Adopting OIDC Standard For MFA

This article has been indexed from The Duo Blog

This blog is part of an ongoing blog series for Duo’s Universal Prompt Project. The project is a major re-architecture and redesign of the Duo multi-factor authentication experience. In this post, we’d like to discuss a “behind the scenes” change we’ve made that helps achieve the overall project goals — improving security and delivering a better user experience. The change involves adopting the OpenID Connect (OIDC) standard to integrate with supported applications to deliver the prompt for MFA. But before jumping into the details, it might help to understand the open standards in discussion.

Understanding OAuth 2.0 Framework and OIDC Protocol

Problem to solve: Apps and services need a way to share data with each other

Years ago (back in the early 2010s!), applications shared sensitive information by asking users to enter their credentials from one application into another. Many applications offered services which would tie together functionality from other sites. For example, mobile applications such as Yelp requested your Gmail address book to encourage more signups by emailing your contact list on your behalf. Similarly, budgeting applications like Mint.com needed access to your banking credentials to help track your spending, and website developers wanted ways to post users’ tweets on their own websites.

These were all great services that provided benefits to everyday users, but users needed to share their usernames and passwords with these services to realize those benefits. Sharing credentials or passwords with multiple applications not only increases the risk of a compromise (yes, that same password you also use for online banking), but also gives third-party applications full access to your account.

This is a big no-no! Once credentials are compromised, hackers can take over user accounts, even change the passwords and lock users out. Even today, according to Verizon’s 2020 Data Breach Report, 37% of credential theft breaches use stolen or weak credentials.

The main problem to solve here was authorization — in particular, how can we verify that an application or service is au

[…]