An increasing number of services and universities require edu-ID users to verify their identity with an additional factor in a process called Two-Step Login or Two-Factor Authentication.
One year ago, about 5% of all users had enabled this secure login method. As of today, this number has tripled to 15% of all 930’000 edu-ID users.
This is great news from a security point of view and has led to the following two changes that were introduced end of August 2023.
Just in time for the yearly Trust and Identity Workgroup meeting the barrier was broken mid May. To celebrate the 700’000th edu-ID user account the trust and identity team had, however, to wait a few more weeks, because several team members were on vacation at that time. But it’s never too late for cake 😀
We hope to soon celebrate the cake for 800’000 accounts when University of Zurich, ETHZ, EPFL and other universities adopt edu-ID in the coming months.
Lifelong learning benefits from lifelong user accounts. SWITCH edu-ID accounts are such lifelong user accounts. However, lifelong sometimes does not mean forever, which may be a surprise in this context. Why is that so?
Due to data privacy laws a life long account is – like a lifelong prison sentence – not for all eternity. At some point an account is deleted or archived even though its owner is still alive and well.
After a surprisingly clear defeat of the e-ID proposal in the national referendum early March 2021, the federal administration presented plans for a new attempt a month ago with a discussion paper on the target vision for an e-ID (DE, FR).
SWITCH is taking a stand and handed in a position statement end of September 2021 on this discussion paper in German: Stellungnahme SWITCH Zielbild E-ID final_sig.
Continue reading “Swiss E-ID, take two – SWITCH takes a stand”
On 7 March, Switzerland rejected proposed legislation to establish an e-ID.
As a neutral and independent foundation for Swiss universities, SWITCH has over 20 years’ experience in the field of electronic identities and participated in the process of designing the e-ID. We interviewed Christoph Graf, Programme Manager of SWITCH edu-ID, about the next steps in introducing an e-ID in Switzerland and the role SWITCH can play in this process.
Read more.
Like described in the blog post Sending Users on the Right Path, it sometimes is in everybody’s interest to guide end-users on a certain path to achieve a goal. Such helpful nudges are also used during account creation when end-users choose how to create their SWITCH edu-ID account.
Continue reading “The Right Way to Create an Account”In SWITCH edu-ID the e-mail addresses play a crucial role not only for communication with an edu-ID user but also for authentication. Every e-mail address associated to an edu-ID account also serves as login name. An e-mail address can also be used to reset the password of an edu-ID account. And unless Two-Step login is activated, this would be sufficient to gain control of an account.
Unfortunately, many e-mail addresses don’t belong permanently to the same person. When a student finishes her studies, she will loose her university e-mail address after some time. When a staff member changes jobs, he won’t keep his company e-mail address either.
In case of popular names, some organisations re-assign e-mail addresses to persons with the same name, hopefully only after a long grace-period. If such a “recycled” e-mail address is still associated to a user account of the original holder of this address in a system like SWITCH edu-ID, this might cause severe security problems.
Therefore, SWITCH edu-ID has some automated mechanisms to detect, remove, replace and inform about e-mail addresses that no longer work. How do these processes work?
On August 19, 2020, the Berne University of Teacher Education (PHBern) switched over to SWITCH edu-ID, thus filling the dozen:
More than 8000 students and employees of the PHBern now have an edu-ID account and can use it to access services of their own PH as well as those of other Swiss universities which are open to members of PHBern.
Ulrich Weisenseel, head Services Informatik PHBern, about the planning and adoption:
“When the first planning steps were taken in 2018, the analyses showed that PHBern users accessed more than 100 services via AAI accounts. A picture that looks similar at many universities. University members usually access 10 to 20 times more external than internal services, with the number of logins naturally being highest for the most prominent services such as a university’s own Learning Management System. At PHBern, ILIAS and the intranet “My PHBern” swing out at the top in terms of access numbers.
In December 2020, the Swiss Library Service Platform SLSP goes live[1] after six years of preparation.
From then on, library users will use their SWITCH edu-ID account to register with their research libraries and catalogues. This is expected to affect between 0.5 and 1 million users – especially all Swiss university members.
“In today’s knowledge society, unrestricted and timely access to scientific information is of great importance. By guaranteeing access to diverse information resources, academic libraries play a central role in research and teaching at universities, but also in the lifelong learning of the population. SLSP sees itself as a service provider for all academic libraries and contributes to establishing a seamless flow of information for the knowledge society”.
