shibboleth-dev - Re: [Shib-Dev] Feedback for Shibboleth 2.2 roadmap
  • From: Chad La Joie <>
  • Subject: Re: [Shib-Dev] Feedback for Shibboleth 2.2 roadmap
  • Date: Thu, 26 Feb 2009 14:17:56 +0100
  • Organization: SWITCH



Peter Schober wrote:
> * Chad La Joie [2009-02-26 13:58]:
>> forceAuthn is a joke with anything other than OTP or the like.
>
> Are you referring to this specific case or to forceAuthn in general?

forceAuthn in general. Most people, I suspect, think this means the
user actually authenticated again. However, a huge number of users save
usernames/passwords in their browsers or use some plugin so that they
don't have to re-enter this information. Using client certs, which is
what a number of people recommend, doesn't fare any better because the
browser and the OS love to cache PIN numbers and various other things so
that users don't have to enter them over and over. SPNEGO works the
same way; it just derives new tickets from your existing TGT.

So, you have no way of knowing, in most cases, whether the user was
actually forced to re-authenticate or not. If you can't know if the
data is accurate then basing any decision upon that data seems like a
bad idea.

The only way to really be sure is to use something that can't be cached like
that. Something like OTPs or RSA SecurID or the like.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
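The argument above is that an SP cannot tell from the assertion alone whether ForceAuthn produced a human interaction: the IdP will happily report a fresh AuthnInstant even when the browser autofilled the password, the OS answered the client-cert PIN prompt, or SPNEGO minted a service ticket from a cached TGT. The added example below (written for this page, not code from the original message or from the Shibboleth project) shows the SP-side consequence: treat a fresh AuthnInstant as necessary but not sufficient, and only trust the forced re-authentication when the AuthnContextClassRef names a method that cannot be satisfied from a cache. The set of "non-cacheable" classes is an assumed SP policy (two standard SAML 2.0 AC classes are used as placeholders), and the Response is constructed inline and unsigned; a real deployment verifies the signature, Conditions and InResponseTo before getting this far.

```python
"""SP-side evaluation of a SAML 2.0 Response returned for an AuthnRequest that
carried ForceAuthn="true".  Added example; assumptions are marked below."""

from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# ASSUMPTION (SP policy): authentication context classes the SP accepts as proof
# that a human supplied a fresh secret.  Password, client-cert and Kerberos
# classes are deliberately absent because browsers, the OS keychain and the
# Kerberos TGT cache can all answer those without the user doing anything.
NON_CACHEABLE_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
}


def parse_instant(value):
    """Parse a SAML xsd:dateTime in UTC (e.g. 2009-02-26T13:17:56Z, optional fraction)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def evaluate_forced_authn(response_xml, request_issue_instant, max_skew_s=60):
    """Return (accepted, reason) for a Response to a ForceAuthn request.

    request_issue_instant is the IssueInstant string the SP put on its own
    AuthnRequest; max_skew_s tolerates IdP/SP clock drift."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement in assertion"

    authn_at = parse_instant(stmt.get("AuthnInstant"))
    asked_at = parse_instant(request_issue_instant)

    # Necessary condition: the IdP must claim the login happened after we asked.
    # An older AuthnInstant means it ignored ForceAuthn and reused its session.
    if authn_at < asked_at - timedelta(seconds=max_skew_s):
        return False, "AuthnInstant predates the ForceAuthn request: IdP session reuse"

    ctx = stmt.find("saml:AuthnContext/saml:AuthnContextClassRef", NS)
    cls = ctx.text.strip() if ctx is not None and ctx.text else ""

    # Sufficient condition: the method must be one a cache cannot answer.
    # A fresh AuthnInstant with a password class proves only that the IdP's
    # login handler ran, not that the user typed anything.
    if cls not in NON_CACHEABLE_CLASSES:
        return False, "fresh AuthnInstant but cacheable method %s; user presence unproven" % (cls or "(unspecified)")
    return True, "fresh AuthnInstant with non-cacheable method %s" % cls


def build_response(authn_instant, authn_class):
    """Constructed, minimal, unsigned Response for the demo (not a real IdP message)."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
        'IssueInstant="%s">'
        '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="%s">'
        '<saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>'
        '<saml:AuthnStatement AuthnInstant="%s"><saml:AuthnContext>'
        '<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>'
        '</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>'
    ) % (authn_instant, authn_instant, authn_instant, authn_class)


if __name__ == "__main__":
    request_at = "2009-02-26T13:00:00Z"  # constructed AuthnRequest IssueInstant
    ppt = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    otp = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
    for label, resp in [
        ("session reuse", build_response("2009-02-26T12:00:00Z", ppt)),
        ("fresh, autofilled password", build_response("2009-02-26T13:00:05Z", ppt)),
        ("fresh OTP", build_response("2009-02-26T13:00:05Z", otp)),
    ]:
        print(label, "->", evaluate_forced_authn(resp, request_at))
```

The second case is the one the message is about: the IdP did everything ForceAuthn asks of it and still cannot vouch for the user, so the SP has to reject it on the authentication context rather than on the timestamp. Which classes go into the accepted set is a local policy decision, and an IdP will only emit an OTP class if it actually ran an OTP login handler for that request (for example because the SP's AuthnRequest also carried a RequestedAuthnContext), so the two ends have to agree on it.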
