Is multi factor authentication practical/feasible?
John Gateley
dovecot at jfoo.net
Sun Jul 3 18:41:51 UTC 2022
Disclaimer: I work for Auth0 (now Okta)
On 7/3/22 9:40 AM, Paul Kudla (SCOM.CA Internet Services Inc.) wrote:
>
> It seems any kind of dual auth will need a security app running on
> YOUR server saving tokens, logins etc etc
Not necessarily. With Auth0, the IDP runs on Auth0's server. You are responsible for storing ID tokens, access tokens, and refresh tokens in your app. There are ways of doing this fairly securely, even with desktop apps or mobile devices, where you don't have a secure backend.
>
> this is what led to microsoft, gmail etc having their own api which
> will only work for them
If I understand this correctly, Google et al provide an MFA API for apps that want to handle auth themselves, instead of going the OIDC/OAuth2/SAML route. They also provide standards based protocols, like OIDC.

That's what I was hinting at above - adopting OIDC makes things easier than trying to bolt on security (via some MFA API).
>
> this is also (mainly because of https authing the device) what makes
> it hard to proxy oauth2 etc
This is definitely a pain point. You can either open up a browser from the device, or on constrained devices, use device flow (display a URL, user visits that URL on their laptop, device grabs confirmation from the IDP that they did). Neither one is completely elegant, but opening a browser on a mobile device is far less intrusive than you might think.
>
> 5.7. Authenticating using C.A.S.
> ...
>
> basically the reality is every server will have its own token base
> etc thus preventing any kind of a standard.
I'm not familiar with C.A.S. I don't have any clients that I know of using it, so I can't comment on it.

But the JWT token spec is now common, and is a standard. Also the SAML spec. I see more OIDC, but also a lot of SAML.
Happy IAM Sunday to you too!
j
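The device flow John sketches (display a URL, the user confirms on their laptop, the device polls the IDP for the outcome) as an added example that is not part of the original post and is not Auth0's or Okta's code: a self-contained Python simulation of the OAuth 2.0 Device Authorization Grant (RFC 8628) with both sides in one process. `DeviceAuthServer`, `FakeClock`, `poll_for_token`, `run_device_flow`, the `idp.example` URLs and the client id `tv-app` are constructed placeholders; the error codes and the 5-second back-off on `slow_down` are the ones RFC 8628 defines.

```python
import secrets

GRANT = "urn:ietf:params:oauth:grant-type:device_code"
CONSONANTS = "BCDFGHJKLMNPQRSTVWXZ"  # RFC 8628 suggests an unambiguous user_code alphabet


class FakeClock:
    """Deterministic clock so the exchange replays offline (constructed, not real time)."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class DeviceAuthServer:
    """In-memory stand-in for the IDP side of RFC 8628 (hypothetical, not Auth0's code)."""

    def __init__(self, clock, expires_in=600, interval=5):
        self.clock = clock
        self.expires_in = expires_in  # lifetime of a device_code/user_code pair
        self.interval = interval      # minimum seconds between polls
        self.sessions = {}            # device_code -> pending authorization

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint: the device asks for a code pair to show the user."""
        device_code = secrets.token_urlsafe(32)  # high entropy, never shown to the user
        raw = "".join(secrets.choice(CONSONANTS) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]      # short, typed by the user on another device
        self.sessions[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self.clock.time() + self.expires_in,
            "approved": False, "last_poll": None,
        }
        return {
            "device_code": device_code,
            "user_code": user_code,
            "verification_uri": "https://idp.example/activate",
            "verification_uri_complete": "https://idp.example/activate?user_code=" + user_code,
            "expires_in": self.expires_in,
            "interval": self.interval,
        }

    def approve(self, user_code):
        """What the user does on their laptop: authenticate (MFA included) and enter the code."""
        now = self.clock.time()
        for s in self.sessions.values():
            if s["user_code"] == user_code and not s["approved"] and now < s["expires_at"]:
                s["approved"] = True
                return True
        return False

    def token(self, grant_type, device_code, client_id):
        """Token endpoint: the device polls here until the user has decided or the code expires."""
        s = self.sessions.get(device_code)
        if grant_type != GRANT or s is None or s["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.time()
        if now >= s["expires_at"]:
            del self.sessions[device_code]
            return {"error": "expired_token"}
        last, s["last_poll"] = s["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}  # client is polling faster than the advertised interval
        if not s["approved"]:
            return {"error": "authorization_pending"}
        del self.sessions[device_code]  # a device_code is redeemable exactly once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": s["scope"]}


def poll_for_token(server, clock, client_id, auth, deadline):
    """Device-side polling loop: waits `interval`, backs off on slow_down, gives up at the deadline."""
    interval = auth["interval"]
    while clock.time() < deadline:
        clock.sleep(interval)
        resp = server.token(GRANT, auth["device_code"], client_id)
        err = resp.get("error")
        if err is None:
            return resp
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5  # RFC 8628 section 3.5: add 5 seconds to the polling interval
            continue
        return resp  # expired_token, access_denied, invalid_grant: stop polling
    return {"error": "expired_token"}


def run_device_flow(approve_after, expires_in=600, interval=5):
    """Whole exchange, both sides, in simulated time; the user acts after `approve_after` seconds."""
    clock = FakeClock()
    server = DeviceAuthServer(clock, expires_in=expires_in, interval=interval)
    auth = server.device_authorization("tv-app", "openid profile")
    deadline = clock.time() + auth["expires_in"]
    clock.sleep(interval)
    first = server.token(GRANT, auth["device_code"], "tv-app")  # user has not acted yet
    clock.sleep(approve_after)
    approved = server.approve(auth["user_code"])                # user enters the code on a laptop
    final = poll_for_token(server, clock, "tv-app", auth, deadline)
    return {"first": first, "approved": approved, "final": final}
```

The part device clients most often get wrong is the polling discipline: `authorization_pending` means keep waiting at the advertised interval, `slow_down` means add five seconds and keep waiting, and anything else means stop. Against a real IDP the two server methods become HTTPS POSTs to its device-authorization and token endpoints, and the returned tokens need the storage care John describes above.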