| Table of Contents |
|---|
When users access online services, they want to be confident that their data and services are secure and their privacy is protected. Institutions and Service Providers that offer online services also need to verify a user's identity to make sure only the right users are accessing the right information. That is why identity assurance is needed.
...
It is assumed that proper measures are taken to prevent authentication protocol threats such as eavesdropping, man-in-the-middle, replaying, and hijacking. Attacks are not limited to the authentication protocol itself. Other attacks include the use of malicious code to compromise authentication tokens, insider threats to compromise authentication tokens, social engineering to get a subscriber to reveal his password to the attacker, "shoulder“shoulder-surfing"surfing”, fooling claimants into using an insecure protocol, when they think that they are using a secure protocol, or intentionally denying ever having registered by subscribers who deliberately compromise their tokens.
...
Several attributes provided by the IdP (e.g. first and last name, e-mail address) will be validated during registration and identification. In theory a LoA could be assigned to these attributes, which in attribute-based access control scenario's scenario’s could make authorization more reliable. There are however some arguments against doing this:
- Mixing attributes with different LoA's LoA’s is complex
- There is no suitable way to express differing LoA's LoA’s for attributes in SAML assertions
- The registration process will be more complex
Because of these arguments SURFconext Strong Authentication solely focuses on authentication LoA.
...