Versions Compared

Old Version 25

changes.mady.by.user Sebas Veeke

Saved on

compared with

New Version Current

changes.mady.by.user Peter Clijsters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

borderColor#4fb3cf
bgColor#ffffff
titleColor#ffffff
titleBGColor#4fb3cf
borderWidth2
borderStylesolid

...

SURFsecureID gives institutions secure access to

...

services

...

. Better security is particularly critical for

...

services handling

...

sensitive data

...

.

...

Such services require stronger forms of authentication than a username and password in order to limit the risk of

...

security incidents.

The availability of Strong Authentication functionality enables institutions to enforce strong authentication for cloud services linked to SURFconext. SURFconext acts as a link between the institutions and service providers. Institutions can select the services they wish to secure with stronger authentication.

...

Institutions can use SURFsecureID in two ways. Both can be used at the same time:

  1. In addition to an existing institutional login. SURFsecureID is only used for the 2nd factor. This is especially interesting for use by a central (authentication) facility such as ADFS, Citrix or F5 BIGIP. This facility handles the 1st factor itself and calls SURFsecureID for the 2nd factor if necessary. This makes strong authentication available for a range of internal and external (cloud) services. This option is also called Second Factor Only, especially in the more technical documentation.
    Image Added

  2. For a (cloud) service. The service outsources the complete login (ie both the 1st and the 2nd factor) to SURFconext. The 1st factor (username / password) via the IdP and the 2nd factor via the available SURFsecureID tokens.

    The service (Service Provider, or SP) is connected to SURFconext which is configured to call SURFsecureID for this service. This makes it especially easy for services already connected to SURFconext to use SURFsecureID as this is transparant for the service. The service can use either SAML or OpenID Connect to connect to SURFconext. You can make use of step-up policies in SURFconext to only request SURFsecureID for specific users (attribute based) or locations (IP adres based). Also, the service can request a specific LoA level in the request to SURFconext (NB: before june 2021, this was only possible when the service was connected to SURFsecureID directly).

    Image Added

SURFsecureID gives access to services via five different types of tokens: SMS, Tiqr (smartphone app)

...

, Azure MFA, YubiKey (USB hardware token) or FIDO2 token. An institution can choose which tokens they want to allow for their users. Users first log in with their institutional account and

...

are then prompted to confirm their identity with

...

their token. In this way there is a second layer of security

...

.

SURFsecureID is available at an additional fee for all institutions connected to SURFconext.

How does

...

token registration work?

...

An institution can either allow their users to perform self-service token registration, or have a servicedesk validate the user's identity before a token can be used. These different processes result in a different level of assurance (LoA) for the registered token.

Self-service token registration:

  1. The user registers his preferred token (SMS, Tiqr, Azure MFA, Yubikey or FIDO2) in the registration portal
  2. The user registers a recovery method (SMS or recovery code).
  3. Now the user can log in to any service with a level of assurance lower or equal to LoA1.5.

Token registration via the institution's servicedesk:

  1. The user registers his preferred token (SMS, Tiqr, Azure MFA, Yubikey or FIDO2) in the registration portal
  2. User must visit his institution's service desk

...

  1. to have an

...

  1. authorised employee verify his identity

...

  1. .
  2. This employee will

...

  1. bind

...

  1. the user's token to his account.

...

  1. After that the user's

...

  1. token will be activated.

...

  1. Now the user can log in to any

...

SURFconext Strong Authentication supports three different types of tokens: SMS, Tiqr, YubiKey.

Section
Column
width50%
Panel
borderColor#4fb3cf
bgColor#FFFFFF
titleColor#ffffff
titleBGColor#4fb3cf
borderWidth2
titleTiqr
borderStylesolid
Column
width80%

Tiqr

  • NB: Available in fall 2015
  • Authentication app for Apple iOS and Android smartphones
  • Smartphone must have camera and active internet connection.
  • User must download Tiqr app for iOS or Android
  • A Tiqr account for SURFconext Strong Authentication must be created for future login
  • User authenticates with app-specific PIN code after receiving a push-notification on their phone
  • If push-notifications are disabled a QR code must scanned to authenticate.
Column
width20%

Image Removed

Column
width50%
Panel
borderColor#4fb3cf
bgColor#FFFFFF
titleColor#ffffff
titleBGColor#4fb3cf
borderWidth2
titleSMS
borderStylesolid
Column
width80%
  • Suited for all types of mobile phones (work or private) that can receive SMS
  • User receives a one-time password (OTP) via SMS
  • First 500 SMS transactions per month per institution are included
  • All SMS transactions that exceed 500/month will be charged at €0,06 (VAT excluded)
Column
width20%

Image Removed

 

 

 

 

Column
width30%
Panel
borderColor#4fb3cf
bgColor#FFFFFF
titleColor#ffffff
titleBGColor#4fb3cf
borderWidth2
borderStylesolid
Column
width80%

YubiKey

  • Users will need a YubiKey hardware token (Standard, Edge or Neo).
  • Users will need a device with a USB-port when authenticating.
Column
width20%

Image Removed

Section

The architecture of the SURFconext Strong Authentication is designed as such that SURFnet can add other authentication tokens in the future. If such a need arises within member institutions, SURFnet will first research technical capabilities of other token solutions and perform a cost-benefit analysis, before deciding if adding the extra token to SURFconext is indeed feasible. Please note that SURFconext Strong Authentication is designed to facilitate strong authentication for cloud applications. As such, for any new token solution to be connected to SURFconext Strong Authentication, SAML2.0 compliancy and cloud based are necessary prerequisites.

Our roadmap already foresees in some activities in 2016 and beyond to explore the possibilities to add other authentication tokens to SURFconext Strong Authentication.

 

 

 

 

...

  1. service with a level of assurance lower or equal to LoA2 or LoA3 (depending on the registered token).