
edugain-discuss - Re: [eduGAIN-discuss] FIDO2 and SSO?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] FIDO2 and SSO?


  • From: Leif Johansson <leifj AT sunet.se>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] FIDO2 and SSO?
  • Date: Wed, 27 Feb 2019 14:36:00 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=sunet-se.20150623.gappssmtp.com

On 2019-02-27 14:17, Stefan Winter wrote:
> Hi,
>
>>     What do you think about FIDO2 movement and current SSO systems
>> provided by eduGAIN and various federations behind it?
>>
>> https://globenewswire.com/news-release/2019/02/25/1741351/0/en/Android-Now-FIDO2-Certified-Accelerating-Global-Migration-Beyond-Passwords.html
>
> FIDO2 (WebAuthn) and even its predecessor U2F are both very nice
> protocols. As a second factor, they are vastly superior to simple OTP
> generators because they provide safeguards against online
> phishing/skimming attacks.
>
> At RESTENA, we are currently deploying two-factor authentication and are
> settling with OTP variants (Yubikey and generic TOTP) *for now*, but
> with a hope that we can move on towards U2F / FIDO2 WebAuthn soon.

FTR I strongly advise against anyone implementing "classic" OTP
at this point. There are active and highly automated attacks being
mounted all the time against such systems.

>
> Right now server-side support seems to be lagging a bit - the popular
> privacyIDEA second-factor authentication server supports U2F in a way
> that is compatible with Chrome (but not Firefox). The next release has
> code to support Firefox as well, and it has a plugin to integrate with
> simpleSAMLphp.

You don't need much server-side to do WebAuthn. All you have to do is to
store a public key somewhere in your user store. You can probably figure
that out without handholding :-)

>
> So, if all that plays out, I hope that we'll be doing 2FA with U2F on
> our SAML IdPs at least in the mid-term future. And the only thing
> holding us back from moving to FIDO2 then is server-side support for that.
>
> Greetings,
>
> Stefan Winter
>


Attachment: signature.asc
Description: OpenPGP digital signature



