stefan.winter AT restena.lu>
  • To: Janos Mohacsi <mohacsi.janos AT kifu.gov.hu>, edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] FIDO2 and SSO?
  • Date: Wed, 27 Feb 2019 14:17:38 +0100

Hi,

>     What do you think about FIDO2 movement and current SSO systems
> provided by eduGAIN and various federations behind it?
>
> https://globenewswire.com/news-release/2019/02/25/1741351/0/en/Android-Now-FIDO2-Certified-Accelerating-Global-Migration-Beyond-Passwords.html

FIDO2 (WebAuthn) and even its predecessor U2F are both very nice
protocols. As a second factor, they are vastly superior to simple OTP
generators because they provide safeguards against online
phishing/skimming attacks.

At RESTENA, we are currently deploying two-factor authentication and are
settling with OTP variants (Yubikey and generic TOTP) *for now*, but
with a hope that we can move on towards U2F / FIDO2 WebAuthn soon.

Right now server-side support seems to be lagging a bit - the popular
privacyIDEA second-factor authentication server supports U2F in a way
that is compatible with Chrome (but not Firefox). The next release has
code to support Firefox as well, and it has a plugin to integrate with
simpleSAMLphp.

So, if all that plays out, I hope that we'll be doingv 2FA with U2F on
our SAML IdPs at least in the mid-term future. And the only thing
holding us back from moving to FIDO2 then is server-side support for that.

Greetings,

Stefan Winter

--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66

Attachment: 0xC0DE6A358A39DC66.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page