A solution for supporting MFA in Shibboleth IdPs in accordance with the REFEDS MFA Profile
MICHELLE WANGHAM
Coordinator of the Identity Management Technical Committee, RNP (Brazilian NREN)
TABLE OF CONTENTS
• Motivation and Objectives
• Currently implemented 2FA technologies
• Solution Architecture
  ✓ Authentication flows
  ✓ Second-factor lifecycle management
• Work in progress
• Concluding Remarks
MOTIVATION
✓ easy-to-guess passwords
✓ the same password reused across multiple accounts
✓ passwords written down
✓ shoulder surfing
✓ phishing
✓ social engineering
✓ brute-force attacks
✓ purchase of leaked passwords
MOTIVATION
• Password-based credentials are the most widely used in academic federations
• Federated SSO facilitates the attacker's job (one compromised credential grants access to many services)
• Multi-factor authentication (MFA) emerges as a solution
  ✓ Makes the authentication process more robust
  ✓ Among the most cost-effective mechanisms
• REFEDS MFA Profile
  ✓ Requirements that an authentication event must meet in order to communicate the usage of MFA
  ✓ A SAML authentication context for expressing this in SAML
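As an added example (not code from the slides or from the GT-Ampto project): the SP-side counterpart of the SAML authentication context mentioned above, which checks that a SAML Response really asserts the REFEDS MFA context identifier rather than a weaker one. The sample Response is constructed and unsigned; the check assumes the SP's SAML library has already validated the signature.

```python
# Added example: verify that a SAML Response asserts the REFEDS MFA context.
import xml.etree.ElementTree as ET

# Authentication context identifier defined by the REFEDS MFA Profile.
REFEDS_MFA = "https://refeds.org/profile/mfa"

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def authn_context_classes(response_xml: str) -> list:
    """Return every AuthnContextClassRef found in the Response's assertions."""
    root = ET.fromstring(response_xml)
    path = "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(e.text or "").strip() for e in root.findall(path, NS)]


def asserts_refeds_mfa(response_xml: str) -> bool:
    """True only if the IdP asserted the REFEDS MFA context by exact string match.

    The identifier is a URI and must match exactly: a weaker context such as
    PasswordProtectedTransport does not satisfy an SP that required MFA, and
    neither does a Response with no AuthnContextClassRef at all.
    """
    classes = authn_context_classes(response_xml)
    return len(classes) > 0 and all(c == REFEDS_MFA for c in classes)


def sample_response(context_ref: str) -> str:
    """Constructed, unsigned sample Response used only to exercise the check."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2020-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{context_ref}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(asserts_refeds_mfa(sample_response(REFEDS_MFA)))  # True
    print(asserts_refeds_mfa(sample_response(
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")))  # False
```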
OBJECTIVES
A complete open source solution to offer MFA – based on the REFEDS MFA profile – for Shibboleth Identity Providers
✓ Open Innovation Research and Development project funded by RNP
✓ First year: developed a prototype and evaluated it in a testbed (GIdLab)
✓ Second year: working on the pilot together with four institutions
✓ 2020: CAFe IdPs
Our Solution Features
Design goals: usability, security, interoperability
Loose coupling
• Easy to install and update our code on a current Shibboleth IdP
Modular
• Easy to activate/deactivate second-factor technologies
• Easy to add new second-factor technologies
• Persistence layer allows different database implementations
Currently implemented 2FA technologies
• One-Time Password (OTP): used with a TOTP mobile app (Google Authenticator, Authy, etc.)
• Phone prompt: Android app with a simple yes/no dialog
• FIDO2 (WebAuthn): USB token
• Backup codes: last resort before contacting IT support
Currently implemented 2FA technologies: One-Time Password (OTP)
✓ Users must have a smartphone, but no Internet connection is required
✓ Many users already use OTP applications on their smartphones
Currently implemented 2FA technologies: Phone prompt (Android app with a simple yes/no dialog)
✓ More user friendly than the OTP solution
✓ Users must have a smartphone or smartwatch with an Internet connection
Currently implemented 2FA technologies: FIDO2 (WebAuthn) USB token
✓ Offers the best usability and is the most secure of the options above
SOLUTION ARCHITECTURE
• Multi-Factor Provider (MFaP) is a Java application that can be deployed in the same Java application server where the Shibboleth IdP is deployed
  ✓ It can also run in a separate Java application server
• The interaction between the IdP and the MFaP is done through an IdP Authentication Flow
  ✓ MFaP offers a RESTful API that can be consumed only by its IdP
MFaP Installation and Upgrade
• MFaP install script: automates the installation task (a set of questions)
• Customized script for the CAFe IdM Virtual Machine
  ✓ Ubuntu + Shibboleth IdP 3.3.1 + brEduPerson
  ✓ User manual for installation (Portuguese)
• Documentation on developing new 2FA technologies and integrating them into the MFaP (Portuguese)
• MFaP upgrade: performed with a dedicated update script
Authentication flow using Phone prompt (diagram)
UML Component Diagram (diagram)
Lifecycle management of the second factor (self-service)
• Binding: the user can enable one or more technologies to act as his/her extra factor
• Replacing: the user can change the current second factor at any time
• Revocation: the user can delete the current second factor at any time
Backup codes are automatically generated when the user enables second-factor authentication (10 codes, each usable only once)
Dashboard (Portuguese)
WORK IN PROGRESS
• Pilot evaluation
• Dashboard improvements: allow the user to register more than one FIDO2 USB token
• Browser cookies to keep the MFA session
• Phone prompt for iOS
• MFaP install script
• Internationalization
CONCLUDING REMARKS
• Open source MFA solution based on the REFEDS MFA profile for the Shibboleth Identity Provider
• The chosen 2FA technologies balance usability and robustness
• Works in different scenarios: a smartphone with Internet access, a smartphone without Internet connection, and no smartphone at all
• Our solution can be extended with new technologies acting as an extra authentication factor
GT-Ampto Team
• Coordinators
  ✓ Emerson Mello (IFSC): Principal Investigator
  ✓ Carlos Eduardo da Silva (UFRN)
  ✓ Michelle Wangham (UNIVALI)
• Developers
  ✓ Bruno Bristot Loli
  ✓ Felipe Passos Cardoso
  ✓ Gabriela Cavalcanti da Silva
  ✓ Samuel Bristot Loli
  ✓ Shirlei Aparecida de Chaves
• R&D Director
  ✓ Iara Machado
• R&D Manager
  ✓ André Marins
• R&D Coordinator
  ✓ Clayton Reis
MICHELLE WANGHAM - [email protected]
Thank you! Questions?