Since December 2018 the edu-ID login has supported multi-factor authentication in form of a two-step login that relies on SMS codes. However, receiving one-time SMS codes requires a mobile phone. Not all users want to add a mobile phone number to their edu-ID account. Furthermore, SMS messages generally cannot be securely sent. There is always the risk that somebody else intercepts SMS messages. Some edu-ID users also want to use multi-factor authentication for all their edu-ID logins but without entering a one-time code several times per day.
To address the above issues reported by the community, we extended the edu-ID two-step login in the following three areas…
Category: Digital Identities
Trust & Identity WG Meeting / SWITCH edu-ID Update Event 2019
SWITCH invites you on Wed, 15 May 2019 to the 2nd Trust & Identity WG Meeting combined with the SWITCH edu-ID Update Event in Berne.
Registration is open until Tue, 7. May 2019 and required for logistical reasons.
Refer to the registration page for the draft agenda and schedule.
A longer section of the event is dedicated to SWITCH edu-ID. The heads of IT of University of Lucerne and Distance University will talk about their adoption experience.
Administrators of either an Identity Provider or Service Provider registered in SWITCHaai as well as the SWITCHpki registration authority operators and all persons involved in (future) planning and adoption of SWITCH edu-ID are invited to participate.
What’s the SWITCH Trust & Identity WG?
The SWITCH Trust & Identity WG comprises representatives of all SWITCHaai Participants and SWITCHpki Participants in the SWITCH Community and the Extended SWITCH Community.
This group is informally involved with the further development of SWITCHaai/edu-ID and SWITCHpki and has the opportunity to provide feedback if there are questions or changes upcoming.
Switzerland’s E-ID Law clears further hurdles
Creating a new law is a long journey. We already featured several “making of” stages of the Swiss E-ID Law and the contributions of SWITCH in our E-ID category: consultation of an E-ID Concept in 2015, consultation of an early draft E-ID Law in 2017, publication of proposed law in 2018.
Another hurdle was recently cleared with the National Council approving the proposed law with relatively minor changes in March 2019 (for the interested: this business is referenced under 18.049). A minority wanted to change to government-issued Electronic Identities (eIDs), but the proposed market model was upheld.
Next step is the debate in the Commission of Legal Affairs of the Council of States in April 2019. In the absence of major changes, the law can be put in force in 2021.
Managing User Affiliation with the Organisation Administrator Interface
The edu-ID is a user-centric system in which users generally manage their account data themselves. And yet, some data relates to and is thus asserted by organisations like universities. Therefore, the edu-ID system provides several APIs for organisations so that they can manage data about users they are authoritative for. A new way to manage this data is the edu-ID administration interface for organisations, which is presented in this blog post.
Continue reading “Managing User Affiliation with the Organisation Administrator Interface”
Two or More Factors for edu-ID
A representative from a larger higher education organisation in Switzerland recently stated that they identify roughly 40 compromised user accounts on average per month. Extrapolating this number for all Swiss AAI users, this number would grow to more than 1’000 compromised accounts per month. Many of them are probably not even detected. Many of them probably belong to young students who may not always take proper care of their credentials. But every now and then, also staff members and professors learn about the nightmares of impersonation of their digital identity. So, how can edu-ID support SWITCHaai services to enhance authentication security? Continue reading “Two or More Factors for edu-ID”
E-ID law: SWITCH contributing to parliamentary hearing
At its meeting on 1 June 2018, the Federal Council adopted a dispatch to Parliament containing a draft for an E-ID law (see corresponding press release in DE, FR and IT; for follow-ups see “18.049 Business of the Federal Council”).
The National Council’s legal commission now runs the business. On 15.11.2018, it held a hearing with representatives of industry, public corporations, potential providers of E-ID solutions and interested parties from civil society. As a potential provider, SWITCH was able to take part in this hearing.
This draft E-ID law largely follows the preliminary draft consulted last year (press release with link to consultation report at page bottom). It does not come as a surprise, therefore, that the position of SWITCH expressed towards the preliminary draft also applies to the new draft law – including the criticism voiced therein. Continue reading “E-ID law: SWITCH contributing to parliamentary hearing”
There Can Be Only One!
As a child of the 80’s, of course I have seen the movie “Highlander”. In our “clone wars” (referencing Star Wars) against edu-ID duplicate accounts, I therefore remember the famous high lander quote “there can be only one”. Slightly adapted, this quote fits: “There can be only one edu-ID account per person”. Thanks to the automatic merging process described in this article, we now have the weapon in our hands to reach this goal.
Clone Wars
Duplicate user accounts on a single system are sooner or later causing a nightmare. One ambition of the SWITCH edu-ID has always been the prevention of duplicate user accounts. However, only a few weeks after the edu-ID launch in 2015 we already found indications for a couple of duplicate accounts. How did that come about and what can we do to prevent duplicate accounts?
New article “In The Code: Nur ein Passwort für alles? “
Is one password for everything the right way? Could E-ID be a suitable solution to facilitate users life? Christoph Graf discusses such questions and explains how SWITCH edu-ID fits in the ID landscape and what our expectations about E-ID would be. Read more (in German)
Sending Users on the Right Path
This blog post describes the edu-ID Login Link composer that allows initiating certain processes that an edu-ID user goes through to login, register or complete his user attributes.
