Another MFA question


Dmytro Havrylov

Apr 6, 2017, 5:01:42 AM
to CAS Community
Hello community!

Does anyone know if CAS can continue MFA even if the first factor failed? Meaning the authorization would fail at the end of the authorization process and not after the first failed step...

Thank you
Dimitri

Andrew Morgan

Apr 6, 2017, 10:49:07 AM
to CAS Community
When both first and second factors have succeeded, *then* you can perform
authorization. How can you perform authorization before you have
established the identity of the subject?

Andy

inat...@gmail.com

Apr 6, 2017, 12:31:43 PM
to cas-user, cas-...@apereo.org, mor...@orst.edu
Maybe I wrote it in the wrong way. I will give an example: you are using LDAP+GAUTH MFA. When you log in using CAS you will get the first form where you need to supply your LDAP credentials. On the next page CAS will ask you for your GAUTH number... By default, if you supply the wrong LDAP password your authentication process will break and you will see an authorization error. You will never get to the GAUTH page if your first authorization fails. Exactly this is not allowed. The user should not know which step failed. He needs to go through the whole process to get the result.

Andrew Morgan

Apr 6, 2017, 1:03:30 PM
to cas-...@apereo.org, cas-user
I understand. A similar example is that a simple username/password
authentication prompt should return the same result when a bad username is
used as when a bad password is used, and the time taken should be the
same. The purpose is to prevent attackers from discovering if the
username is valid.

In your example, you want to prevent an attacker from discovering if the
password is bad? An implementation that behaved this way could present
three fields on the login form:

username:
password:
gauth code:

I'm not sure if this is the correct security approach. For example,
Google's 2-step authentication doesn't work this way. They separate each
step. First I must authenticate with a password, *then* it asks me for my
code. In Google's case, they need to be 2 separate steps in order for the
"remember this device" functionality to work. They can't display all
three fields on the login form if they don't actually need the code.

From a user's perspective, it would be strange to silently accept the bad
password and present the form to enter the code. The user would think
their password was correct.

Interesting thoughts! I'm not sure what CAS is capable of doing in this
case.

Andy
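The single-form approach Andy sketches (username, password and code submitted together, every factor checked, one generic answer) is illustrated below as an added example; it is not code from this thread, from CAS, or from Google, and the user store, salt and password are constructed placeholders. The point it demonstrates is the one raised in the reply: no early return on an unknown username or a wrong password, a dummy record so the same hashing work runs for unknown users, constant-time comparisons, and a single boolean result so neither the response nor (approximately) its timing says which step failed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Constructed demo user store (hypothetical values, not from any real deployment).
# Passwords are stored as salted PBKDF2-HMAC-SHA256; TOTP secrets are base32.
_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_DEMO_SALT = b"constructed-salt-for-demo"
_USERS = {
    "alice": {
        "salt": _DEMO_SALT,
        "pw_hash": _hash_password("correct horse battery staple", _DEMO_SALT),
        "totp_secret": base64.b32encode(b"0123456789abcdef0123").decode(),
    },
}

# Dummy record used when the username is unknown, so an unknown user costs the
# same PBKDF2 and HMAC work as a known one (timing does not reveal valid names).
_DUMMY_USER = {
    "salt": b"dummy-salt",
    "pw_hash": _hash_password(secrets.token_hex(8), b"dummy-salt"),
    "totp_secret": base64.b32encode(secrets.token_bytes(20)).decode(),
}


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix time (what a GAUTH app computes)."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Evaluate every factor before answering and return one generic result.

    There is no early return: an unknown user, a wrong password and a wrong
    code all walk the same path, so the caller can only show a single
    "login failed" message with no hint of which step was at fault.
    """
    now = int(time.time()) if now is None else now
    record = _USERS.get(username, _DUMMY_USER)
    user_known = username in _USERS

    # Constant-time comparison of the derived hash against the stored one.
    pw_ok = hmac.compare_digest(_hash_password(password, record["salt"]), record["pw_hash"])

    # Accept the current and the previous 30-second window to tolerate clock drift.
    code_ok = False
    for drift in (0, -1):
        expected = totp(record["totp_secret"], now + drift * 30)
        code_ok |= hmac.compare_digest(expected.encode(), code.encode())

    # Bitwise AND so every term is evaluated; the result is one boolean, no detail.
    return user_known & pw_ok & code_ok


if __name__ == "__main__":
    t = int(time.time())
    good = totp(_USERS["alice"]["totp_secret"], t)
    print("valid login:", verify_login("alice", "correct horse battery staple", good, t))
    print("bad password:", verify_login("alice", "wrong", good, t))
    print("unknown user:", verify_login("nobody", "correct horse battery staple", good, t))
```

The usability concern from the same reply still applies: this design gives the user no feedback about the password until the code is also supplied, and it cannot support a "remember this device" step that skips the code, which is why a deployment may still prefer separate steps and accept that a failed first step is observable.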