...
- SURFnet Step-up Authentication-as-a-Service: A study of the architecture and processes.
The need for stronger forms of authentication is felt by Identity Providers (IdP) within the SURFconext federation. A business case analysis performed by SURFnet in Q2 2012 shows a clear need among SURFnet’s constituency to address this need by introducing a service in the SURFconext environment that offers strong authentication on top of the existing identity hosted by a user’s home institution. This report is a study of the architectural and procedural aspects of introducing such a service.
A number of current and near future use cases (described in Chapter 1) have emerged for which username/password is no longer sufficient. These use cases are in the areas of student information systems, administrative systems, and in collaborative research in which privacy sensitive and/or medical data is handled. The need for better authentication can be effectively addressed by introducing a SURFnet operated service (referred to as “SURFsure” in this report) offering technical and organisational assistance to the IdPs.
Handling different Levels of Assurance (LoA, the confidence relying parties can have in the authenticity of an identity) within a federation must be based on open and accepted standards. While some of these standards are still under development, it is already possible to make future-proof choices for standards defining the semantics and communication of the LoA. The SURFsure service architecture described in Chapter 2 supports the signaling of the LoA within the SURFconext federation while at the same time remaining loosely coupled to SURFconext.
Higher Education Specific
- Information Security Guide: Effective Practices and Solutions for Higher Education: Two-Factor Authentication (2011)
About halfway through this document, one will find the Results from the 2011 Internet2/InCommon Survey on Campus Use of Two-Factor Authentication.
- Multifactor Authentication Approaches and Multifactor for InCommon Silver (2012)
Multifactor authentication (also referred to as two-factor authentication) adds another level of complexity and security to a password-only arrangement. Interest in multifactor continues to grow, as some federal agencies move in that direction. InCommon has added service offerings in this area, as well, and some schools now plan to use a second factor as a way to meet the requirements of the InCommon Silver Assurance Profile. Join our speakers to learn the basics about multifactor authentication, the pros and cons of different approaches to multifactor, and how one campus plans to use this approach for InCommon Silver.
...
MFA Technologies and whitepapers
- Information Security Guide: Effective Practices and Solutions for Higher Education: Two-Factor Authentication (2011)
The first half of this document describes what two/multi-factor authentication is, and provides a reasonably extensive summary of the methods and technologies for providing additional authentication factors, including security tokens, smart cards, biometrics, and "second channel authentication - mobile phone-based" approaches.
- Duo Security: Top 7 Reasons Companies Don’t Use Two-Factor Authentication (Dec 2012)
In the spirit of year-end reviewing and wrapping up, we’ve been conferring with the ghosts of security trends past, present, and future. One of the most notable trends we’ve seen is that 2012 was the year in which two-factor authentication really broke out of the security community and became part of the broader conversation about everyone’s online account security.
Just to illustrate, the Google Trends graph to the right shows search interest over time in the phrase “two factor authentication.” That spike in August 2012 is Mat Honan’s well-chronicled epic account hack and since then the baseline level of interest in two-factor authentication has been nearly twice as high as it was before.
Knowing what we all know now about how vulnerable our digital lives and our personal and company data are to hacking and account takeover, the key question really isn’t “Why do companies need to add two-factor authentication?” but “Why hasn’t every company added it already?”
Here’s a roundup of seven of the objections to implementing two-factor authentication that we routinely hear. If any of these sound like your company, talk to us about how easy two-factor authentication can be.
...