In a previous blog post we presented how AAI Service Provider (SP) administrators can customize the edu-ID registration and login pages individually for their service. However, an SP administrator can not only brand the edu-ID pages with a custom logo or custom text but he can also influence the process itself used when users register, login or when they complete their account data. Examples of such process modifications are:
- To send a user automatically to a specific URL after registration or login
- To make a user first provide a specific verified or unverified attribute (e.g. mobile number or home postal address) and then send him back to the service
Both of these example scenarios have been used for instance by the Swissbib service for several months. Swissbib users sometimes have to provide a verified mobile number and/or postal address before they get access to national license content, which – by agreement – should be only available to residents of Switzerland.
So, how can an AAI SP administrator customize the edu-ID processes to implement the above and more scenarios? All that is needed is to send the user on the right path, or rather to the right URL. For all those not wanting to get familiar with the technical details of how these URLs have to be composed to achieve a certain process change, we have created a useful tool that makes the URL generation very easy: The edu-ID Login Link Composer.
The edu-ID Login Link Composer consists of a form with several inputs that are used to generate a link which triggers the requested behaviour. The user then just has to be sent to the generated URL to start the process.
Try out the edu-ID Login Link Composer with your own AAI service.
Identity Management Evolution
What does it take for a university to adopt the SWITCH edu-ID? This is the question SWITCH and seven partners (EPFL, FHNW, UNIFR, UNIGE, UNIL, UNISG and ZHAW) are addressing in the project “Swiss edu-ID Deployment Step 1” as part of swissuniversities’ program «Scientific information». The project advanced nicely and would justify an article on its own. But let’s draw your attention to an interesting side product of this project: we learned how electronic identities are managed in our community – and how the approaches are evolving over time and why.
Consultation on draft of federal E-ID law
At its meeting on 22 February 2017, the Swiss Federal Council opened a consultation on legislation on electronic identification (E-ID law, see announcements: DE, FR, IT). The consultation ended 29 May 2017.
SWITCH participated in this consultation and confirms the importance of a well-functioning and generally accepted E-ID. The identity service SWITCH edu-ID/SWITCHaai could potentially benefit from such an E-ID legislation: either to start offering an E-ID function itself, or by consuming E-ID services. Such use cases – from SWITCH and from other parties – may become important drivers for the spread of E-ID beyond pure e-government applications and for the emergence of an general-purpose E-ID ecosystem.
After evaluating the proposed delivery model in the draft E-ID-law, SWITCH proposes its revision. To ensure swift implementation and to reduce risks and complexity, SWITCH urges that the proposed market model be abandoned in favour of an implementation by the Swiss Confederation itself or by mandating it to a third party.
If the market model is to be pursued nevertheless, SWITCH proposes the use of a multi-stakeholder expert group to resolve the many open questions arising from the draft. If this group can not achieve its objectives, the market model is to be abandoned once and for all in favour of the proposed government-driven implementation model for an E-ID.
You are invited to read the full answer of SWITCH to the consultation (in German): 20170529 Vernehmlassungsantwort SWITCH E-ID-Gesetzesentwurf.
Bye-bye Cloud ID – Welcome SWITCH edu-ID
About 27,000 people have got mailing from the SWITCH edu-ID team April 19:
Instead of their former Cloud ID account, SWITCH edu-ID would be used as from 1st May 2017 in order to access the services SWITCHdrive and SWITCHengines.
But how should the vast majority of those users, who did not already have a SWITCH edu-ID account, come to such an identity?
Changeover without effort for 98% of users
The usual way to generate a SWITCH edu-ID account is self-registration – this in line with the principle of user centrism. However, in this case the new accounts were generated automatically in order to spare users effort.
Users who have linked their SWITCH edu-ID account with their existing AAI account(s) have substantially facilitated proper account assignment and account aggregation during conversion. Continue reading “Bye-bye Cloud ID – Welcome SWITCH edu-ID”
Trust in federated AAI: with a particular attention to SWITCHaai
SWITCHaai has a long and successful history in enabling access to hundreds of mainly academic web resources by reusing the authentication mechanisms at the heart of participating organisations.
When joining the SWITCHaai team a couple of years ago, I noticed two things about trust: a) it was just there, and b) no one talked about it. “Trust is established when no one talks about it anymore” someone said. It made me wonder how such a unique construction could be there and just work. There must have been many detailed questions that had to be resolved to get to that point! My curiosity was piqued, so, I started delving into this fascinating topic. How come all of these many service providers, identity providers, end users, organisations and federation partners, commercial or not, just do what the others would expect from them and don’t break trust?
Let’s start with an overview of the roles within an identity federation and their particular expectations towards each other and the federation as a whole. Continue reading “Trust in federated AAI: with a particular attention to SWITCHaai”
eduKEEP: Promoting the Swiss edu-ID Concept Internationally
With the Swiss edu-ID SWITCH will introduce many new features and enhancements to the already well established SWITCHaai service. However, one aspect is not just an improvement, but rather a paradigm shift: the change from organisation-centric to user-centric identity management.
Continue reading “eduKEEP: Promoting the Swiss edu-ID Concept Internationally”