[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-users
Subject:    RE: Google 2sv instead of Duo for MFA in Shibboleth IdP?
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2016-10-21 0:20:59
Message-ID: 9846A6064BD102419D06814DD0D78DE112A5B408 () CIO-TNC-D2MBX02 ! osuad ! osu ! edu
[Download RAW message or body]

> I'm suppressing commentary, just posting the question: has anyone
> compared, evaluated or deployed Google authenticator 2sv and in their IdP
> or know to what extent it would be possible?

AFAIK, that's just OATH, and we're planning to eventually implement it, it just \
didn't make 3.3, Duo was the higher priority both for my campus and the community in \
general. Given a token store / API, the actual flow to implement the login should be \
very simple in 3.3, but per the FIDO conversation I just had with a couple of people \
on the list, there's the question of how the token management/enrollment is done and \
by whom.

I would ask Rich what he meant by "your users will hate you". Is that a reference to \
the point that using the OATH apps like this implies separate registration of the \
authenticator app with each OATH service?

Using Google *authentication* with the IdP is really a different thing entirely. I \
would think that takes some more thought around policy and such since that implies \
using Google accounts directly in place of your own.

-- Scott

-- 
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net


[prev in list] [next in list] [prev in thread] [next in thread]