Re-Verification of User Identities Acquired from Shibboleth


(DRAFT - 6/29/2004 - DW)

One of the issues that has been identified by UC's federated authentication project is the distinction between business and personal applications that may be accessed by someone who has been identified by Shibboleth and a campus's "single sign-on" (SSO) system.  While not always the case, the types of transactions executed by personal applications (e.g., changing one's insurance beneficiaries or displaying tax withholding information) often require a greater degree of protection than business transactions (e.g., making a low-value purchase or reserving a conference room).

This document deals with two areas where work is needed to assure this protection:
  1. UC must set policy standards for campus identity management so that we create a federated infrastructure that can be trusted by arbitrary applications as a source of reliable identity information.  Recommendations for these standards will be one of the outcomes of this project.

    For our pilot project, UC For Yourself (UCFY) and Your Benefits Online (YBO) will verify the campuses' identity management processing by re-registering people the first time they connect via a campus's Origin.  Once standards are in place, though, we do not expect future applications to require these additional checks.

  2. For business applications, it is common practice for a campus to require re-verification of logins only once every few hours to a day.  On the other hand, banks and credit card companies typically time sessions out after a few to several minutes.  They will allow one to browse information that is not personal, but they require a new login before performing "dangerous" operations, such as transferring money among accounts.

    UC's personal applications, such as UCFY and YBO, have much in common with those provided by financial institutions with respect to the protections they must provide.  Because of this, we believe it is appropriate for applications of this kind to perform special identity checks (often called "multi-factor authentication") before performing a dangerous operation.  These issues will be considered as part of the planned integration of UCFY and YBO.

    For our pilot project, however, we face the issue that the first screen displayed after entry from Shibboleth will contain personal information from UCFY, and per-operation control over "dangerous" operations would be difficult to implement.  Because of this, the plan is to prompt the user for the UCFY/YBO PIN on every entry until the UCFY/YBO redesign has been completed.
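The three session rules described under item 2 (a business-style lifetime for the SSO login, a fresh verification within minutes before any dangerous operation, and the pilot's PIN prompt on every entry) can be expressed as one access decision that an application checks before rendering a screen or executing a transaction. The following Python is an added illustration and is not part of this draft or of the UCFY/YBO code; the eight-hour and five-minute thresholds, the operation names, the `Session`/`Operation` types and the reason strings are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Illustrative thresholds (assumptions, not UC policy): a business-style
# session lives for hours; a dangerous personal operation needs a
# verification that happened within the last few minutes.
BUSINESS_SESSION_MAX_AGE = timedelta(hours=8)
DANGEROUS_OP_MAX_VERIFY_AGE = timedelta(minutes=5)

# Constructed reference time for the demo and tests.
T0 = datetime(2004, 6, 29, 9, 0, tzinfo=timezone.utc)


def minutes(n: float) -> timedelta:
    return timedelta(minutes=n)


@dataclass
class Session:
    user_id: str
    sso_login_at: datetime                       # campus SSO / Shibboleth login time
    pin_verified_at: Optional[datetime] = None   # last application-level PIN check


@dataclass(frozen=True)
class Operation:
    name: str
    dangerous: bool   # e.g. changing beneficiaries (True) vs. reserving a room (False)


def record_pin_verification(session: Session, now: datetime) -> None:
    """Called only after the user has successfully entered the application PIN."""
    session.pin_verified_at = now


def access_decision(session: Session, op: Operation, now: datetime,
                    pilot_mode: bool = False) -> Tuple[bool, str]:
    """Decide whether `op` may proceed on `session` at time `now`.

    Returns (allowed, reason). A False result means the application must
    re-verify the user (re-login or PIN prompt) before continuing.
    """
    # 1. The SSO login itself ages out on the business-application schedule.
    if now - session.sso_login_at > BUSINESS_SESSION_MAX_AGE:
        return False, "sso-session-expired"
    # 2. Pilot rule: the PIN is demanded on every entry, before any screen,
    #    because the first UCFY screen already shows personal data.
    if pilot_mode and session.pin_verified_at is None:
        return False, "pin-required-on-entry"
    # 3. Non-dangerous browsing needs nothing further.
    if not op.dangerous:
        return True, "ok"
    # 4. Dangerous operations need a recent verification, financial-site style.
    if session.pin_verified_at is None:
        return False, "pin-required-for-dangerous-op"
    if now - session.pin_verified_at > DANGEROUS_OP_MAX_VERIFY_AGE:
        return False, "pin-stale-for-dangerous-op"
    return True, "ok"


def demo() -> List[Tuple[str, bool, str]]:
    """Walk one constructed session through the rules; returns (step, allowed, reason)."""
    browse = Operation("view-campus-news", dangerous=False)
    change = Operation("change-beneficiaries", dangerous=True)
    s = Session("user-1", sso_login_at=T0)
    steps = []
    steps.append(("browse, no pin", *access_decision(s, browse, T0 + minutes(1))))
    steps.append(("browse, pilot", *access_decision(s, browse, T0 + minutes(1), pilot_mode=True)))
    steps.append(("change, no pin", *access_decision(s, change, T0 + minutes(1))))
    record_pin_verification(s, T0 + minutes(1))
    steps.append(("change, fresh pin", *access_decision(s, change, T0 + minutes(3))))
    steps.append(("change, stale pin", *access_decision(s, change, T0 + minutes(10))))
    steps.append(("browse, old sso", *access_decision(s, browse, T0 + minutes(9 * 60))))
    return steps


if __name__ == "__main__":
    for step, allowed, reason in demo():
        print(f"{step:20s} -> {'allow' if allowed else 're-verify'} ({reason})")
```

The order of the checks matters: the SSO lifetime is tested first so that an expired campus login is never rescued by a recent PIN, and the pilot rule is tested before the dangerous-operation rule so that a new entry is challenged before the personal first screen is shown at all. `pin_verified_at` is only ever set by `record_pin_verification`, which an application should call solely on a successful PIN check, never on the prompt being displayed.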