Until now, most institutions in Dutch higher education and research have used username/password authentication for their users to access cloud services. For services that handle sensitive data, such as grades in a student information system or salary data of employees in an HR system, preventing unauthorized access is crucial. Stronger authentication solutions than plain username/password combinations are then a prerequisite. After all, appearing on the cover of the newspaper with screaming headlines like ‘exam results fraud at Dutch university x’ or ‘medical data of patients leaked’ after passwords were stolen is the worst nightmare of every CIO in Dutch higher education and research.
Although institutions feel the need for strong authentication, they experience barriers that hinder the introduction of strong authentication solutions in their organization. Most solutions are considered expensive and complex, needing a lot of integration effort with identity provider software, and bearing the risk of vendor lock-in. The continuous tension between security, usability and ‘deployability’ explains to a certain extent the low adoption rate of alternative (stronger) web authentication methods in Dutch higher education and research. SURFnet wants to take away those barriers, by introducing step-up authentication functionality to its SURFconext service.
SURFconext is a cloud service integration platform that connects over 300 cloud services, such as Google Apps for Education, Sharepoint, Cisco WebEx et cetera, to enable secure access for 1 million end-users of 120+ institutions in Dutch higher education and research, based on their institutional account. By expanding SURFconext with a centrally operated service for step-up authentication, it becomes possible to combine the username/password facilitated by the user’s home institution with a second factor (for instance, a token). Instead of point-to-point strong authentication solutions between identity providers and service providers, possibly with multiple tokens for different services, SURFnet will enable a generic solution in which users can re-use the same second authentication token (SMS, Tiqr or Yubikey) for different service providers.
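The model below illustrates the generic solution described above: the home institution supplies the first factor, a central gateway holds one enrolled second factor per user, and a single step-up lifts the session to the higher level of assurance for every connected service that demands it. This is an added example, not SURFnet's or SURFconext's code. It assumes two numbered levels of assurance, a TOTP generator (RFC 6238) as a stand-in for the SMS, Tiqr or YubiKey tokens the text mentions, and hypothetical service names ("lms", "sis", "hr").

```python
"""Model of a centrally operated step-up authentication service.

Added example, not SURFnet's code. Assumed: two levels of assurance (LoA),
TOTP (RFC 6238) standing in for the SMS/Tiqr/YubiKey tokens, and
hypothetical service names.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional, Tuple, List

LOA_PASSWORD = 1       # username/password asserted by the home institution
LOA_SECOND_FACTOR = 2  # password plus a second factor verified centrally


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    return hotp(secret, now // step)


@dataclass
class Session:
    user: str
    loa: int  # highest level of assurance reached in this session


class StepUpGateway:
    """Hub between institutional identity providers and cloud services.

    The first factor comes from the home institution; the second factor is
    enrolled once, here, and reused by every service that requires it.
    """

    def __init__(self) -> None:
        self.required_loa = {}  # service -> LoA it demands
        self.tokens = {}        # user -> enrolled TOTP secret (one per user)
        self.sessions = {}      # session id -> Session

    def register_service(self, service: str, loa: int) -> None:
        self.required_loa[service] = loa

    def enroll_token(self, user: str, secret: bytes) -> None:
        """One enrollment serves all services; no per-service tokens."""
        self.tokens[user] = secret

    def login_first_factor(self, user: str) -> str:
        """Stand-in for the institution's username/password assertion."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, LOA_PASSWORD)
        return sid

    def access(self, sid: str, service: str, otp: Optional[str] = None,
               now: int = 0) -> Tuple[bool, str]:
        session = self.sessions.get(sid)
        if session is None:
            return False, "no session"
        if session.loa >= self.required_loa[service]:
            return True, f"granted at LoA {session.loa}"
        secret = self.tokens.get(session.user)
        if secret is None:
            return False, "step-up required but no token enrolled"
        if otp is None:
            return False, "step-up required"
        # Accept the current and previous step to tolerate small clock skew;
        # compare in constant time so the check leaks nothing by timing.
        valid = any(hmac.compare_digest(otp, totp(secret, now - skew))
                    for skew in (0, 30))
        if not valid:
            return False, "second factor rejected"
        session.loa = LOA_SECOND_FACTOR  # the upgrade sticks for the session
        return True, f"granted at LoA {session.loa}"


def demo(now: int = 1_700_000_000) -> List[Tuple[bool, str]]:
    """Walk one user through a password-only service and two step-up services."""
    gw = StepUpGateway()
    gw.register_service("lms", LOA_PASSWORD)       # course material
    gw.register_service("sis", LOA_SECOND_FACTOR)  # grades
    gw.register_service("hr", LOA_SECOND_FACTOR)   # salary data
    secret = b"12345678901234567890"               # constructed token secret
    gw.enroll_token("alice", secret)
    alice = gw.login_first_factor("alice")
    bob = gw.login_first_factor("bob")             # never enrolled a token
    return [
        gw.access(alice, "lms", now=now),                         # password suffices
        gw.access(alice, "sis", now=now),                         # step-up demanded
        gw.access(alice, "sis", otp="wrong!", now=now),           # bad code rejected
        gw.access(alice, "sis", otp=totp(secret, now), now=now),  # session lifted
        gw.access(alice, "hr", now=now),                          # reuse, no new prompt
        gw.access(bob, "hr", now=now),                            # no token enrolled
    ]


if __name__ == "__main__":
    for granted, reason in demo():
        print(granted, reason)
```

The point the walk-through makes is in the last two results: once the session has been lifted, a second service at the same level grants access without another prompt, and a user who never enrolled a token cannot reach the protected services at all, whichever service they try.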
In recent small-scale pilots with key customers, a prototype of the step-up authentication service was used to evaluate the end-to-end process of token enrollment and the end-user experience of step-up authentication. So far the results of these pilots are promising. They show that the step-up authentication service is indeed a reliable, easy-to-use and scalable solution that fits the needs of institutions and their users. In the months to come, SURFnet will further develop the prototype into a production-ready service. This will be done in close collaboration with key customers, to make sure that the service meets the specific needs of universities, academic hospitals, research institutions etc. By making step-up authentication easy and convenient, yet secure and affordable, SURFnet aims to take trusted cross-institutional collaboration to the next level.
Eefje van der Harst