Your company usually holds meetings with partners, suppliers, or consultants in the meeting rooms on the 1st floor, a public workspace isolated from the internal network. However, employees need to connect their devices to the internal network for business purposes. You are evaluating VPN solutions that use multi-factor authentication (MFA) to address this issue. Which of the following authentication mechanisms best meets your requirement?
A. EAP-TLS
D. OIDC (OpenID Connect)
C. Smart card with the user's private key protected by a cognitive password
D. SAML (Security Assertion Markup Language)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. EAP-TLS.
EAP-TLS and Smartcard/PIN
With a client-side certificate, a compromised password is not enough to break into EAP-TLS enabled systems, because the intruder still needs the client-side certificate; indeed, a password is not even needed, as it is only used to encrypt the client-side certificate for storage. The highest security available is when the private keys of client-side certificates are housed in smart cards. This is because there is no way to steal a client-side certificate's corresponding private key from a smart card without stealing the card itself. It is more likely that the physical theft of a smart card would be noticed (and the smart card immediately revoked) than that a typical password theft would be noticed. In addition, the private key on a smart card is typically protected by a PIN that only the owner of the smart card knows, minimizing its utility for a thief even before the card has been reported stolen and revoked.
A cognitive password is a series of questions with answers predefined by the subject. It is commonly used as an alternative or supplement to normal username/password authentication when a user forgets his or her password. Authentication systems often ask questions like:
- What is your favorite animal?
- What is your town of birth?
- What is your favorite sport?
- What is the name of your first pet?
SAML and OIDC
SAML and OIDC are message standards used to convey identity information (subject, attribute, and authorization decision) and protocols to exchange messages. SAML describes the identity information in XML, while OIDC does that in JWT (JSON Web Token).
They support single sign-on across enterprises or security domains. SAML addresses multiple-domain single sign-on and identity federation among web applications, while OIDC supports both web applications and mobile apps.
- EAP-TLS supports certificates that can be stored in smart cards with private keys protected by PINs. Smart cards are something you have, while PINs are something you know. This meets the requirement of multi-factor authentication.
- A smart card with the user’s private key doesn’t support a cognitive password.
- SAML and OIDC address multiple-domain single sign-on and identity federation in web applications or mobile apps. They do describe the authentication context in SAML assertions or OIDC tokens, but they don't support VPN or multi-factor authentication directly.
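As an added example (not part of the original post), the following Python shows how a relying party would read the authentication context that a SAML 2.0 assertion or an OIDC ID token carries, using the standard SAML AuthnContext class URIs and the RFC 8176 "amr" values, to decide whether the identity provider reported smart-card-backed MFA. It assumes the assertion or token signature has already been verified elsewhere and uses constructed sample inputs.

```python
"""Read the authentication context a SAML 2.0 assertion or an OIDC ID token
reports, to decide whether it claims smart-card (hardware) MFA.
Assumes the assertion/token SIGNATURE HAS ALREADY BEEN VERIFIED; these helpers
only read claims. Sample inputs below are constructed for this example."""
import base64
import json
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML 2.0 authentication-context classes that imply a smart card was used
SAML_SMARTCARD_CLASSES = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
}
# RFC 8176 "amr" values: sc = smart card, hwk = hardware key, pin/pwd = knowledge, mfa = multi-factor
HARDWARE_AMR = {"sc", "hwk"}
KNOWLEDGE_AMR = {"pin", "pwd"}

def saml_authn_context(assertion_xml: str) -> Optional[str]:
    """Return the AuthnContextClassRef value of a SAML 2.0 assertion, or None if absent."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    return ref.text.strip() if ref is not None and ref.text else None

def saml_reports_smartcard(assertion_xml: str) -> bool:
    """True if the assertion's authentication context names a smart-card class."""
    return saml_authn_context(assertion_xml) in SAML_SMARTCARD_CLASSES

def oidc_amr(id_token: str) -> List[str]:
    """Decode the JWT payload segment (no signature check here) and return its 'amr' list."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64url padding
    return list(json.loads(base64.urlsafe_b64decode(payload)).get("amr", []))

def oidc_reports_mfa(id_token: str) -> bool:
    """True if the IdP asserted 'mfa', or a hardware factor plus a knowledge factor."""
    amr = set(oidc_amr(id_token))
    return "mfa" in amr or bool(amr & HARDWARE_AMR and amr & KNOWLEDGE_AMR)

def make_demo_token(claims: dict) -> str:
    """Constructed, UNSIGNED demo token for the checks above; never accept such a token in production."""
    def seg(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg(claims) + "."

# Constructed sample assertion (signature and other elements omitted for brevity)
SAMPLE_SAML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z"><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
</saml:Assertion>"""
```

Even when the context says a smart card was used, the VPN gateway itself still has to enforce the factor, which is the point the conclusion above makes about these protocols not providing VPN MFA directly.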