Andy Cowling wrote:
> Michael Ströder wrote:
>> It seems I don't understand your issue.
>> [..]
>> If you already successfully authenticated the user via X509Check why do
>> you present a login form?
>>
> Our company does not consider this a strong enough authentication method
> for our intranet. Whilst it might be unusual for a certificate to be
> compromised, in a big company we cannot guarantee that some employees
> won't make the mistake of storing their key with an empty password on a
> memory stick. Requiring the user to also enter the correct username and
> password provides a greater level of security.
Hmm, but entering username and password is also rather weak, especially
when doing it from unknown browsers. If you really need two-factor authc
you should issue X.509 certs for keys generated on smartcards protected by
a PIN or something like RSA SecurID (AFAICT the latter can be integrated
with CAS via RADIUS).

Ciao, Michael.

-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
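The failure mode Andy describes, a private key exported with an empty passphrase and copied onto a memory stick, is something an administrator can at least look for. The script below is an added example written for this page; it is not code from the thread, from CAS, or from either poster. It is stdlib-only and classifies PEM private-key blocks by their headers: PKCS#8 keys announce encryption in the BEGIN line (`ENCRYPTED PRIVATE KEY` versus plain `PRIVATE KEY`), while legacy PKCS#1/SEC1 keys (`RSA PRIVATE KEY`, `EC PRIVATE KEY`, `DSA PRIVATE KEY`) are encrypted only if they carry an RFC 1421 `Proc-Type: 4,ENCRYPTED` header with a `DEK-Info` cipher. The sample keystore text, the function names and the choice to treat `DES-CBC` as too weak to count are all assumptions of this example.

```python
"""Flag PEM private keys stored without a passphrase (added example, not from the thread)."""
import os
import re

# One PEM block: the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",   # PKCS#1 / SEC1 (legacy)
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",                  # PKCS#8
}

# Assumption of this example: single DES offers no real protection, so a key
# "encrypted" with it is reported alongside unencrypted ones.
WEAK_CIPHERS = {"DES-CBC"}


def classify_pem_keys(text):
    """Return [(label, 'encrypted'|'unencrypted', cipher_or_None)] for each private key block."""
    found = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group("label"), m.group("body")
        if label not in PRIVATE_KEY_LABELS:
            continue                      # certificates, public keys, CSRs: not interesting
        if label == "ENCRYPTED PRIVATE KEY":
            found.append((label, "encrypted", "PKCS#8"))
        elif label == "PRIVATE KEY":
            found.append((label, "unencrypted", None))   # unencrypted PKCS#8
        else:
            # Legacy format: encryption is signalled by RFC 1421 headers in the body.
            proc = re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M)
            dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+)", body, re.M)
            if proc and dek:
                found.append((label, "encrypted", dek.group(1)))
            else:
                found.append((label, "unencrypted", None))
    return found


def unprotected_keys(text):
    """Keys a policy reviewer would reject: no passphrase, or a weak legacy cipher."""
    return [
        (label, cipher)
        for label, status, cipher in classify_pem_keys(text)
        if status == "unencrypted" or cipher in WEAK_CIPHERS
    ]


def scan_tree(root, max_bytes=1 << 20):
    """Walk a directory (e.g. a mounted memory stick) and map file path -> offending keys."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(max_bytes)
            except OSError:
                continue
            bad = unprotected_keys(text)
            if bad:
                hits[path] = bad
    return hits


# Constructed sample keystore for the example; the base64 bodies are filler, not real keys.
SAMPLE_KEYSTORE = """\
-----BEGIN CERTIFICATE-----
MIIBszCCARygAwIBAgIBATANBgkqhkiG9w0BAQsFADA=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzNotARealKey0000000000000000000000000000000000000=
-----END RSA PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,0123456789ABCDEF

U2FsdGVkX1NotARealKey00000000000000000000000000000000000000000000=
-----END RSA PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQINotARealKey00000=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDNotARealKey0=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, status, cipher in classify_pem_keys(SAMPLE_KEYSTORE):
        print(f"{label:24s} {status:12s} {cipher or ''}")
    print("would be rejected:", unprotected_keys(SAMPLE_KEYSTORE))
```

Two caveats for anyone running this against real media: keys exported from a browser usually come out as PKCS#12 (`.p12`/`.pfx`), which is binary ASN.1 and needs a proper parser rather than a header check; and even an "encrypted" legacy PEM key derives its key from the passphrase with a single unsalted-strength MD5 iteration, so a short passphrase is not much of an obstacle either. The check catches the empty-passphrase case Andy worries about; it does not make a file-based key equivalent to the smartcard-held key Michael recommends.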
