Autumn flow: MFA and Password interoperability

Cantor, Scott cantor.2 at osu.edu
Tue Jul 9 12:14:20 EDT 2019


> From your response, is it your opinion that we should use MFA flow for all
> apps, properly bypass the second factor for specific apps, and let the MFA flow
> use the "properly built" merged results to determine if a two-factor step up is
> required?

Yes, there are no easy ways to use the MFA feature other than using it to handle everything, unless the alternatives are totally distinct, X.509 or some such. But more importantly, using the principal machinery is the proper way to control behavior when it comes to services, even if it means building some of the state objects to drive that instead of configuring them normally.

It's possible to control settings dynamically anyway, so if deriving the defaultAuthenticationMethods property had to defer to a web service, better to do that via a lookup strategy function and let the rest of the system ignore how the setting was determined.

The mess is when the user's identity is involved in the decision. Then there are no good answers because it's a messy policy with a messy solution. But it's best to let the MFA flow sort it out in that case. When the service(s) are the only policy input, things are generally clean.

-- Scott
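The decision Scott describes, as an added example that is not part of the original post and not Shibboleth's own code: the per-service defaults come from the service alone (what a lookup-strategy function for defaultAuthenticationMethods would return), and the MFA flow then compares the merged results of the flows already run against what the request needs to decide whether a second factor is required. It is plain JavaScript so it runs stand-alone; the service entityIDs, the policy table and the flow names "authn/Password" and "authn/Duo" are assumptions made up for the illustration, while the two context class references are the standard SAML and REFEDS identifiers. Inside an IdP the same logic would be split between the lookup-strategy function and the MFA flow's transition script, with the IdP's own context objects in place of the plain objects used here.

```javascript
// Model of a service-driven step-up decision. The policy table, service IDs
// and flow names below are constructed for illustration, not taken from any
// real deployment.

const PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
const MFA_CTX = "https://refeds.org/profile/mfa";

// IdP-wide default: every service gets a second factor unless listed below.
const IDP_DEFAULT = [MFA_CTX];

// Hypothetical services for which the second factor is deliberately bypassed.
const PASSWORD_ONLY_SERVICES = new Set([
  "https://wiki.example.org/shibboleth",
  "https://calendar.example.org/sp",
]);

// What a lookup-strategy function for defaultAuthenticationMethods would
// return: the acceptable contexts for this request, driven only by the
// service, so no user-specific policy leaks into the decision.
function defaultAuthenticationMethods(relyingPartyId) {
  if (PASSWORD_ONLY_SERVICES.has(relyingPartyId)) {
    return [PASSWORD_CTX];
  }
  return IDP_DEFAULT.slice();
}

// Contexts the login must end up satisfying: an explicit request from the
// SP wins (exact match, the SAML default comparison); otherwise fall back to
// the per-service defaults. This is how an SP can still ask for step-up on a
// service that would normally be password-only.
function requiredContexts(relyingPartyId, requestedContexts) {
  if (requestedContexts && requestedContexts.length > 0) {
    return requestedContexts.slice();
  }
  return defaultAuthenticationMethods(relyingPartyId);
}

// "Merged results": every flow completed so far in this login, each with
// the contexts it can assert, e.g.
//   [{ flow: "authn/Password", contexts: [PASSWORD_CTX] }]
// The request is satisfied as soon as any completed flow asserts a
// required context.
function isAcceptable(required, activeResults) {
  return activeResults.some(r => r.contexts.some(c => required.includes(c)));
}

// The transition decision the MFA flow makes after each step: null means
// the merged results already satisfy the request and the login is done,
// otherwise the ID of the next flow to run. Flow names are assumptions.
function nextFlow(relyingPartyId, requestedContexts, activeResults) {
  const required = requiredContexts(relyingPartyId, requestedContexts);
  if (isAcceptable(required, activeResults)) {
    return null;
  }
  const havePassword = activeResults.some(r => r.flow === "authn/Password");
  if (!havePassword) {
    return "authn/Password";
  }
  if (required.includes(MFA_CTX)) {
    return "authn/Duo";
  }
  // Nothing the configured flows can assert matches what was asked for;
  // the flow has to fail rather than silently downgrade.
  throw new Error("no configured flow satisfies " + JSON.stringify(required));
}
```

Run it once per step of a login: with no results the answer is "authn/Password"; after the password flow a bypassed service returns null while an MFA-default service returns "authn/Duo"; after Duo the MFA-default service also returns null. Note the two places where a user attribute is conspicuously absent: the service table and the comparison against results. Keeping it that way is what makes the policy clean in the sense the post describes.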


