Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] FIDO2 and SSO?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] FIDO2 and SSO?


Chronological Thread 
  • From: Leif Johansson <leifj AT sunet.se>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] FIDO2 and SSO?
  • Date: Wed, 27 Feb 2019 14:33:30 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=sunet-se.20150623.gappssmtp.com

On 2019-02-27 13:57, Janos Mohacsi wrote:
> Dear All,
>
>     What do you think about FIDO2 movement and current SSO systems
> provided by eduGAIN and various federations behind it?
>
> https://globenewswire.com/news-release/2019/02/25/1741351/0/en/Android-Now-FIDO2-Certified-Accelerating-Global-Migration-Beyond-Passwords.html
>
> Best Regards,
>

Here is a short summary of what I said at TIIME about this topic:

- A hard and risky part of an IdP is managing passwords
- SSO is about outsourcing authentiction because passwords are hard
- FIDO (WebAuth) outsources authentication to the client platform
- WebAuth makes authentication worthless as "business case" for an IdP

Hence....

You can only make a continued case for federation if you provide
attributes. There are several examples of that - for instance any
case where there is a need for affiliation (eg for billing).

But if I'm an RP (say a research proxy) and don't get any attributes
I can use, then it is much easier for me to just implement WebAuth
than to continue to haggle with IdP operators.

As the saying goes: its time for the IdP operators to crap or get
off the can in the eScience use case.

Cheers Leif



Archive powered by MHonArc 2.6.19.

Top of Page