Question about Shibboleth and MFA - Google Authenticator

Tom Scavo trscavo at gmail.com
Mon Feb 18 14:26:52 EST 2019


On Mon, Feb 18, 2019 at 1:23 PM Greg Haverkamp <gahaverkamp at lbl.gov> wrote:
>
> On Sat, Feb 16, 2019 at 5:31 AM Tom Scavo <trscavo at gmail.com> wrote:
>>
>> On Fri, Feb 15, 2019 at 7:45 PM Greg Haverkamp <gahaverkamp at lbl.gov> wrote:
>> >
>> > at the time, we had to meet some NIST 800-63-2 LoA 3 requirements, which we could accomplish with some tweaks to LinOTP (which Duo at the time could not meet).
>>
>> OTP is not resistant to verifier impersonation so by itself it does
>> not satisfy Authenticator Assurance Level 3 (as it's now called by
>> NIST). Duo Push is not resistant to verifier impersonation either.
>
> Alright.  But I didn’t say anything about 800-63-3, nor did I say anything about “by itself”.  (And, no, LoA 3 is not now called AAL3 if your requirement is specifically written as being 800-63-2.)

That is technically correct but I didn't want a casual reader to come
away from your comment thinking that OTP protects against all threats
because it does not. For example, password + OTP does not protect
against an active man-in-the-middle, which puts the SSO session cookie
at risk.

> It’s not terribly relevant to Shibboleth, anyway, as I had no requirement to claim Shibboleth (and all of the assertion-related stuff) at LoA 3.  But I did have other systems that required authentication at LoA 3, and Duo was insufficient. Since I’m not a Duo customer, I haven’t taken the time to figure out where Duo Push lands these days.

Sure, but Duo is popular here, hence my earlier remark. For the
archive, it turns out that Duo Push is only slightly better than OTP
with respect to an active man-in-the-middle since the push app
displays the location of the user. I doubt ANY push implementation
does better than that (but I can't be sure since push authentication
is proprietary).

Anyway, if I were in Melvin's shoes, and I couldn't afford Duo, yeah,
I'd be looking for a stopgap too.

Tom
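The verifier-impersonation point in the exchange above, shown as an added example that is not part of the original thread or of any Shibboleth, LinOTP or Duo code: a TOTP verifier (RFC 6238, here with the RFC's published test secret) checks only the shared secret and the time step, so a code the victim types into a phishing page and the attacker relays to the real verifier within the window is accepted. The second half is a constructed, simplified sketch of an origin-bound challenge-response (the principle behind WebAuthn, not its actual message format): because the signature covers the origin the browser actually talked to, a relay through a look-alike origin fails. The device key, challenge and origin strings are made-up sample values.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 / RFC 4226 test secret "12345678901234567890", base32-encoded.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per time step


def totp(secret_b32: str, t: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the current time step."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(t) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verifier_accepts_otp(secret_b32: str, presented: str, now: int, window: int = 1) -> bool:
    """The real verifier: accepts any code valid in the +/- window.
    Nothing in the check identifies WHO presented the code or from WHERE."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * STEP), presented)
        for k in range(-window, window + 1)
    )


def relay_attack_totp(now: int) -> bool:
    """Victim types the live code into a phishing page; the attacker relays it
    to the genuine verifier inside the time window. Returns whether it is accepted."""
    code_typed_by_victim = totp(SECRET_B32, now)
    return verifier_accepts_otp(SECRET_B32, code_typed_by_victim, now)


# --- Constructed sketch of an origin-bound challenge-response ---------------
# Simplification for illustration only: a real WebAuthn assertion uses an
# asymmetric key and a structured clientDataJSON, but the binding idea is the same.

def authenticator_sign(device_key: bytes, challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """The authenticator signs the challenge together with the origin the browser
    actually connected to. It has no way to claim a different origin."""
    return hmac.new(device_key, challenge + b"|" + origin_seen_by_browser.encode(), hashlib.sha256).digest()


def verifier_accepts_bound(device_key: bytes, challenge: bytes, sig: bytes, expected_origin: str) -> bool:
    """The relying party recomputes over ITS own origin; a signature made for
    any other origin does not match."""
    expected = hmac.new(device_key, challenge + b"|" + expected_origin.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def relay_attack_bound() -> bool:
    """Same phishing relay against the origin-bound scheme (constructed values)."""
    device_key = b"constructed-device-key"
    challenge = b"constructed-challenge-from-idp"
    # The victim's browser is on the attacker's look-alike origin.
    sig = authenticator_sign(device_key, challenge, "https://idp.example.com.evil.test")
    # Attacker forwards the response to the genuine IdP.
    return verifier_accepts_bound(device_key, challenge, sig, "https://idp.example.com")


if __name__ == "__main__":
    print("TOTP relay accepted:", relay_attack_totp(1_000_000))      # True
    print("Origin-bound relay accepted:", relay_attack_bound())      # False
```

Once the relayed TOTP is accepted, the IdP sets its SSO session cookie on the attacker's connection, which is the risk the message above points at; the origin-bound variant never gets that far because the verifier's recomputation fails.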

