06 - Safe and secure authentication mechanism in consideration of the convenience of users

Takuya Matsuhira, Yoshiya Kasahara, and Yoshihiro Takata (Kanazawa University, Japan); Motonori Nakamura, Kazu Yamaji, and Takeshi Nishimura (National Institute of Informatics, Japan)

We have integrated the authentication infrastructure of Kanazawa University into a single sign-on system, KU-SSO (Kanazawa University Single Sign-On), which is based on Shibboleth and has been in full-scale operation since March 2010. Currently 28 information systems have been Shibbolized. All SPs of KU-SSO permit access from the campus network, but many of them do not permit access from outside the campus network, because the KU-SSO IdP authenticates users by password only. We therefore considered it necessary to introduce multi-factor authentication. In general, however, multi-factor authentication takes more time than password authentication, and users who do not have the required possession (a smartphone, an IC card, and so on) cannot authenticate at all, so it is difficult to replace password authentication with multi-factor authentication completely. We therefore designed a mechanism that does not always require multi-factor authentication but requires it only under specific conditions. We have developed an "authentication method selection mechanism", by which the IdP presents one of several authentication methods depending on what the SP requests, and have implemented it as a plug-in for the Shibboleth IdP. With this mechanism, SPs for which the current authentication level is sufficient are served by password authentication (Level 1), and SPs that require a higher level are served by multi-factor authentication (Level 2 and above). In addition, an SP can require different authentication methods depending on the IP address of the user. Furthermore, once a user has succeeded in a high-level authentication, a subsequent request for low-level authentication from another SP is treated as single sign-on.
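The selection policy the abstract describes (per-SP level, a different level depending on whether the client is on the campus network, and single sign-on when an already achieved level covers a later, weaker request), written out as an added Python illustration. This is constructed for this page and is not the KU-SSO Shibboleth IdP plug-in; the level numbering beyond "Level 1 = password, Level 2 = multi-factor", the method names, the campus prefixes (documentation ranges) and the three SP policies are all assumptions.

```python
"""Authentication-level selection policy of the kind the abstract describes.

Constructed illustration; this is not the KU-SSO Shibboleth IdP plug-in.
Assumed: Level 1 = password, Level 2 = multi-factor; campus prefixes are
documentation ranges, not real ones; the SP policies are invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PASSWORD = 1       # Level 1
MULTI_FACTOR = 2   # Level 2 (assumed: password plus a possessed token)

# Method the IdP presents for each level (names are assumptions)
METHOD_FOR_LEVEL = {PASSWORD: "password", MULTI_FACTOR: "password+token"}

# Constructed campus ranges (documentation prefixes, not Kanazawa's)
CAMPUS_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


@dataclass(frozen=True)
class SPPolicy:
    """Level an SP demands from inside and from outside the campus network.
    None means the SP does not accept access from that location at all."""
    entity_id: str
    inside_level: Optional[int]
    outside_level: Optional[int]


@dataclass
class Session:
    """IdP session state: the highest level the user has authenticated at
    so far (0 = not yet authenticated)."""
    user: str
    level: int = 0

    def record_success(self, level: int) -> None:
        # A later, weaker authentication must never lower the achieved level.
        self.level = max(self.level, level)


def is_on_campus(client_ip: str) -> bool:
    """True if the client address falls inside one of the campus prefixes.
    client_ip must be the address of the TCP peer (or one reported by a
    trusted reverse proxy), never an unverified X-Forwarded-For header."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in CAMPUS_NETWORKS)


def required_level(policy: SPPolicy, client_ip: str) -> Optional[int]:
    return policy.inside_level if is_on_campus(client_ip) else policy.outside_level


def select_method(policy: SPPolicy, client_ip: str,
                  session: Session) -> Tuple[str, object]:
    """Decide what the IdP does for an SP request.

    Returns one of
      ("deny", None)             SP forbids access from this location
      ("sso", achieved_level)    existing session already meets the level
      ("authenticate", method)   user must perform this method now
    Step-up only: a Level 1 session never satisfies a Level 2 request.
    """
    need = required_level(policy, client_ip)
    if need is None:
        return ("deny", None)
    if session.level >= need:
        return ("sso", session.level)
    return ("authenticate", METHOD_FOR_LEVEL[need])


# Invented SPs for the demonstration
WIKI = SPPolicy("https://wiki.example.ac.jp/shibboleth", PASSWORD, PASSWORD)
PAYROLL = SPPolicy("https://payroll.example.ac.jp/shibboleth", PASSWORD, MULTI_FACTOR)
LEGACY = SPPolicy("https://legacy.example.ac.jp/shibboleth", PASSWORD, None)

if __name__ == "__main__":
    off_campus, on_campus = "203.0.113.7", "192.0.2.25"
    alice = Session("alice")
    print(select_method(PAYROLL, off_campus, alice))  # ('authenticate', 'password+token')
    alice.record_success(MULTI_FACTOR)
    print(select_method(WIKI, off_campus, alice))     # ('sso', 2): Level 2 covers a Level 1 SP
    bob = Session("bob")
    bob.record_success(PASSWORD)
    print(select_method(PAYROLL, on_campus, bob))     # ('sso', 1)
    print(select_method(PAYROLL, off_campus, bob))    # ('authenticate', 'password+token')
    print(select_method(LEGACY, off_campus, bob))     # ('deny', None)
```

Two points the example makes explicit that the abstract leaves implicit: the session records the highest level achieved and is never lowered by a later password-only login, so the single sign-on rule only ever steps down from a stronger authentication to a weaker requirement, never the reverse; and the "IP address of the user" has to be the address the IdP actually sees on the connection (or one supplied by a proxy the IdP trusts), because an address-dependent level is only as strong as the address is trustworthy.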
