A representative from a larger higher education organisation in Switzerland recently stated that they identify roughly 40 compromised user accounts on average per month. Extrapolated to all Swiss AAI users, that would amount to more than 1’000 compromised accounts per month. Many of them are probably not even detected. Many of them probably belong to young students who may not always take proper care of their credentials. But every now and then, staff members and professors too learn what it means to have their digital identity impersonated. So, how can edu-ID support SWITCHaai services in enhancing authentication security?
What is a Factor?
Enhancing authentication security can be achieved by requiring more than one factor during authentication. In the context of authentication, a factor is either:
- something a user knows, e.g. password or PIN
- something a user has, e.g. a key or device
- something a user is, e.g. physical characteristic like fingerprint or iris
- somewhere a user is, e.g. geographical location or network location.
Multi-Factor Authentication (MFA) is about requiring a user to present two or more of these factors to enhance the authentication security. In a federated environment like SWITCHaai, Multi-Factor Authentication can be implemented either at services that need it or at the Identity Provider for all users of an organisation.
Requiring MFA at Service
The vast majority of SWITCHaai users today authenticate with username and password only. However, some SWITCHaai services need more secure authentication. Examples are certain HR services, services processing student grades, or the AAI Resource Registry. These services can implement their own enhanced authentication security on top of the username/password authentication provided by SWITCHaai (first factor) by requiring a second factor (e.g. a one-time code). This approach also works if a user’s Identity Provider does not support MFA. Implementing MFA directly at a service is, however, challenging and puts the burden on the service operator. Therefore, it does not scale well with a growing number of SWITCHaai services.
Requiring MFA at Identity Provider
Instead of implementing Multi-Factor Authentication at services, it would be more efficient to implement it at all Identity Providers because there are more than 1’300 services in SWITCHaai but less than 70 Identity Providers.
Unfortunately, very few SWITCHaai Identity Providers have supported MFA so far, too few to rely on it more widely across organisation boundaries. The low adoption of Multi-Factor Authentication likely had to do with the considerable effort required to deploy it. The technical effort is one thing, but the non-technical effort can be considerable as well: processes to deploy and revoke second factors have to be created, helpdesk processes adapted, and users as well as staff members trained.
Two-Step Login for edu-ID
The two previous sections showed that Multi-Factor Authentication does not scale well when it is implemented at services, and that too few Swiss Higher Education institutions have implemented it at their Identity Provider in the past for it to be usable. Therefore, edu-ID steps in to introduce Multi-Factor Authentication for its users.
In December 2018 the SWITCH edu-ID started to support Multi-Factor Authentication. For end-users this feature is called “Two-Step Login”. How does it work? All edu-ID users can enable Two-Step Login on their My edu-ID page to protect their edu-ID account. SWITCHaai services can modify their configuration to require users to enable Two-Step Login before they access the service. To enable Two-Step Login, a user first needs to add a mobile phone number to which a verification code is sent. Additionally, the user is instructed to safely store a set of recovery codes. The recovery codes allow users to regain access to their account in case their mobile phone is not available (e.g. forgotten at home, replaced, lost, stolen or broken).
Once Two-Step Login is initialized, in a first step a user needs to authenticate – as they normally do – with username/password. In a second step the user is asked to enter a one-time code that is sent as an SMS message to the registered mobile phone.
Very soon, time-based one-time passwords (TOTP) will also be supported as an alternative to SMS codes. This method is more secure and, unlike SMS codes, does not require a network connection on the mobile phone. On the other hand, a user then needs to install an app on their mobile phone or desktop computer to generate the one-time codes.
How Services can Use Two-Step Login
All users can optionally enable Two-Step Login to protect their edu-ID account. Once enabled, access to the My edu-ID page will require Two-Step Login. However, SWITCHaai services can also require a user to use Two-Step Login. A SWITCHaai service can signal that it wants users authenticated with Two-Step Login by requesting a specific SAML Authentication Context Class. But which one? In 2018, the academic identity federations world-wide agreed to use the REFEDS Multi-Factor Authentication (REFEDS MFA) profile to express that a user was authenticated with more than just username and password. More details on how to configure a service to require Two-Step Login are available in the Two-Step Login documentation for SWITCHaai Service Provider administrators.
Alternatively, the edu-ID Identity Provider can also enforce that Two-Step Login is used for certain services without these services having to request the above-mentioned REFEDS MFA authentication context class. Currently, this needs manual configuration applied by SWITCH; however, it might soon be possible to request Two-Step Login for a service directly in the AAI Resource Registry. This way no changes are required on the service side to enforce MFA login, provided the service has only edu-ID users.
Third Factor is for Free!
Why does the title of this blog post imply that edu-ID supports more than two factors? It turns out that a SWITCHaai service could have supported a form of Multi-Factor Authentication relatively easily even before Two-Step Login was introduced for edu-ID users. With a simple web server directive, the (network) location of a user can also be used when evaluating the access control rules. For an example of how to implement a three-factor authentication, see the last section of the Two-Step Login documentation.
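The Shibboleth SP configuration that the two sections above describe, as an added example (not taken from SWITCH's documentation): it requests the REFEDS MFA context for the second factor, enforces the asserted context with an access rule, and adds the client's network location as the third factor. It assumes Apache 2.4 with mod_shib, a protected path /secure, and 192.0.2.0/24 as a placeholder for the organisation's trusted network range.

```apache
# Added example (not from the page or SWITCH): Apache httpd + Shibboleth SP
# settings for a location that needs edu-ID Two-Step Login plus a trusted
# network location. Placeholders: /secure (protected path), 192.0.2.0/24
# (trusted network range).
<Location /secure>
    AuthType shibboleth
    # Factor 1: a SAML session (username/password at the IdP) is mandatory.
    ShibRequestSetting requireSession 1

    # Factor 2 (request): ask the IdP for the REFEDS MFA authentication
    # context class. This only tells the IdP what is wanted; it is not
    # an access decision by itself.
    ShibRequestSetting authnContextClassRef https://refeds.org/profile/mfa
    ShibRequestSetting authnContextComparison exact

    <RequireAll>
        # Factor 2 (enforce): the session's asserted AuthnContextClassRef
        # must be the REFEDS MFA class; a password-only assertion is denied.
        Require authnContextClassRef https://refeds.org/profile/mfa
        # Factor 3: the client must come from the trusted network
        # (mod_authz_host); remote users outside the range are denied
        # even with a valid MFA session.
        Require ip 192.0.2.0/24
    </RequireAll>
</Location>
```

Requesting the context class and checking it are separate steps: without the `Require authnContextClassRef` rule, a session established with a different context class would still be accepted.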
Credits: Image with two locks under (CC BY 2.0) by frankieleon.