In a previous post, ‘Cosign ‘factors’’, I wrote:
“Authorization by factor can be arranged via ‘AND’ and ‘OR’ combinations: a CosignRequireFactor directive which includes multiple factors implies that those factors are AND‘ed together; multiple CosignRequireFactor directives are OR‘ed.”
And, indeed, the “Cosign Multi-Factor Specification, 20 March 2006, Draft 6” contains the following statement:
“Filters may be configured with a list of required authentication factors. For Apache:

CosignRequireFactor UMICH.EDU OTP

or:

CosignRequireFactor LEVEL2

would indicate that either ( UMICH.EDU & OTP ) or just LEVEL2 are required to satisfy the filter’s multi-factor authentication criteria.”
To correct this: my statement regarding the OR‘ing of multiple CosignRequireFactor directives was incorrect, and the above-mentioned statement in “Cosign Multi-Factor Specification, 20 March 2006, Draft 6” is possibly misleading.
In fact, the Apache Cosign filter currently provides no way to specify that a user must satisfy factor A OR factor B.
Testing shows that, if multiple CosignRequireFactor directives are declared in any particular case, the most ‘recently defined’ CosignRequireFactor directive wins.
In fact, this is probably the behaviour that we actually want: it means that a top-level CosignRequireFactor directive is completely supplanted by one at a lower level, rather than being OR‘ed with the previous declaration. In this way, we can safely enforce ‘stricter’ authentication conditions at the lower level.