The AARC and GEANT GN4 projects are studying the Level of Assurance (LoA) requirements of Service Provider (SP) communities (such as research infrastructures/communities, e-infrastructures and research centres). The survey results will serve the future development of federated authentication and authorisation in the set-up where an end user's Home Organisation (e.g. the university or research institute employing the researcher) issues the authentication credentials to the user and authenticates him/her. The survey results will be published.
1. Introduction to LoA
Narrowly speaking, LoA for user authentication covers two things:
- Identity vetting: how an end user demonstrates his/her identity at the time s/he receives the authentication credential from his/her Home Organisation (e.g. by presenting a government photo-ID face-to-face at a registration desk, or by self-registration on-line)
- Authentication: how an end user proves his/her identity to his/her Home Organisation's Identity Provider (IdP) server when s/he logs in (e.g. a password, or multi-factor authentication with a certificate or token)
More broadly, LoA can also cover, for example:
- management of credentials (e.g. delivery of credentials to their holder, revocation of credentials)
- information security management of the Home Organisation
- audits of the Home Organisation
Some also count in:
- quality and freshness of user attributes (self-asserted by the user, or vetted by the Home Organisation)
- Home Organisation's ability and willingness to populate and release the attributes to the SPs
...
2. Questions on the research infrastructures/communities
...
- researchers with a Home Organisation (that operates or potentially operates an IdP)?
- citizen scientists?
- students with a Home Organisation (that operates or potentially operates an IdP)?
- else/what?
If you are a research community
- is affiliation of a researcher (user) with your community typically longer lived than any organizational affiliation or employment, or does community membership stem primarily from organizational affiliation?
- do you also consider yourself a source of (identity) assurance for your community members?
3. Questions on Identity and Authentication
...
- all user identities (accounts in the Home Organisation) belong to an individual person (i.e. there are no shared accounts like "libraryuser1", and any robot/automated agent is traceable to a named person)?
- and all users are traceable (i.e. the Home Organization knows who they are and can reach them)?
- and the Home Organisation is willing to collaborate with you if you think their user misbehaves in your service?
- and that you (as an SP) can block him/her from your service?
...
- the Home Organisation has a documented identity vetting process (whatever it is) in English, and you can study it?
- each Home Organisation has a machine-readable tag that indicates how the organisation carries out identity proofing, and the tag comes from a well-defined international vocabulary?
- each user in a Home Organisation has the above tag, and different end users in the same organisation can have different tags (depending on how their identity was initially proofed)?
- the identity proofing is done face-to-face based on a government photo-ID or equivalent?
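The two questions above (an organisation-wide identity-proofing tag versus a per-user tag) and the step-up authentication raised in section 3.4 imply an access-control decision that an SP would have to implement. The following is an added example, not part of the survey or of any AARC/GEANT software, of such a decision function. The tag vocabulary (`urn:example:...` URIs), the ordering of proofing levels, the `Policy`/`Decision` types and the rule that a per-user tag overrides the organisation default are all assumptions made for illustration; a real deployment would use a published assurance vocabulary.

```python
# Added example (not from the AARC/GEANT survey): an SP-side check that
# turns assurance tags into an allow / step-up / deny decision.
# All URIs below are constructed placeholders, not a real vocabulary.
from dataclasses import dataclass
from typing import Iterable

# Constructed ladder of identity-proofing tags, weakest first.
ID_PROOFING_LADDER = [
    "urn:example:assurance:id:self-asserted",      # self-registration on-line
    "urn:example:assurance:id:remote-vetted",      # vetted remotely, e.g. document copy
    "urn:example:assurance:id:in-person-photo-id", # face-to-face with government photo-ID
]
# Constructed tag asserted by the IdP when the current login used multi-factor authentication.
AUTHN_MFA = "urn:example:assurance:authn:mfa"


@dataclass(frozen=True)
class Policy:
    """What the SP requires for a given resource (hypothetical type)."""
    min_proofing: str            # a value from ID_PROOFING_LADDER
    require_mfa: bool = False


@dataclass(frozen=True)
class Decision:
    outcome: str                 # "allow", "step-up" or "deny"
    reason: str


def proofing_rank(tags: Iterable[str]) -> int:
    """Rank of the strongest proofing tag present; -1 if none. Unknown tags are ignored."""
    ranks = [ID_PROOFING_LADDER.index(t) for t in tags if t in ID_PROOFING_LADDER]
    return max(ranks, default=-1)


def effective_proofing_rank(user_tags: Iterable[str], org_tags: Iterable[str]) -> int:
    """Assumption: a per-user tag wins; the organisation-wide tag is only a default."""
    rank = proofing_rank(user_tags)
    return rank if rank >= 0 else proofing_rank(org_tags)


def evaluate(policy: Policy, user_tags: Iterable[str], org_tags: Iterable[str],
             authn_tags: Iterable[str]) -> Decision:
    """Decide access for one login.

    user_tags  - assurance tags released about this user
    org_tags   - assurance tags published for the user's Home Organisation
    authn_tags - tags describing the authentication event just performed
    """
    have = effective_proofing_rank(user_tags, org_tags)
    need = ID_PROOFING_LADDER.index(policy.min_proofing)
    if have < 0:
        return Decision("deny", "no identity-proofing tag from user or Home Organisation")
    if have < need:
        # Identity proofing happened at registration time; it cannot be raised at login.
        return Decision("deny", f"identity proofing too weak: "
                                f"{ID_PROOFING_LADDER[have]} < {policy.min_proofing}")
    if policy.require_mfa and AUTHN_MFA not in set(authn_tags):
        # Authentication strength can be raised now, e.g. via a step-up service.
        return Decision("step-up", "resource requires multi-factor authentication")
    return Decision("allow", "identity proofing and authentication meet policy")


if __name__ == "__main__":
    # Constructed sample: user with a per-user in-person tag, org default remote-vetted,
    # password-only login against a policy that wants MFA.
    policy = Policy(min_proofing="urn:example:assurance:id:remote-vetted", require_mfa=True)
    d = evaluate(policy,
                 user_tags={"urn:example:assurance:id:in-person-photo-id"},
                 org_tags={"urn:example:assurance:id:remote-vetted"},
                 authn_tags=set())
    print(d.outcome, "-", d.reason)
```

The distinction the code makes is the one the survey questions circle around: a shortfall in identity proofing is decided at registration and can only be denied, whereas a shortfall in authentication strength can be remedied in the session by a step-up.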
...
- Is password-based authentication good enough for you?
- Or should passwords have some kind of quality floor? (What kind of quality floor?)
- Do you need two-factor authentication? (What kind?) Are you willing to share its costs?
3.4. Step-up authentication as a service
...
In larger universities the IdP/IdM gathers users' attributes from several registries (payroll system, CRIS (current research information system), student registry) with varying data quality. Some attributes can even be self-asserted by the user him/herself.
...
- Is it enough for you that a Home Organisation self-asserts that it complies with a certain LoA level?
- Should some external body have some enforcement rights (e.g. the home identity federation can remove the "compliant" tag from a Home Organisation if there are doubts that it meets its LoA level)?
- Are internal periodic self-assessments needed? Should these be reviewed (or open to review) by e.g. the home identity federation or federation peers?
- Are internal audits needed where the auditors are from an independent organisational unit?
- Are external audits needed? Are you willing to share their costs?
...