ITS Technical Architecture - Brick

...

Primary Architect:  Michael Hodges

Description:

Authentication establishes the identity of the person using an online service.

...

  • Passwords are failing as a sole line of defense.  Higher Ed is moving toward a common set of tools and practices for supporting multi-factor authentication: <https://wiki.cohortium.internet2.edu/confluence/x/YgBL>.

  • The FIDO Alliance is developing complementary international standards for MFA: UAF (passwordless) and U2F (second factor):
    <https://fidoalliance.org/about/overview/>
    <https://fidoalliance.org/assets/downloads/FIDO-U2F-UAF-Tutorial-v1.pdf>

  • Issuers of public credentials (Google, Yahoo, LinkedIn) allow individuals to opt in to MFA if they would like a higher level of security.  At some point the UH user community should also expect to be able to select a stronger level of authentication for their personal authentication needs.

  • Multi-factor authentication integration was incorporated into the Shibboleth v2 Identity Provider (IdP) in May 2014 and is known as the multi-context broker (MCB).  Work is underway to incorporate the same functionality into CAS, which will allow us to roll it out to the entire UH developer community.

  • Federated Service Provider (Federated SP) is a complementary Shibboleth technology.  Currently UH application developers do not write applications that support federated authentication.  In the future select applications may require this functionality.  UH users of these applications would still see the CAS login user interface, so the change would be seamless for them.  Users from other institutions would see the login user interface of their home institution.

  • Increasingly, authentication to cyberinfrastructure for research and scholarship is Shibboleth enabled.  The InCommon Federation has created a Research and Scholarship (R&S) category, and UH’s Shibboleth IdP has been registered in it.  As new services register as R&S service providers they automatically support authentication with UH credentials, because the IdP releases the R&S attribute bundle to any SP tagged with the category in federation metadata rather than requiring a per-service agreement.

  • The InCommon Federation has a multi-year plan to require the Bronze level of assurance as the minimum level of assurance.  This is in step with similar plans by the Federal Government, its agencies and its laboratories, some of which are also InCommon Federation members.  A gap analysis has been performed to determine what UH would need to do in order to assert the Bronze level of assurance with its Shibboleth IdP.  Implementing multi-factor authentication will address the most challenging of the Bronze deficiencies noted in the gap analysis report.
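The R&S behavior described above (new R&S service providers work with UH credentials without per-service configuration) is driven by an attribute release policy keyed on the entity category in federation metadata.  The fragment below is an added illustration for the Shibboleth v2 IdP, not configuration taken from UH's deployment: the policy id, the attribute ids and the category URI (the InCommon R&S URI current in 2014) are assumptions, and the attribute list is the R&S bundle as published by InCommon (eduPersonPrincipalName, mail, displayName, givenName, sn, with eduPersonScopedAffiliation optional).

```xml
<!-- attribute-filter.xml fragment (Shibboleth IdP v2); illustrative, not UH's own -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Release the R&S bundle to every SP whose federation metadata carries the
       R&S entity category.  No SP entityIDs are listed here, so a newly
       registered R&S SP is covered as soon as the IdP refreshes its metadata. -->
  <AttributeFilterPolicy id="releaseToRandS">
    <PolicyRequirementRule xsi:type="saml:EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://id.incommon.org/category/research-and-scholarship" />

    <!-- Required members of the R&S bundle -->
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <!-- Optional member of the bundle -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

The check a practitioner wants before enabling such a policy is that the category value is trusted only when it arrives in signed federation metadata (the IdP's metadata provider should verify the InCommon signing key), since an SP that could self-assert the tag in unsigned metadata would receive the bundle without having agreed to the R&S terms.  The attribute ids (for example `surname` for `sn`) must match those defined in the IdP's attribute-resolver.xml.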

...