
Questions for IdPs

Suggestion: for each area below, ask IdPs to rate themselves on the following scale:

  • Already implemented.
  • Could implement with small amount of manpower.
  • Could implement with significant manpower.
  • Could implement with low-cost system changes.
  • Could implement with high-cost system changes.
  • Would not get approval to make this change (please explain why).

Online survey: http://goo.gl/forms/vprx6EpNSO

1. Identity/account concept

  • Are accounts issued to individual persons only (i.e. there are no shared accounts)?
  • If shared accounts exist: is it possible to distinguish individual accounts from shared ones?
  • If individual accounts: are they traceable to the person? Are identifiers persistent?
  • Which unique identifier is used?

2. Registration and proof of identity

  • What identity vetting process is used? Face-to-face or otherwise?
  • Is it documented?
  • Is validation different for students, staff and faculty members? How?

3. Online authentication

  • Passwords?
  • Passwords with quality guarantees? What kind of guarantees?
  • Two-factor authentication?
  • If yes, which second factor? Is the eID used?
  • If no two-factor authentication: how large would the cost of providing it be?

4. Freshness of user data

  • Are accounts closed as an individual departs? How promptly?
  • Is the eduPersonAffiliation value updated as an individual departs? How promptly?

5. Step-up authentication

Step-up authentication means that the user first authenticates with a password and is subsequently asked for a second factor (such as a one-time password delivered to their mobile phone) when a service requires it.

  • Would you like GÉANT or your NREN to run such a service (if it is free of charge / if it incurs a cost)?
  • How many users would need such a service?
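The mechanism described above, as an added worked example written for this page (not code from GÉANT, any NREN or any IdP product): the first factor is a PBKDF2-hashed password, the second is a TOTP code (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits), and the session records which authentication context has been reached so a service can insist on the stronger one. The user record, the session dict, the context labels "password" and "mfa" and the PBKDF2 round count are illustrative assumptions; a real IdP would map the labels to its federation's AuthnContext values and keep the TOTP seed encrypted.

```python
"""Step-up authentication demo: password first factor, TOTP second factor.
Example code written for this page; user record, session layout and context
labels are illustrative assumptions, not any IdP's real implementation."""
import hashlib
import hmac
import secrets
import struct

PASSWORD_CTX = "password"   # first factor only
MFA_CTX = "mfa"             # password + TOTP (an IdP maps these to AuthnContext values)
PBKDF2_ROUNDS = 200_000     # assumed work factor for the password hash


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed sample user record (not real data). In production the TOTP
    seed should be stored encrypted, not in the clear beside the password hash."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_totp_step": -1,   # highest time step already consumed (replay guard)
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_password(user: dict, password: str) -> bool:
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(h, user["pw_hash"])


def verify_totp(user: dict, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock skew),
    but never for a step at or below the last one consumed, so that a code
    captured once cannot be replayed."""
    current = at_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= user["last_totp_step"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], candidate), code):
            user["last_totp_step"] = candidate
            return True
    return False


def login_password(user: dict, password: str, session: dict) -> bool:
    """First factor. On success the session reaches the password context only."""
    if not verify_password(user, password):
        return False
    session["authn_context"] = PASSWORD_CTX
    return True


def step_up(user: dict, code: str, session: dict, at_time: int) -> bool:
    """Second factor. Refused unless the password step already succeeded in this
    session; on success the session is upgraded to the MFA context."""
    if session.get("authn_context") != PASSWORD_CTX:
        return False
    if not verify_totp(user, code, at_time):
        return False
    session["authn_context"] = MFA_CTX
    return True


def satisfies(session: dict, required_ctx: str) -> bool:
    """Does the session meet the context a service asked for? MFA implies password."""
    order = {PASSWORD_CTX: 1, MFA_CTX: 2}
    return order.get(session.get("authn_context"), 0) >= order[required_ctx]


if __name__ == "__main__":
    # RFC 6238 reference seed; at unix time 59 the 6-digit SHA1 code is 287082.
    user = make_user("correct horse battery staple", b"12345678901234567890")
    session = {}
    assert not step_up(user, "287082", session, 59)          # no first factor yet
    assert login_password(user, "correct horse battery staple", session)
    assert not satisfies(session, MFA_CTX)
    assert step_up(user, "287082", session, 59)
    assert satisfies(session, MFA_CTX)
    print("step-up OK, context:", session["authn_context"])
```

The two checks a practitioner should not skip are visible in `step_up` and `verify_totp`: the second factor is only accepted on top of a session that has already passed the first one, and each TOTP time step is consumed once, so a phished or shoulder-surfed code cannot be replayed within the skew window.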

6. Provenance and level of assurance

  • Do you use a level of assurance? Which one?
  • Is the LoA self-asserted?
  • Is everything documented?
  • If not documented: what would documenting it cost?
  • Internal audits?
  • External audits?
  • If no audits: what would an audit cost?
  • How many users need a (higher) level of assurance?
  • Is there an Identity Management Practice Statement?


Results

Survey


Insights

  • Nick Roy: At Iowa, at one point, I had estimated about USD 2 million and 2,000 hours of staff time across pretty much all of IT to get rid of NTLMv2, and at the time, it would have broken things like printers and network-connected storage with no good replacement solution.  Warren Curry got pretty far down the authentication remediation road and I think had to back out due to some of the issues above.  I think U. Chicago is still working on achieving Silver, but with a second factor.  To date, only Virginia Tech (Mary Dunker) has achieved Silver, and only because they already had multi-factor hardware cryptographic tokens deployed.
  • Tom Barton: 1 year to get an auditor who knows about identity management
  • InCommon Survey
    • Is your institution interested in implementing either Bronze or Silver? - half yes, half no
    • Are you aware of any SPs that require Bronze or Silver? - only 1 yes
    • Does your institution have any users that need access to SPs requiring Bronze or Silver? - only 2 yes
    • Are there services your institution would like to use, but cannot because your IdP lacks a required assurance profile? - no
    • In what circumstances would it be valuable to your organization to be able to self-assert that your operation meets either of these specifications? - looking towards future needs (mostly), ease of obtaining the assurance level, chicken and egg problem, general security audit reporting, with external SPs
    • What specific components do you value the most? - identity vetting: almost all; credential process: half, authentication technology/strength: almost all, attribute assurance: half
    • Are you aware of federated authentication contexts that require or that you think should require multi-factor authentication? - half yes, half no
    • Interested in an InCommon Multi-Factor Authentication Assurance Profile? - mostly yes, others "I don't know", 1 no
    • Other assurance profiles? - mostly no, for R&S, trustmarks, NIST, research collaborations
    • Thoughts? - difficulties to get decision makers on board, multi-factor is excellent start, very few auditors understand or are qualified to verify the requirements for InCommon Assurance, big trust issues to overcome, interoperability and intercomparisons with international federations
