
What this is: The OSIdM4HE work has identified "Authentication" as a significant element of an IAM system. Unlike the other areas, a team to look at authentication-related requirements and gaps has not yet been convened. This page collects some initial items in this area to invite further discussion and participation, and the eventual formation of a subteam and workstream.

Authentication Functional Model Concepts

account, subscriber

credentials, credential assignment, credential store

authentication service

authentication protocols, federated authentication

password-based authentication

strong authentication, PKI, two-factor, hard/soft tokens

web-redirect-based authentication

password management, key management

monitoring and risk-based authentication

assurance

Authentication System Requirements / Gaps / Opportunities

password management: A collection of utilities dealing with password changing.

  • Initial account/password setup
  • Web-based user password change: strength meter, dictionary checking, etc.
  • Web-based user forgotten-password reset: question and answer, SMS, knowledge-based, etc.
  • Helpdesk-based user password reset: logging, mail trail, etc.
  • Password policy management: notifications, service shutoff, role-based strength enforcement, etc.
  • Propagation of changed passwords to multiple credential stores (possibly via standard provisioning)

strong authentication:

  • 2- (or multi-) factor: integration of token/SMS/etc. schemes into web signon and other authn services (e.g. Kerberos, AD)
  • PKI: cert issuance and management, client tools, policy management, integration, etc.

risk-based authentication: methods used by large-scale consumer and commercial sites to reduce password theft and abuse.

  • Real-time monitoring of authentication service logs looking for guessing, logins from unusual locations, etc.
  • Use of long-term cookies, net addresses, etc. to better identify clients
  • CAPTCHAs, email callbacks, etc. to respond to monitor-detected threats
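The three bullets above form one loop: monitor the authentication log, remember what a client normally looks like, and choose a response. As an added example (not code from the OSIdM4HE project or any product on this page), the following monitor reads constructed syslog-style authentication records and raises three kinds of alert: repeated failures against one account (guessing), failures against several accounts from one source address (spraying), and a successful login from a country the account has never logged in from. The log format, the thresholds, the geo codes and the response actions are all assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the record format is assumed for this example.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges, "XX" a made-up country code.
SAMPLE_LOG = """\
2012-03-01T08:00:01 authn user=alice result=OK src=10.1.2.3 geo=US
2012-03-01T08:00:05 authn user=bob result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:06 authn user=bob result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:07 authn user=bob result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:08 authn user=bob result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:09 authn user=bob result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:10 authn user=bob result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:12 authn user=carol result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:13 authn user=dave result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:00:14 authn user=erin result=FAIL src=203.0.113.7 geo=XX
2012-03-01T08:30:00 authn user=alice result=OK src=198.51.100.5 geo=XX
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) authn user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window for failure counting (assumed)
ACCOUNT_FAIL_LIMIT = 5          # failures on one account within WINDOW (assumed)
SOURCE_ACCOUNT_LIMIT = 3        # distinct accounts failing from one source within WINDOW (assumed)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def analyze(lines):
    """Run the monitor over log lines in order and return the list of alerts raised."""
    alerts = []
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(deque)    # src  -> (timestamp, user) of recent failures
    known_geo = defaultdict(set)         # user -> countries seen on successful logins
    flagged = set()                      # alerts already raised, to avoid repeats

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, src, geo = ev["ts"], ev["user"], ev["src"], ev["geo"]

        if ev["result"] == "FAIL":
            # Guessing: many failures against one account inside the window.
            q = fails_by_user[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= ACCOUNT_FAIL_LIMIT and ("guess", user) not in flagged:
                flagged.add(("guess", user))
                alerts.append({"type": "password-guessing", "user": user,
                               "action": "require CAPTCHA on further attempts and notify user"})

            # Spraying: one source failing against several different accounts.
            s = fails_by_src[src]
            s.append((ts, user))
            while s and ts - s[0][0] > WINDOW:
                s.popleft()
            if len({u for _, u in s}) >= SOURCE_ACCOUNT_LIMIT and ("spray", src) not in flagged:
                flagged.add(("spray", src))
                alerts.append({"type": "password-spraying", "src": src,
                               "action": "require CAPTCHA for all logins from source"})
        else:
            # Unusual location: success from a country this account has never used before.
            if known_geo[user] and geo not in known_geo[user]:
                alerts.append({"type": "unusual-location", "user": user, "geo": geo,
                               "action": "email callback before granting session"})
            known_geo[user].add(geo)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The per-account and per-source windows are deliberately separate: a spraying campaign never trips the per-account threshold, which is exactly why large sites count by source as well. The `known_geo` set stands in for the second bullet's client identification; a production monitor would key it on long-term cookies and network addresses rather than only on a country code, and feed the `action` field to the CAPTCHA or email-callback step of the signon flow.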

mobile authentication: Authentication methods tailored to the needs of mobile devices

  • Small display size, low bandwidth, and non-browser mobile apps all mean that traditional web signon systems work poorly on mobile devices.
  • OAuth, other?

process authentication: Authentication methods tailored to the needs of processes and software clients.

  • PKI, OAuth, other?
  • methods to manage accountability of processes similarly to persons (linkage to registries, orgs)

social identity: social2SAML web authentication gateway

account linking: Tools and patterns for applications to deal with users with many accounts/logins.

eduroam:  eduroam is a world-wide federation supporting wireless network access using RADIUS, EAP, and 802.1x technology. eduroam-US is the US participant.

  • FreeRADIUS deployment for eduroam-US
  • EAP methods and authn infrastructure

non-web federated authentication: Moonshot, SAML-ECP, etc

Commonly-used OS/HE Authentication Service Component Products

MIT Kerberos, Heimdal

CAS, Shibboleth, simpleSAMLphp

LDAP directory (OpenLDAP, etc.)

FreeRADIUS

(Active Directory)

(anything in PKI?  InCommon cert service?)

Other Potential Products

CAS-PM for password management