Enforce MFA for federated IDPs

Nate Klingenstein ndk at signet.id
Fri May 3 16:03:00 EDT 2019


> My question is, is it possible that an IdP authenticates a user by 
> username and password but returns an assertion with 
> authnContext="https://refeds.org/profile/mfa"? How do we prohibit that?

You really can't.  If the IdP lies to you, the IdP lies to you, and the general remediation is to stop the IdP from lying to you.  Having a third party like a federation vouch for an IdP's capability to perform MFA would give you something to cross-check against, which I suppose is another minor advantage to the model, but it wouldn't stop a verified IdP from expressing password-based authentication as MFA.
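As an added illustration (not code from this thread or from any federation software), here is the SP-side cross-check the reply describes: the SP rejects an assertion unless its AuthnContextClassRef is the REFEDS MFA profile and the issuing IdP appears in a federation-published list of IdPs vouched for MFA. The list and the assertion XML are constructed here; signature validation and the usual SAML checks are assumed to have already happened, and the check still cannot detect a vouched IdP that labels password authentication as MFA.

```python
import xml.etree.ElementTree as ET

REFEDS_MFA = "https://refeds.org/profile/mfa"
PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for a federation-published list of IdP entityIDs
# whose MFA capability the federation has vouched for (hypothetical values).
FEDERATION_MFA_CAPABLE = {"https://idp.example.edu/idp/shibboleth"}


def make_assertion(issuer: str, class_ref: str) -> str:
    """Build a minimal constructed SAML 2.0 Assertion for demonstration."""
    return (
        '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_c1" Version="2.0" IssueInstant="2019-05-03T20:03:00Z">'
        f"<saml2:Issuer>{issuer}</saml2:Issuer>"
        '<saml2:AuthnStatement AuthnInstant="2019-05-03T20:02:58Z">'
        "<saml2:AuthnContext>"
        f"<saml2:AuthnContextClassRef>{class_ref}</saml2:AuthnContextClassRef>"
        "</saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>"
    )


def extract_authn(assertion_xml: str):
    """Return (issuer, AuthnContextClassRef) from an Assertion or a Response wrapping one."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{NS['saml2']}}}Assertion" else root.find(".//saml2:Assertion", NS)
    if assertion is None:
        return "", ""
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS)
    ref = assertion.findtext(
        "saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", default="", namespaces=NS
    )
    return issuer.strip(), ref.strip()


def mfa_accepted(assertion_xml: str, vouched=FEDERATION_MFA_CAPABLE):
    """Accept only REFEDS MFA from an IdP the federation vouches for; return (ok, reason)."""
    issuer, ref = extract_authn(assertion_xml)
    if ref != REFEDS_MFA:
        return False, f"authn context is not REFEDS MFA: {ref!r}"
    if issuer not in vouched:
        return False, f"issuer {issuer!r} is not vouched for MFA by the federation"
    return True, "ok"
```

A real SP (e.g. a Shibboleth SP deployment) would enforce the class reference and the vouched list through its configuration and metadata rather than by hand-parsing XML; the logic is the same.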

