Replies: 2 comments
IdentityServer does not have any MFA-related functionality built-in: IdentityServer is an OAuth 2.0 and OpenID Connect framework. Any user login functionality, where MFA would come into play, is either done through ASP.NET Core Identity, a custom sign-in implementation or an external identity provider like e.g. Google or Microsoft Entra ID. Are you currently evaluating any user management systems which potentially include MFA? If so, could you have a look at this poll and perhaps even reach out to us via our contact form?
You would be right @wcabus; that is completely my misreading and misunderstanding. Identity CAN use MFA but must come from another aspect as the ones you mentioned. I do apologize for my misunderstanding of that and do appreciate you clarifying that for me!
Hey everyone! I had a question regarding MFA and the security that Duende has built into it. I have to follow NIST 800-63B and NIST 800-131 guidelines for implementations regarding MFA. I currently have IdentityServer7 and would love to utilize the MFA that is part of the system, but I can't find any documentation about how the MFA was built to see if it aligns with those guidelines.
Can anyone elaborate more on how the MFA was built? (Things like how the secret key is stored, what algorithm is used to generate the key, its minimum strength, does it use an approved block cipher or hash function to combine the key and nonce in a secure manner, FIPS 140-2 compliant, customization of rate throttling, etc.)