On Thu, 6 Apr 2017, [email protected] wrote:
> Maybe I wrote it in the wrong way. I will give an example: you are using
> LDAP+GAUTH MFA. Then you log in using CAS you will get first form where you
> need to supply your LDAP credentials. On the next page CAS will ask you for
> your GAUTH number... By default if you supply wrong LDAP password your
> authentication process will break and you will see an authorization error.
> You will never get to the GAUTH page if your first authorization fails.
> Exactly this is not allowed. User should not know which step failed. He
> needs to go through the whole process to get the result.
I understand. A similar example is that a simple username/password
authentication prompt should return the same result when a bad username is
used as when a bad password is used, and the time taken should be the
same. The purpose is to prevent attackers from discovering if the
username is valid.
In your example, you want to prevent an attacker from discovering if the
password is bad? An implementation that behaved this way could present
three fields on the login form:
username:
password:
gauth code:
I'm not sure if this is the correct security approach. For example,
Google's 2-step authentication doesn't work this way. They separate each
step. First I must authenticate with a password, *then* it asks me for my
code. In Google's case, they need to be 2 separate steps in order for the
"remember this device" functionality to work. They can't display all
three fields on the login form if they don't actually need the code.
From a user's perspective, it would be strange to silently accept the bad
password and present the form to enter the code. The user would think
their password was correct.
Interesting thoughts! I'm not sure what CAS is capable of doing in this
case.
Andy
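Added example (not code from the thread, CAS or any project mentioned): the two flows discussed above side by side. `login_sequential` stops at the first failing step and names it; `login_uniform` always runs the password check and the TOTP check (a random dummy record is used for unknown usernames so the same hashing work happens on every path) and returns one generic result. The user store, salt, password and TOTP secret are constructed demo values; the TOTP secret is the RFC 6238 reference secret so the code at T=59 is the documented "287082".

```python
import hashlib, hmac, os, struct, time

def _hash_pw(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed demo store: username -> (salt, pbkdf2 hash, TOTP secret bytes)
_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT), b"12345678901234567890")}
# Dummy record for unknown usernames: random "hash" can never match, but the
# PBKDF2 work is still done, so unknown user and bad password cost the same.
_DUMMY = (_SALT, os.urandom(32), b"\x00" * 20)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret, now=None, step=30):
    """RFC 6238 TOTP for the given Unix time (defaults to the current time)."""
    t = time.time() if now is None else now
    return hotp(secret, int(t // step))

def login_sequential(username, password, code, now=None):
    """Flow the first poster objects to: reveals which step failed."""
    rec = USERS.get(username)
    if rec is None:
        return "bad username"
    salt, pw_hash, secret = rec
    if not hmac.compare_digest(_hash_pw(password, salt), pw_hash):
        return "bad password"
    if not hmac.compare_digest(totp(secret, now).encode(), code.encode()):
        return "bad code"
    return "ok"

def login_uniform(username, password, code, now=None):
    """Evaluate every factor, then report a single generic outcome."""
    salt, pw_hash, secret = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(_hash_pw(password, salt), pw_hash)
    code_ok = hmac.compare_digest(totp(secret, now).encode(), code.encode())
    # '&' instead of 'and': both checks have already run, nothing short-circuits
    return "ok" if (pw_ok & code_ok) else "login failed"
```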