Questions for IdPs
Suggestion: for each area, ask IdPs to rate themselves:
- Already implemented.
- Could implement with small amount of manpower.
- Could implement with significant manpower.
- Could implement with low-cost system changes.
- Could implement with high-cost system changes.
- Would not get approval to make this change (please explain why).
1. Identity/account concept
- Is each account for an individual person (i.e. there are no shared accounts)?
- If shared: possible to distinguish between individual and shared accounts?
- If individual account: traceable? Are identifiers persistent?
- Which unique identifier?
2. Registration and proof of identity
- What identity vetting process is used? Face-to-face or otherwise?
- Is the process documented?
- Does validation differ between students, staff and faculty members? How?
3. Online authentication
- Passwords?
- Passwords with quality guarantees? What kind of guarantees?
- Two-factor authentication?
- If yes, which second factor? Is the eID used?
- If no two-factor authentication: how large would the cost of providing two-factor authentication be?
4. Freshness of user data
- Are accounts closed as an individual departs? How promptly?
- Is the eduPersonAffiliation value updated as an individual departs? How promptly?
5. Step-up authentication
Step-up authentication means that the user first authenticates with a password, and subsequently with a second factor (such as a one-time password delivered to their mobile phone).
- Would you like GÉANT or your NREN to run such a service (at a cost / free of charge)?
- How many users would need such a service?
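The step-up flow described above, worked through as an added example (not part of the survey): a password check yields a level-1 session, and a valid RFC 6238 one-time password raises it to level 2, which a service can then require. The user "alice", her password and the salt are constructed; the TOTP seed is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample account: PBKDF2 password hash plus the shared TOTP seed (RFC 6238 test secret).
SALT = b"constructed-salt"
SEED = b"12345678901234567890"
PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", SALT, 100_000)
USERS = {"alice": {"pw_hash": PW_HASH, "totp_seed": SEED}}

def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Session:
    user: str
    level: int = 0  # 0 = anonymous, 1 = password only, 2 = password + second factor

def login_password(user: str, password: str) -> Optional[Session]:
    """First factor: verify the password and issue a level-1 session."""
    rec = USERS.get(user)
    if rec is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(rec["pw_hash"], candidate):
        return None
    return Session(user=user, level=1)

def step_up(session: Session, code: str, at: Optional[int] = None) -> bool:
    """Second factor: accept the OTP for the current or an adjacent 30 s step and raise to level 2."""
    if session.level < 1:  # no password yet: the second factor alone never counts
        return False
    at = int(time.time()) if at is None else at
    seed = USERS[session.user]["totp_seed"]
    for skew in (-1, 0, 1):  # tolerate one step of clock drift either way
        if hmac.compare_digest(totp(seed, at + 30 * skew), code):
            session.level = 2
            return True
    return False

def allowed(session: Session, required_level: int) -> bool:
    """A service needing the second factor asks for level 2; password-only services for level 1."""
    return session.level >= required_level
```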
6. Provenance and level of assurance
- Do you use a level of assurance? Which one?
- Is the LoA self-asserted?
- Is everything documented?
- If not documented: what would documenting it cost?
- Internal audits?
- External audits?
- If no audits: what would audits cost?
- How many users need a (higher) level of assurance?
- Identity Management Practice Statement?
Results
Survey
Insights
- Nick Roy: At Iowa, at one point, I had estimated about USD 2 million and 2,000 hours of staff time across pretty much all of IT to get rid of NTLMv2, and at the time, it would have broken things like printers and network-connected storage with no good replacement solution. Warren Curry got pretty far down the authentication remediation road and I think had to back out due to some of the issues above. I think U. Chicago is still working on achieving Silver, but with a second factor. To date, only Virginia Tech (Mary Dunker) has achieved Silver, and only because they already had multi-factor hardware cryptographic tokens deployed.
- Tom Barton: 1 year to get an auditor who knows about identity management