...
FIDO: ForgeRock member of the FIDO alliance.
- Windows 10 supported
- Firefox has related support
-------------------------------------------------------------------------------------------------------------------
Q: Who's doing MFA today?
A: Belgium government issued all citizens smart card readers and smart cards
OATH: Can use FR authenticator or 3rd party. But not main topic of conversation for now!
ForgeRock Push Notification auth module discussed. Registered via QR to exchange a shared secret.
Q: Support for non-QR. Eg blind user, no camera.
A: If on a phone it will redirect and bypass the QR. A screen reader for visually impaired users should be able to detect the button.
Use account lockout to prevent message "spamming".
Demo: Password login based on two chains. Combines push auth and a persistent cookie. Also uses "onFail" in the first chain to redirect to the second chain.
S1: persistent cookie (requisite) -> push auth (sufficient) -> LDAP (required). Also onFail -> http://..../openam/login?service=chain2
S2: LDAP (requisite) -> persistent cookie store (optional) -> push reg (optional) -> push auth (sufficient)
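As an added illustration of the demo's two chains (example code, not part of the session or of ForgeRock's product): the simulation below applies the JAAS-style control-flag rules that AM chains follow to S1 and S2, with the module names and the pass/fail outcomes being constructed stand-ins for the real modules and user prompts.

```python
# Added example, not ForgeRock code: simulates an AM authentication chain under
# the control flags named in the notes (JAAS rules: requisite, required,
# sufficient, optional) and the S1 onFail hand-off to S2. Outcomes are constructed.

def run_chain(chain, outcomes):
    """Evaluate [(module, flag), ...]; return (result, modules consulted).
    requisite fail -> stop, fail; required fail -> continue, fail at end;
    sufficient pass -> stop with success unless a required/requisite already
    failed; optional -> can count as a pass but never forces failure."""
    failed = passed = False
    consulted = []
    for module, flag in chain:
        consulted.append(module)
        ok = outcomes[module]           # pass/fail as if the user had been prompted
        if flag == "requisite" and not ok:
            return "fail", consulted
        if flag == "required" and not ok:
            failed = True
        passed = passed or ok
        if flag == "sufficient" and ok and not failed:
            return "success", consulted
    return ("success" if passed and not failed else "fail"), consulted

# The two chains from the demo notes (module names are hypothetical labels).
S1 = [("persistent-cookie", "requisite"),
      ("push-auth", "sufficient"),
      ("ldap", "required")]
S2 = [("ldap", "requisite"),
      ("persistent-cookie-store", "optional"),
      ("push-reg", "optional"),
      ("push-auth", "sufficient")]

def login(outcomes):
    """Run S1; on failure follow its onFail redirect (?service=chain2) to S2."""
    result, consulted = run_chain(S1, outcomes)
    if result == "success":
        return "chain1", result, consulted
    result, more = run_chain(S2, outcomes)
    return "chain2", result, consulted + more

if __name__ == "__main__":
    # Returning user: cookie present, approves the push; LDAP is never prompted.
    print(login({"persistent-cookie": True, "push-auth": True, "ldap": True}))
    # First visit: no cookie, so S1 fails fast and S2 registers, stores the
    # cookie and pushes.
    print(login({"persistent-cookie": False, "ldap": True,
                 "persistent-cookie-store": True, "push-reg": True,
                 "push-auth": True}))
```

Note that with these flags a returning user who declines the push still falls through to LDAP in S1, because a failed sufficient module does not fail the chain.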
Q: Can SNS setup be better integrated with EC2?
A: No, but good enhancement request
Q: Plans for push authorisation?
A: Roadmap item for 1st person authz (end-user). Longer term - 3rd person authz.
Q: Possible using step-up?
A: Not really, it's not atomic.
MFA Selector - part way through a chain, allow the user to select auth options. No support currently. Likely to be available with authentication trees later. Possible today using a scripted module.
FIDO - Windows 10 has support. ForgeRock are members of FIDO Alliance. Polling for opinions.