For organizations running modern, functioning PKI, can mTLS be used as an SSO mechanism?



  • I am trying to determine best practices for implementing a webapp running in an extremely tight PKI environment. Assume:

    1. Yubikey like devices that have Certs with reasonable expiration dates
    2. The organization has proper certificate revocation mechanisms
    3. Certs provide username and access-role information
    4. Browsers implement mTLS and pass the correct cert

    My question is, should I just trust the certificate being passed by the browser and skip typical 'Login' prompts?

    I understand a TOTP prompt could enhance this, but would trusting the certificate be a good enough baseline?

    Any reference to back up your answers would be appreciated.



  • Modern theory of authentication is that a human user should pass a challenge from two (or all three) of the following categories:

    1. Something you know (i.e. password)
    2. Something you have (i.e. yubikey, OTP app, etc.)
    3. Something you are (biometric, fingerprint, etc.)

    Certificate-based mTLS (with a proper CA as you describe) provides a very strong challenge #2, but modern theory probably still recommends a password. If the client prompts for a password to use the certificate on connection (like an SSH key does), then maybe you are meeting this at an organizational level and the server does not need to enforce it.
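What "trusting the certificate" amounts to on the server side, as an added Go example that is not part of the question or the answer: the TLS handshake has already proved possession of the key, so the app's remaining job is to verify the chain to the organization's CA, the validity window and the client-auth usage, then read the username and role out of the subject. CN for username and OU for role are assumed layouts, and `Issue` is a constructed stand-in for the real PKI so the example runs offline.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
type Identity struct{ User, Role string } // what the app derives from a verified client cert
// IdentityFromClientCert is the server-side trust decision: accept only a certificate that
// chains to the organization's CA, is valid at now and is marked for client authentication.
// Revocation (CRL/OCSP) is assumed to be enforced by the TLS terminator and is not shown here.
func IdentityFromClientCert(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (Identity, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return Identity{}, err
	}
	// Username in CN, role in OU: the certificate layout assumed for this example.
	if leaf.Subject.CommonName == "" || len(leaf.Subject.OrganizationalUnit) == 0 {
		return Identity{}, errors.New("certificate carries no username or role")
	}
	return Identity{leaf.Subject.CommonName, leaf.Subject.OrganizationalUnit[0]}, nil
}
// Issue stands in for the organization's PKI so the example runs offline (constructed, not a real CA):
// with parent == nil it makes a self-signed CA, otherwise a client certificate for user (CN) and role (OU).
func Issue(user, role string, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:     pkix.Name{CommonName: user, OrganizationalUnit: []string{role}},
		NotBefore:   notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed CA: must be flagged as a CA or Verify rejects the chain
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
```

A certificate from a CA outside the trusted pool, or one outside its validity window, is rejected before any session is created; the password or TOTP factor discussed above would sit on top of this check, not replace it.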


