Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] FIDO2 and SSO?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] FIDO2 and SSO?


Chronological Thread 
  • From: Leif Johansson <leifj AT sunet.se>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] FIDO2 and SSO?
  • Date: Wed, 27 Feb 2019 14:36:00 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=sunet-se.20150623.gappssmtp.com

On 2019-02-27 14:17, Stefan Winter wrote:
> Hi,
>
>>     What do you think about FIDO2 movement and current SSO systems
>> provided by eduGAIN and various federations behind it?
>>
>> https://globenewswire.com/news-release/2019/02/25/1741351/0/en/Android-Now-FIDO2-Certified-Accelerating-Global-Migration-Beyond-Passwords.html
>
> FIDO2 (WebAuthn) and even its predecessor U2F are both very nice
> protocols. As a second factor, they are vastly superior to simple OTP
> generators because they provide safeguards against online
> phishing/skimming attacks.
>
> At RESTENA, we are currently deploying two-factor authentication and are
> settling with OTP variants (Yubikey and generic TOTP) *for now*, but
> with a hope that we can move on towards U2F / FIDO2 WebAuthn soon.

FTR I strongly advise against anyone implementing "classic" OTP
at this point. There are active and highly automated attacks being
mounted all the time against such systems.

>
> Right now server-side support seems to be lagging a bit - the popular
> privacyIDEA second-factor authentication server supports U2F in a way
> that is compatible with Chrome (but not Firefox). The next release has
> code to support Firefox as well, and it has a plugin to integrate with
> simpleSAMLphp.

You don't need much server-side to do WebAuth. All you have to do is to
store a public key somewhere in your user store. You can probably figure
that out without handholding :-)

>
> So, if all that plays out, I hope that we'll be doingv 2FA with U2F on
> our SAML IdPs at least in the mid-term future. And the only thing
> holding us back from moving to FIDO2 then is server-side support for that.
>
> Greetings,
>
> Stefan Winter
>


Attachment: signature.asc
Description: OpenPGP digital signature




Archive powered by MHonArc 2.6.19.

Top of Page