====== Specifications for MFA with IdPv3 ======
# Specifications for MFA with IdPv3 #
A lightweight specification that should get more precise as areas of this project are further explored.
===== User stories =====
## User stories ##
From https://www.mountaingoatsoftware.com/agile/user-stories:
> User stories are short, simple descriptions of a feature told from the perspective of the person who desires the new capability, usually a user or customer of the system. They typically follow a simple template:
>
... | ... | @@ -9,7 +11,7 @@ From https://www.mountaingoatsoftware.com/agile/user-stories: |
>
> User stories are often written on index cards or sticky notes, stored in a shoe box, and arranged on walls or tables to facilitate planning and discussion. As such, they strongly shift the focus from writing about features to discussing them. In fact, these discussions are more important than whatever text is written.
==== End users ====
### End users ###
As a university staff with a smart phone,\\
I want to use the Google Authenticator mobile application when authenticating on the IdP,\\
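Review bot: the end-user story in this hunk names the Google Authenticator application specifically, while the Assumptions list further down specifies an RFC 6238 TOTP second factor; state the requirement as any RFC 6238-compatible authenticator app rather than one vendor's client, so the spec does not tie the service to a single app and the RADIUS test server described in the assumptions covers the actual requirement. The story also opens "As a university staff with a smart phone"; "As a university staff member" is the intended phrase.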
... | ... | @@ -40,7 +42,7 @@ I want to be able to reset my password using a 2FA-protected online self-service |
so that my password cannot be changed by others.\\
-> process independent of Shibboleth
==== Operators/services ====
### Operators/services ###
As a SP-protected web application operator,\\
I want to force users to authenticate with two factors,\\
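Review bot: the self-service password reset story in this hunk lets the second factor alone authorize a password change, but nothing says what happens when that factor is lost or compromised (the revocation capability in the Assumptions list is the natural hook) or where reset attempts are recorded; since the arrow line marks the process as independent of Shibboleth, it will not inherit the IdP's own logging, so the story should state who may perform a reset when the token is unavailable and where reset attempts are logged. The operator story that follows ("force users to authenticate with two factors") should likewise say how the SP expresses that requirement to the IdP, since the page does not yet name the mechanism.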
... | ... | @@ -64,10 +66,16 @@ As a university account administrator,\\ |
I want to verify user's identities before they can use 2FA,\\
so that I can provide a stronger verification level to applications using 2FA.\\
-> process independent of Shibboleth
===== Architecture =====
## Architecture ##
![idpv3-mfa_architecture](uploads/db3a93905741734390c531f4b3d8381f/idpv3-mfa_architecture.png)
==== Assumptions ====
### Assumptions ###
* There is an "authentication server" outside of the IdP that verifies OTPs and stores token keys. It also supports a user registration process and allows to revoke second factors when required.
* A brief [description of a radius authentication test server](toolbox_archive/description_of_a_radius_authentication_test_server) for an rfc6238 TOTP 2nd factor.
===== Documents =====
[Spécifications UniGE](uploads/682fd6d12b502befb66be5ab1be51941/ge173-specs_pour_gt_mfa.pdf) |
\ No newline at end of file |
## Documents ##
[Spécifications UniGE](uploads/682fd6d12b502befb66be5ab1be51941/ge173-specs_pour_gt_mfa.pdf) |
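Review bot: the first Assumptions bullet in this hunk says the authentication server "stores token keys", but the spec does not say how those TOTP seeds are protected at rest, how the IdP authenticates to that server and secures the channel carrying the OTP (the only channel the page describes is the linked RADIUS test server), or whether revoking a second factor also ends sessions already open on the IdP; add these three points to the Assumptions list before the architecture diagram above is treated as final. Minor: the administrator story reads "verify user's identities", which should be "users' identities", and the Documents section appears here under both the old `=====` heading and the new `##` heading, so confirm only the Markdown heading remains in the converted page.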