FIDO: ForgeRock member of the FIDO alliance.
- Windows 10 supported
- Firefox has related support


Q: Who's doing MFA today?
A: Belgian government issued all citizens smart card readers and smart cards

OATH: Can use FR authenticator or 3rd party. But not main topic of conversation for now!

ForgeRock Push Notification auth module discussed. Registered via QR to exchange a shared secret.

Q: Support for non-QR? E.g. blind user, no camera.
A: If on a phone it will redirect and bypass QR. Screen reader for visually impaired should be able to detect the button.

Use account lockout to prevent message "spamming".

Demo: Password login based on two chains. Combines push auth and persistent cookie. Also uses "onFail" in the first chain to redirect to the second chain.

S1: persistent cookie (requisite) -> push auth (sufficient) -> LDAP (required). Also onFail -> http://..../openam/login?service=chain2

S2: LDAP (requisite) -> persistent cookie store (optional) -> push reg (optional) -> push auth (sufficient)
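As an added illustration (not part of the original notes), a small Python model of the two demo chains using the JAAS-style flag rules that OpenAM chains follow: a requisite failure stops the chain, a sufficient success ends it, a required failure is remembered, and optional results are ignored. Module names and the onFail mapping are constructed labels, not real OpenAM identifiers.

```python
# Constructed model of the two demo chains S1 and S2; module names are labels
# for the notes above, not real OpenAM module identifiers, and the flag
# semantics are the JAAS-style rules OpenAM chains follow (assumption).
CHAIN1 = [("persistent-cookie", "requisite"),
          ("push-auth", "sufficient"),
          ("ldap", "required")]
CHAIN2 = [("ldap", "requisite"),
          ("persistent-cookie-store", "optional"),
          ("push-reg", "optional"),
          ("push-auth", "sufficient")]
ON_FAIL = {"chain1": "chain2"}  # S1's onFail redirect to chain2


def evaluate(chain, outcomes):
    """Walk one chain. outcomes maps module name -> True/False (missing = fail).

    Returns (success, modules_actually_run)."""
    failed_required = False
    any_success = False
    ran = []
    for name, flag in chain:
        ok = outcomes.get(name, False)
        ran.append(name)
        any_success = any_success or ok
        if flag == "requisite" and not ok:
            return False, ran            # stop at once; later modules never run
        if flag == "required" and not ok:
            failed_required = True       # keep going, but the chain must fail
        if flag == "sufficient" and ok and not failed_required:
            return True, ran             # done; later modules are skipped
        # optional: its result never decides the outcome
    return (not failed_required) and any_success, ran


def login(outcomes, start="chain1"):
    """Run the demo flow: chain1, then follow onFail to chain2 if chain1 fails.

    Returns (chain_that_decided, success)."""
    chains = {"chain1": CHAIN1, "chain2": CHAIN2}
    current = start
    while True:
        ok, _ = evaluate(chains[current], outcomes)
        if ok or current not in ON_FAIL:
            return current, ok
        current = ON_FAIL[current]       # the onFail redirect from the notes


if __name__ == "__main__":
    # Returning user: cookie valid and push approved, LDAP password never asked.
    print(login({"persistent-cookie": True, "push-auth": True}))
    # First visit: no cookie -> chain2 (password, push registration, push approval).
    print(login({"ldap": True, "push-reg": True, "push-auth": True}))
```

Running the model also shows the caveat in S2: because push auth is only "sufficient" after a "requisite" LDAP success, a failed or declined push there does not fail the login, so the second factor is not enforced by that chain alone.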

Q: Can SNS setup be better integrated with EC2?
A: No, but good enhancement request

Q: Plans for push authorisation?
A: Roadmap item for 1st person authz (end-user). Longer term - 3rd person authz.

Q: Possible using step-up?
A: Not really, it's not atomic.

MFA Selector - part way through a chain, allow the user to select auth options. No support currently. Likely to be available with authentication trees later. Possible today using scripted authentication.

FIDO - Windows 10 has support. ForgeRock are members of FIDO Alliance. Polling for opinions.