Continue reading “SWITCH edu-ID as door opener for libraries”
After reaching 100’000 accounts in March 2019, we were able to report 150’000 accounts eight months later. And today, I have the pleasure to announce that SWITCH edu-ID counts now over 200’000th accounts.
Of course, we intented to stick with our tradition to celebrate new landmarks with a cake featuring the number of accounts and a photo with the team behind the SWITCH edu-ID. The cake was already ordered… and if things went as planned, you would now find its picture in this post.
But we needed to bring our plans in line with the measures against COVID-19. Therefore, we had to cancel the cake and change the way the team photo was taken.
For the time being – and if we trust the figures published by the WHO – we can still claim that there are more confirmed identities in the SWITCH edu-ID than there are confirmed COVID-19 cases worldwide (184’975).
Since a few months now, edu-ID users can secure their account with multi-factor authentication (Two-Step Login). However, currently 99.5% of all edu-ID accounts still rely exclusively on username and password authentication. It is unlikely to quickly change soon in the near future, despite the death of the password has been announced time and time again. The password remains the easiest, best known and – in many cases – the cheapest authentication solution. Therefore, the edu-ID team invests a lot of effort into assisting users to choose a strong password and to store it securely. Continue reading “Secrets of the edu-ID passwords”
Openness is one of the promises made by SWITCH edu-ID. In recent years, universities have increasingly opened up to additional user groups such as continuing education students or MOOC participants. Cooperation with external parties is becoming increasingly important overall, be it with other universities, research institutions or partners from the private sector. Academic institutions are expanding their offerings, and not every person who makes use of university services has to become an official member of the university.
However, most service providers do not simply want to blindly trust a self-declared identity that users bring with them (i.e. a “naked” edu-ID).
There are many reasons why one wants to protect applications and content from unauthorized access, e.g. to prevent data theft or manipulation or to comply with data protection or license regulations. And if abuse has taken place despite all precautions, one wants to be able to find out who one can hold liable for damages. Of course, this can be difficult with unchecked identities, even if the majority of users behave correctly and have provided the correct personal data for their digital identity. So is this a reason not to trust edu-ID identities?
Continue reading “NOT for university members only”
Since December 2018 the edu-ID login has supported multi-factor authentication in form of a two-step login that relies on SMS codes. However, receiving one-time SMS codes requires a mobile phone. Not all users want to add a mobile phone number to their edu-ID account. Furthermore, SMS messages generally cannot be securely sent. There is always the risk that somebody else intercepts SMS messages. Some edu-ID users also want to use multi-factor authentication for all their edu-ID logins but without entering a one-time code several times per day.
To address the above issues reported by the community, we extended the edu-ID two-step login in the following three areas…
SWITCH invites you on Wed, 15 May 2019 to the 2nd Trust & Identity WG Meeting combined with the SWITCH edu-ID Update Event in Berne.
Registration is open until Tue, 7. May 2019 and required for logistical reasons.
Refer to the registration page for the draft agenda and schedule.
A longer section of the event is dedicated to SWITCH edu-ID. The heads of IT of University of Lucerne and Distance University will talk about their adoption experience.
Administrators of either an Identity Provider or Service Provider registered in SWITCHaai as well as the SWITCHpki registration authority operators and all persons involved in (future) planning and adoption of SWITCH edu-ID are invited to participate.
What’s the SWITCH Trust & Identity WG?
The SWITCH Trust & Identity WG comprises representatives of all SWITCHaai Participants and SWITCHpki Participants in the SWITCH Community and the Extended SWITCH Community.
This group is informally involved with the further development of SWITCHaai/edu-ID and SWITCHpki and has the opportunity to provide feedback if there are questions or changes upcoming.
Creating a new law is a long journey. We already featured several “making of” stages of the Swiss E-ID Law and the contributions of SWITCH in our E-ID category: consultation of an E-ID Concept in 2015, consultation of an early draft E-ID Law in 2017, publication of proposed law in 2018.
Another hurdle was recently cleared with the National Council approving the proposed law with relatively minor changes in March 2019 (for the interested: this business is referenced under 18.049). A minority wanted to change to government-issued Electronic Identities (eIDs), but the proposed market model was upheld.
Next step is the debate in the Commission of Legal Affairs of the Council of States in April 2019. In the absence of major changes, the law can be put in force in 2021.