Pilot service for Yubikey two-factor authentication

November 22, 2015

Cosign ‘factors’ – a correction

Filed under: Pilot service for Yubikey two-factor authentication — idurkacz @ 3:12 pm

In a previous post – ‘Cosign ‘factors’’ – I wrote:

“Authorization by factor can be arranged via ‘AND’ and ‘OR’ combinations: a CosignRequireFactor directive which includes multiple factors implies that those factors are AND’ed together; multiple CosignRequireFactor directives are OR’ed.”

And, indeed, the “Cosign Multi-Factor Specification, 20 March 2006, Draft 6” contains the following statement:

“Filters may be configured with a list of required authentication factors. For Apache:

CosignRequireFactor UMICH.EDU OTP

or:

CosignRequireFactor LEVEL2

would indicate that either ( UMICH.EDU & OTP ) or just LEVEL2 are required to satisfy the filter’s multi-factor authentication criteria.”

To correct this: my statement regarding the OR’ing of multiple CosignRequireFactor directives was incorrect; and the above-mentioned statement in “Cosign Multi-Factor Specification, 20 March 2006, Draft 6” is possibly misleading.

In fact, currently, the Apache Cosign filter does not allow the specification that a user must satisfy factor A OR factor B.

Testing shows that, if multiple CosignRequireFactor directives are declared in any particular case, the most ‘recently defined’ CosignRequireFactor directive wins.

Arguably, this is the behaviour that we actually want: it means that a top-level CosignRequireFactor directive is completely supplanted by one at a lower level, rather than being OR’ed with the previous declaration. In this way, we can safely enforce ‘stricter’ authentication conditions at the lower level.
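As an added illustration (not from the original post or the Cosign project), an Apache fragment showing the layering behaviour described above: a stricter Location-level CosignRequireFactor supplants the server-level one rather than being OR’ed with it. The factor names follow the spec excerpt above, and the remaining Cosign filter directives are assumed to be configured elsewhere.

```apache
# Added example: how CosignRequireFactor directives layer in the Apache Cosign filter.
# Factor names (UMICH.EDU, OTP, LEVEL2) follow the spec excerpt quoted above; the
# rest of the Cosign filter configuration is assumed to be in place already.

# Top-level default: the password factor alone is enough for most of the site.
CosignRequireFactor UMICH.EDU

<Location /admin>
    # Stricter requirement for the admin area: both factors must be present (AND).
    # This directive supplants the top-level one for /admin; it is not OR'ed with
    # it, so a session carrying only UMICH.EDU is rejected here.
    CosignRequireFactor UMICH.EDU OTP
</Location>

<Location /legacy>
    # Two directives in the same context do NOT mean "either one": only the most
    # recently defined one takes effect, so here LEVEL2 alone is required and the
    # UMICH.EDU OTP line is silently ignored. State the intended requirement once.
    CosignRequireFactor UMICH.EDU OTP
    CosignRequireFactor LEVEL2
</Location>
```

The /legacy block is the pitfall to check for when auditing a configuration: a second directive that was meant to add an alternative actually replaces the first.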
