Cadasta / cadasta-platform

[DEPRECATED] Main repository of the Cadasta platform. Technology to help communities document their land rights around the world.
https://demo.cadasta.org
GNU Affero General Public License v3.0

Multi-Factor Authentication #81

Open wonderchook opened 8 years ago

wonderchook commented 8 years ago

Multi-factor Authentication for the Grantee and Business Partner (client) Administrative Users: users with privileged access to the application and data should be challenged for at least two factors of authentication in order to achieve non-repudiation of their identity.

wonderchook commented 8 years ago

@dpalomino this needs to be in the backlog and will probably get a higher priority than it seems like it needs due to grant requirements.

dpalomino commented 8 years ago

Hi,

Thanks @wonderchook for the heads-up. Are we thinking of some specific 2FA approaches? Like mobile-based authentication, for instance? Maybe then the question is if we can assume that all platform users would own mobile devices.

If so, the simplest solution would be SMS or voice authentication. If connectivity is not an issue we could also think of Time-based One-Time Password (TOTP) solutions (like the Duo app, for instance). However, TOTP adds some complexity for the user, as they need to install the app and to use some "hardcoded" verification codes when they change or lose their device.

If mobile is not an option, we could consider secret questions (where were you born, etc.).

wonderchook commented 8 years ago

@dpalomino we haven't thought about specifics on this. The requirement is for "Grantee and Business Partner (client) Administrative Users", but I think if we do this we should make it more useful than that. I was assuming mobile-based authentication, likely SMS. Since only super users would be required to use it and it would be opt-in for everyone else, I think that would be sufficient.

dpalomino commented 7 years ago

Backlog item 12.00.