Session Abstract

Duke University is working toward implementing multifactor authentication in both our Shibbolized web environments and more traditional client-server environments. To some extent, the implementation is driven by the classic enterprise requirements -- transactions that expose the institution to significant risk require higher-assurance authentication than passwords alone can provide. We are mindful of an additional driver, however, in the desire of end users to self-select for heightened security based on their personal comfort levels (and their estimation of their own degree of credential exposure, conditioned by their own individual behaviors and password hygiene). In this session, we will describe our approach to providing flexible multifactor authentication options to both service providers and end-users on campus, potentially demonstrating the model in action. We'll also discuss the challenges and opportunities that may arise with the approach as it expands to address federated use cases as well as local, unfederated use cases.