What this is: The OSIdM4HE work has identified "Authentication" as a significant element of an IAM system. Unlike the other areas, a team to look at authentication-related requirements and gaps is still to be convened. This page collects some initial items in this area to invite further discussion and participation, and eventual formation of a subteam and workstream.
Authentication Functional Model Concepts
- account, subscriber
- credentials, credential assignment, credential store
- authentication service
- authentication protocols, federated authentication
- password-based authentication
- strong authentication, PKI, two-factor, hard/soft tokens
- web-redirect-based authentication
- password management, key management
- monitoring and risk-based authentication
- assurance
Authentication System Requirements / Gaps / Opportunities
password management: A collection of utilities dealing with password changing.
- Web-based user password change: strength meter, dictionary checking, etc.
- Web-based user forgotten-password reset: question and answer, SMS, knowledge-based, etc.
- Helpdesk-based user password reset: logging, mail trail, etc.
- Password policy management: notifications, service shutoff, role-based strength enforcement, etc.
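As an added illustration of the first and last bullets above (a strength meter with dictionary checking, and role-based strength enforcement), here is a small password-policy checker. It is example code written for this page, not OSIdM4HE or any product's code; the word list, the leet-substitution table and the per-role minimum scores are constructed assumptions that a real deployment would replace with a breached-password list and institutional policy.

```python
"""Password policy check: dictionary test, character-class entropy score and
role-based minimum strength. Added example, not OSIdM4HE code. The word
list, leet table and role thresholds below are constructed for the example."""
import math
import re
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "university", "summer"}

# Constructed role-based policy: minimum meter value a role's password must reach.
ROLE_MIN_SCORE = {"student": 40, "staff": 50, "admin": 70}

# Undo common "leet" substitutions before the dictionary test (constructed table).
LEET = str.maketrans("@$10!3", "asloie")


@dataclass
class Verdict:
    score: int                      # 0..100 strength-meter value
    problems: list = field(default_factory=list)   # reasons for rejection
    accepted: bool = False


def _charset_size(pw: str) -> int:
    """Size of the alphabet an attacker would have to search, by class."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33
    return size


def strength_score(pw: str) -> int:
    """Map brute-force entropy, log2(charset ** len), onto a 0..100 meter;
    80 bits or more counts as full strength."""
    if not pw:
        return 0
    bits = len(pw) * math.log2(_charset_size(pw))
    return min(100, int(bits * 100 / 80))


def dictionary_hits(pw: str) -> list:
    """Dictionary words embedded in the password, ignoring case and leet."""
    normalized = pw.lower().translate(LEET)
    return sorted(w for w in COMMON_WORDS if w in normalized)


def check_password(pw: str, role: str, username: str = "") -> Verdict:
    """Apply length, dictionary, username and role-minimum rules."""
    problems = []
    score = strength_score(pw)
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    hits = dictionary_hits(pw)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
        score //= 2   # dictionary content makes the entropy estimate optimistic
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    minimum = ROLE_MIN_SCORE.get(role, max(ROLE_MIN_SCORE.values()))
    if score < minimum:
        problems.append(f"strength {score} below the {role} minimum of {minimum}")
    return Verdict(score=score, problems=problems, accepted=not problems)


if __name__ == "__main__":
    for pw, role in [("P@ssw0rd2024!", "student"), ("correct-horse-battery-staple", "admin")]:
        print(pw, role, check_password(pw, role, username="jdoe"))
```

The meter alone would rate "P@ssw0rd2024!" at full strength, which is why the dictionary test runs after leet normalisation and halves the score when it hits; unknown roles fall back to the strictest minimum rather than the most lenient.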
strong authentication:
- Two- (or multi-) factor: integration of token/SMS/etc. schemes into web sign-on and other authn services (e.g. Kerberos, AD)
- PKI: cert issuance and management, client tools, policy management, integration, etc.
risk-based authentication: methods used by large-scale consumer and commercial sites to reduce password theft and abuse.
- Real-time monitoring of authentication service logs looking for guessing, logins from unusual locations, etc.
- Use of long-term cookies, net addresses, etc. to better identify clients
- CAPTCHAs, email callbacks, etc. to respond to monitor-detected threats
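The three bullets above describe one pipeline: watch the authentication log, use the client's network address to judge whether a login is unusual, and answer a detected threat with a step-up challenge. The following added example sketches that pipeline over a handful of constructed log lines; it is illustration code written for this page, not OSIdM4HE code, and its log format, prefix-to-country table, thresholds and response strings are all assumptions.

```python
"""Risk-based authentication monitor over authentication service logs.
Added example, not OSIdM4HE code. Log format, thresholds, responses and the
IP-to-country table are constructed for the example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: "<ISO time> <user> <source ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 198.51.100.7 SUCCESS
2024-03-01T08:00:05 bob 203.0.113.9 FAIL
2024-03-01T08:00:06 bob 203.0.113.9 FAIL
2024-03-01T08:00:07 carol 203.0.113.9 FAIL
2024-03-01T08:00:08 dave 203.0.113.9 FAIL
2024-03-01T08:00:09 erin 203.0.113.9 FAIL
2024-03-01T08:00:10 frank 203.0.113.9 FAIL
2024-03-01T08:31:00 alice 192.0.2.44 SUCCESS
2024-03-01T09:00:00 alice 198.51.100.7 SUCCESS
"""

# Constructed stand-in for a GeoIP lookup: address prefix -> country code.
GEO = {"198.51.100.": "US", "192.0.2.": "NL", "203.0.113.": "XX"}

GUESS_THRESHOLD = 5            # failures from one source inside the window
GUESS_WINDOW = timedelta(minutes=5)


def country_of(ip: str) -> str:
    return next((c for prefix, c in GEO.items() if ip.startswith(prefix)), "??")


def parse(line: str):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def analyze(log_text: str) -> list:
    """Return (time, kind, subject, response) alerts in log order.
    kind is 'guessing' (keyed by source IP, many failures across any users)
    or 'unusual-location' (keyed by user, success from a country not seen
    in that user's earlier successful logins)."""
    alerts = []
    fails = defaultdict(deque)          # ip -> timestamps of recent failures
    seen_countries = defaultdict(set)   # user -> countries of past successes
    flagged_ips = set()                 # alert once per source, not per failure
    for line in log_text.splitlines():
        ts, user, ip, result = parse(line)
        if result == "FAIL":
            recent = fails[ip]
            recent.append(ts)
            while recent and ts - recent[0] > GUESS_WINDOW:
                recent.popleft()        # slide the window forward
            if len(recent) >= GUESS_THRESHOLD and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append((ts, "guessing", ip, "require CAPTCHA for source"))
        else:
            country = country_of(ip)
            known = seen_countries[user]
            if known and country not in known:
                alerts.append((ts, "unusual-location", user,
                               "email callback to confirm login"))
            known.add(country)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Two design points worth noting: the guessing detector is keyed on the source address rather than the account, so a low-and-slow sweep across many usernames from one address still trips it, and the location check only fires once the user has a baseline of earlier successes, so a first-ever login is not treated as anomalous.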
mobile authentication: Authentication methods tailored to the needs of mobile devices
- OAuth, other?
process authentication: Authentication methods tailored to the needs of processes and software clients.
- PKI, OAuth, other?
- methods to manage accountability of processes similarly to persons (linkage to registries, orgs)
social identity: social2SAML web authentication gateway
account linking: Tools and patterns for applications to deal with users with many accounts/logins.
eduroam: eduroam is a worldwide federation supporting wireless network access using RADIUS, EAP, and 802.1X technology. eduroam-US is the US participant.
- FreeRADIUS deployment for eduroam-US
- EAP methods and authn infrastructure
non-web federated authentication: Moonshot, SAML ECP, etc.
Commonly-used OS/HE Authentication Service Component Products
- MIT Kerberos, Heimdal
- CAS, Shibboleth, simpleSAMLphp
- LDAP directory (OpenLDAP, etc.)
- FreeRADIUS
- (Active Directory)
- (anything in PKI? InCommon cert service?)