edugain-discuss - Re: [eduGAIN-discuss] FIDO2 and SSO?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Leif Johansson <leifj AT sunet.se>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] FIDO2 and SSO?
  • Date: Wed, 27 Feb 2019 14:33:30 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=sunet-se.20150623.gappssmtp.com

On 2019-02-27 13:57, Janos Mohacsi wrote:
> Dear All,
>
>     What do you think about FIDO2 movement and current SSO systems
> provided by eduGAIN and various federations behind it?
>
> https://globenewswire.com/news-release/2019/02/25/1741351/0/en/Android-Now-FIDO2-Certified-Accelerating-Global-Migration-Beyond-Passwords.html
>
> Best Regards,
>

Here is a short summary of what I said at TIIME about this topic:

- A hard and risky part of an IdP is managing passwords
- SSO is about outsourcing authentication because passwords are hard
- FIDO (WebAuth) outsources authentication to the client platform
- WebAuth makes authentication worthless as "business case" for an IdP

Hence....

You can only make a continued case for federation if you provide
attributes. There are several examples of that - for instance any
case where there is a need for affiliation (e.g. for billing).

But if I'm an RP (say a research proxy) and don't get any attributes
I can use, then it is much easier for me to just implement WebAuth
than to continue to haggle with IdP operators.

As the saying goes: it's time for the IdP operators to crap or get
off the can in the eScience use case.

Cheers Leif


