is there a class of users who would always log-in at a higher LOA?
Within the IdP enterprise, I'd guess not (i.e. even those users that
require higher LOA credentials would also have a lower LOA mate) but
perhaps not for federated actions at an SP?
Paul
On 12/14/2009 8:08 PM, RL 'Bob' Morgan wrote:
The other thing to remember is that the user
can't be allowed administrative access to the account if they are
authenticated at the lower LoA without compromising the Higher LoA.
That is something I would look for as an assessor for a multi LoA IdP.
It is important to distinguish "multiple LoAs for the IdP as a whole,
one LoA per user" from "multiple LoAs per user". The former, it seems
to me, is going to be the case in any organization of any significant
size. Multiple LoAs per user is definitely trickier and less obviously
needed, though still relatively common (e.g. at my university many
people have two-factor devices they use for more sensitive apps in
addition the plain old username/password they use for all other apps).
I don't know that I agree with your concern above in general, though.
Our users have some kinds of "administrative access" to their accounts
(update mailing address, eg, or change password) via LoA2 (-equivalent)
login. This doesn't affect the quality of their two-factor (LoA3-equiv)
login, as far as I can see.
- RL "Bob"
_______________________________________________
DG-Concordia mailing list
DG-Concordia@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/dg-concordia