It depends on what admin access they have. I have seen IdP where you can do a password reset and get in with your password and change the phone number for your second factor. I would not personally accredit that IdP as two factor. It is possible to do safely, but the assessor will need to look for those sorts of loopholes. You don't want to know what LoA I would give UW. Good thing I am not one of the assessors, otherwise people wouldn't make LoA 1:) John B. On 2009-12-14, at 10:08 PM, RL 'Bob' Morgan wrote:
The other thing to remember is that the user can't be allowed administrative access to the account if they are authenticated at the lower LoA without compromising the Higher LoA. That is something I would look for as an assessor for a multi LoA IdP.
It is important to distinguish "multiple LoAs for the IdP as a whole, one LoA per user" from "multiple LoAs per user". The former, it seems to me, is going to be the case in any organization of any significant size. Multiple LoAs per user is definitely trickier and less obviously needed, though still relatively common (e.g. at my university many people have two-factor devices they use for more sensitive apps in addition the plain old username/password they use for all other apps).
I don't know that I agree with your concern above in general, though. Our users have some kinds of "administrative access" to their accounts (update mailing address, eg, or change password) via LoA2 (-equivalent) login. This doesn't affect the quality of their two-factor (LoA3-equiv) login, as far as I can see.
- RL "Bob" _______________________________________________ DG-Concordia mailing list DG-Concordia@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/dg-concordia