Evolution of User Authentication Practices: Moving Beyond IP Filtering

IP Filtering is Obsolete
Where do we go from here?
Rich Wenger, E-Resource Systems Manager
MIT Library
Page 2: TOC
- In the beginning…
- The march of technology
- Playing games
- Two broad goals
- A way forward

Page 3: In the beginning…
- Early days of the internet
- No portable devices
- Static IP addresses
- Unspoken assumptions

Page 4: The march of technology
- Portable PCs, laptops, tablets, smart phones
- DHCP – non-static IP addresses
- Off-campus users

Page 5: Playing games
- Virtualization at multiple levels
- Pretending that nothing had changed
- VPN and proxy servers

Page 6: Bottom line
The assumption that an IP address = a physical location = an authenticated, authorized user is false.
IP filtering is about where a user is (which is completely obscured by proxy servers and VPNs), not who the user is.

Page 7: Bottom line
IP filtering
- Conflates IP address with location and identity.
- Creates proprietary portals, the opposite of modern Discovery practices.
- Is a maintenance nightmare.
- Is unsecure and easily exploitable.
“Without IP filtering, Scihub could not exist”*
* Atypon presentation on Piracy at SSP conference in Boston, June 2017

Page 8: Two areas of concern
We need to:
- Improve the user experience.
- Respond to the security problems.

Page 9: Improving the user experience
- The point of referral for authentication must be located at the providers’ sites, not in our portals.
- Affiliation defaults must be preserved across browser sessions.
- All devices must be robustly supported.

Page 10: Security
We need to:
- Focus on who the patron is, not where they are.
- Use institutional credentials.
- Arrest the proliferation of resource-specific userids and passwords.
- Support SSO across all devices.

Page 11: A way forward
Federated Identity Management, robustly implemented by providers and subscribers.
- SAML-based systems (ex. Shibboleth, OpenAthens, etc.)
- Federated metadata.
- Authentication referral at the point of need.
- Use of institutional credentials.
- Support for affiliation at multiple institutions.

Page 12: FIM
- FIM has been available for many years, but its uptake has been halting and sporadic.
- Providers and subscribers were/are each waiting for the other to take the initiative.
- SAML-based systems are becoming ubiquitous, but the quality of implementations varies widely.

Page 13: RA21 Initiative
RA21, a convergence of efforts by:
- STM: Scientific, Technical, and Medical publishers
- PDR: Pharma Documentation Ring
- URA: Universal Resource Access

Page 14: RA21 Initiative
RA21
- SAML-based Federated ID Management.
- Authentication at the point of need.
- Collaboration on a set of recommended best practices for providers and subscribers.
- Open process.

Page 15: RA21
Addresses issues important to academic libraries
- Privacy
- Walk-ins
- Protection of personally-identifying history and usage data
- Uneven quality of some providers’ SAML implementations

Page 16: RA21
Improved user experience
- Authentication at the point of need
- Single Sign On (SSO)
- Comprehensive device support
- Support for multiple institutional affiliations

Page 17: RA21
Simplified technical environment
- More granular control
- Federated metadata
- No need to maintain IP ranges with providers
- Reduced dependence on proxy servers

Page 18: RA21
Challenges
- Gaining library management’s attention to this issue
- Getting buy-in and support from campus IT
- Resisting fragmentation of effort

Page 19: RA21 Participants
- Steering Committee
- Participants

Page 20: Case study
Improve the user experience of students and researchers
https://scholarlykitchen.sspnet.org/2015/11/13/dismantling-the-stumbling-blocks-that-impede-researcher-access-to-e-resources/

Page 21: A way forward
- A goal to work toward, NOT an abrupt change
- Dual stack support for the foreseeable future
- Libraries need to get involved
If we do this carefully and well, it should be minimally disruptive to users.
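As an added illustration of the deck's central argument (pages 6, 11 and 21), not code from the presentation or from any RA21, MIT or provider system: the Python below contrasts an IP-range check, which only decides where a request appears to come from (a campus proxy or VPN makes every relayed user look in-range), with a check on the eduPersonScopedAffiliation attribute of a SAML assertion, which decides who the user is, and shows the dual-stack fallback the deck recommends for the transition. The 192.0.2.0/24 range, the proxy address, the scope example.edu and the unsigned assertion fragment are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed assumptions: a licensed campus range from the RFC 5737 documentation
# block, with a campus proxy server sitting inside it.
CAMPUS_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
LIBRARY_PROXY_IP = "192.0.2.10"
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCOPED_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation
LICENSED_ROLES = {"member", "student", "faculty", "staff", "employee"}

def ip_filter_decision(client_ip: str) -> bool:
    """IP filtering: authorize on WHERE the request appears to come from. Anything relayed
    through the campus proxy or VPN arrives in-range, so the provider learns nothing about who is behind it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in CAMPUS_RANGES)

def affiliations_from_assertion(assertion_xml: str) -> set[str]:
    """Read eduPersonScopedAffiliation values out of a SAML 2.0 AttributeStatement.
    Signature, audience and validity checks are assumed done upstream by the SP software."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == SCOPED_AFFILIATION:
            values.update((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", SAML_NS))
    return values

def federated_decision(assertion_xml: str, licensed_scopes: set[str]) -> bool:
    """Federated model: authorize on WHO the user is (a licensed role at a subscribing
    institution's scope), independent of the source address."""
    for value in affiliations_from_assertion(assertion_xml):
        role, _, scope = value.partition("@")
        if role in LICENSED_ROLES and scope in licensed_scopes:
            return True
    return False

def dual_stack_decision(client_ip, licensed_scopes, assertion_xml=None) -> bool:
    """Transition period: use the federated assertion when one is presented,
    otherwise fall back to the legacy IP check."""
    if assertion_xml is not None:
        return federated_decision(assertion_xml, licensed_scopes)
    return ip_filter_decision(client_ip)

# Constructed, unsigned assertion fragment for illustration only.
CONSTRUCTED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement><saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
<saml:AttributeValue>student@example.edu</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
```

Note that the proxy's address passes the IP check for whoever reaches the proxy, while the federated check passes only for a licensed affiliation at a subscribing scope, whatever the address.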
Page 22: Finis
Rich Wenger
rwenger@mit.edu
Phone 617-253-0035
The article explores the obsolescence of IP filtering in user authentication, highlighting the challenges posed by evolving technology and the limitations of IP-based authentication methods. It discusses the shift towards improving user experience and addressing security concerns by focusing on user identity rather than physical location. The need for modern authentication practices, such as institutional credentials and single sign-on solutions, is emphasized to enhance security and convenience for users accessing online resources.

  • User Authentication
  • Technology Evolution
  • Security Concerns
  • Modern Practices

Uploaded on Sep 22, 2024
