Introduction to the Framework and Background on Authentication
Note to the Reader:
This draft paper is being authored by Barry Ribbeck at Rice University
and Ann West of EDUCAUSE/Internet2. Please send comments and suggestions
to authnframework-comments@internet2.edu.
This Enterprise Authentication Implementation
Framework provides a structure and process which higher-education
institutions can use to develop their own dynamic planning process
or, more simply, a roadmap. In this document, we have included three
sections that define terms and provide an introduction to identity
and privilege management, the context for our collective thinking
on this subject. Topics on this page include:
How to Use This Framework
Take a look at the Venn diagram above, labeled with the three factors
of Policy and Governance, Technology, and Ability to Implement, and
the overlapping Crossroads section. Clicking on any one of these
areas presents an overview of that section. Associated with each
ellipse, and presented on the same color background, are separate
topical papers that address specific issues in more detail.
Above the diagram are audience-tailored
tabs that were written by higher-ed leaders in that specific field
and present the roles and responsibilities of that function within
this new campus-wide context of viewing authentication. That section
also provides a specific list of the most important areas to review,
when perusing the Framework. To return to this Introduction page,
click on the Introduction tab.
If this is your first visit, we suggest
you become familiar with the authentication roadmap definition and
identity and privilege management process described below and then
click on the Crossroads section in the middle of the Venn diagram
above. This section presents the overview of the overlapping issues
and describes the process for developing your own step-by-step authentication
roadmap. Keeping these items in mind, please explore further.
What is an Authentication Roadmap?
An authentication roadmap is a dynamic
plan: a sequence of decisions and implementation steps. It is primarily
a functional plan whose technology, process, and policy
components intersect at appropriate points. Items scheduled
for the next year may be well detailed, while those farther out may be
sketched only as intentions, such as "after
we finish the core authentication service, we need to start looking
at two-factor authentication." The roadmap is therefore a short-term plan
fading into a longer-term one that includes the requirements of
the three components and demonstrates how they inter-relate and
intersect. It also includes governance involvement in gathering
and vetting the requirements and in creating the policy that supports
the roadmap. (See the University of Wisconsin-Madison
Roadmap for an example.) It is shaped by an understanding of
local culture and the constraints and opportunities it provides,
and is usually a mix of the current situation and desired changes.
The roadmap should also be flexible
enough to allow re-weighing any requirement's contribution to the
overall solution without requiring a re-engineering of the processes.
It should not be a list of technologies and products, but rather
a description of the preferred behaviors that the various constituencies
(e.g., users, sysadmins, auditors) would see from the authentication
system. It would say, "if we have a choice, we'd rather take
these approaches." This would provide individual project teams
with short-term and long-term guidance when they make decisions
regarding identity management services.
Introduction to the Identity and Privilege Management Process
A few key concepts and definitions
of the identification / registration / authentication / authorization
space should be addressed first.
Identification is the term
generally used to define the process by which information about
a person is gathered and used to provide some level of assurance
that the person is who she claims to be. Generally, this identity
verification takes place within the office that first encounters
the individual (Human Resources or Student Services). Furthermore,
this is the point where the person would be given one or more roles,
depending on their intended relationship with the institution, which
govern what they are authorized to do or access (see Authorization
below). It is strongly advised that those who manage the authentication
systems understand the processes used to identify and vet people
before they are added to the source systems.
Registration is the process
whereby a person is given (or accepted as in the case of biometric
methods) her credentials that she can then use to authenticate.
Credentials comprise an identifier or identity token and a shared
agreement and process (possibly including a hardware token and/or
shared secret) for use later to verify identity. It is important
for institutions to establish rules that govern the processes used
by the department or office that assigns and distributes credentials.
Once the identity information is
gathered and validated to the degree required for the level of assurance
needed for a specific role, an identity from the institution may
be generated that can be used to authenticate the users to various
systems. This would constitute the provisioning aspect of an identity
management system and is the connection point between identity management
and the authentication system.
Depending on the security requirements
and the role(s) the person will assume, this verification process
can vary widely. All identity tokens have similar characteristics
and serve to associate the person in question with an object in
the authentication system(s). See Identifiers,
Authentication, and Directories: Best Practices for Higher Education
for more information about identifier characteristics.
Authentication is
the act of validating that an individual producing an identifier
(such as a userid) is the one to whom the identifier was assigned
in the registration process. This generally takes one of three forms:
1) something the person knows, like a password; 2) something the
entity carries, like an identity card; or 3) some physical attribute
of the entity, like a fingerprint. Authentication does not imply
access, so additional processes must take place to ensure appropriate
access controls.
Authorization is the
process of allowing an individual to access resources based on business
rules. Once the roles are assigned and an electronic identifier
(generally a userid or netid) has been associated with a person,
additional information can be gleaned from one or more source systems
and may be used to support authorization in addition to role. Authorization
source data have different characteristics than authentication data:
they can, and are expected to, change over time, reflecting the person's
change in position, major, or student status, to name a few.
In summary, identification, registration, authentication, and authorization
are distinct processes that should be tightly linked and
controlled in order to have a trusted and robust identity and privilege
management system. Understanding the underlying processes and the
differences between them is critical to managing these types
of integrated systems.
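As an added illustration (not part of the original paper), the following constructed Python model keeps the four processes defined above separate: identification vets a person and assigns a netid and roles, registration issues a credential only to a vetted identity, authentication verifies the shared secret and says nothing about access, and authorization applies business rules to role and source-system data that change over time. All names (Person, identify, register, authenticate, authorize, RULES) are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed toy model of the four processes the framework keeps separate; all names are hypothetical.
@dataclass
class Person:
    netid: str                 # identifier assigned at identification
    assurance: int             # level of assurance established when the person was vetted
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)  # source-system data; changes over time

IDENTITY_SOURCE = {}   # output of identification: netid -> Person (the source system)
CREDENTIALS = {}       # output of registration: netid -> (salt, derived secret)

def identify(netid, assurance, roles):
    """Identification: vet the person, assign a netid and initial role(s)."""
    IDENTITY_SOURCE[netid] = Person(netid, assurance, set(roles))
    return IDENTITY_SOURCE[netid]

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(netid, password):
    """Registration: issue a credential (identifier plus shared secret) to a vetted identity only."""
    if netid not in IDENTITY_SOURCE:
        raise KeyError("registration requires a vetted identity")
    salt = os.urandom(16)
    CREDENTIALS[netid] = (salt, _derive(password, salt))

def authenticate(netid, password):
    """Authentication: does the presenter hold the secret bound to this netid? Says nothing about access."""
    rec = CREDENTIALS.get(netid)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _derive(password, salt))

# Business rules: role plus current source-system attributes plus required assurance.
RULES = {
    "grades": lambda p: "student" in p.roles and p.attributes.get("status") == "enrolled",
    "payroll": lambda p: "staff" in p.roles and p.assurance >= 2,
}

def authorize(netid, resource):
    """Authorization: evaluate the business rule against the person's current data."""
    person = IDENTITY_SOURCE.get(netid)
    return person is not None and RULES[resource](person)
```

A successful authenticate() call never changes the authorize() result; only the person's roles, attributes, or assurance level do.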
Revision 1.0, December 14, 2004