Campus Explores Password Technology
Common Authentication System in the Works
UC Davis is looking into making it easier for computer users to manage their multiple Login IDs and passwords. As computer usage continues to expand, so does the number of ways users identify themselves with various kinds of passwords as they enter an array of available computer applications. “Keeping login secure and user passwords straight should be as simple and efficient as possible,” says Robert Ono, IT Security Coordinator for UC Davis.
Who Are You? What Are You Allowed to Do?
Since the early days of computing, operating system and application developers have struggled with providing methods to permit or deny user access to computer and network resources. The process consists of two steps – authentication and authorization. Authentication is the verification of an identity credential (often a password) supplied by an end-user. For example, upon logging on to a system, authentication is the process of asking a person to identify herself or himself with a username and password. Next, the authorization process determines which features the person is allowed to access, based on his or her authenticated identity. For instance, in the campus Web portal, MyUCDavis, each user is authorized to see certain features based on his or her role on campus (instructors see course management tools, students see course registration options, etc.).
Making Login Easy with Common Authentication Services
Given that many applications require some sort of authentication, it is to the advantage of both users and the campus to support common authentication services, since they simplify the process altogether. “Common authentication services would make it possible for technologists to weave multiple systems so users see fewer kinds of login prompts and need to remember fewer passwords,” says Ono. Otherwise, we would all have to carry around a notebook storing the long list of each and every one of our user accounts and passwords. Not only would a common authentication service make logins easier, it could also ease other authentication processes, such as the one used to grant physical access to buildings.
The New Business Architecture (NBA) initiative of the University of California also recognizes the value of a single process for Web-based authentication. In recognition of the need to support common authentication services and the NBA vision, Information and Educational Technology (IET) initiated a project to develop a common authentication strategy for the campus computing environment.
During the spring and fall of 2002, the project members met with technology specialists throughout the UC Davis community and with leading vendors of authentication technology. The discussions led to the formation of a list of long-term requirements necessary for UC Davis to fully support common authentication services. The project team was also able to examine alternative ways for the campus to meet these requirements.
Stronger Passwords Have Priority
In the December final report, the project team recommended the continued expansion of the campus Web-based authentication system, known as Distauth. The team specifically recommended that the expansion efforts include the development and support of authentication levels. In addition to regular passwords, some systems require hard tokens (a series of number combinations entered into and retrieved from a calculator-like device) or biometric identification (a digital scan of a user’s fingerprint, iris, or vocal timbre).
Under the proposed approach, use of a stronger credential, such as a hard token, could be accepted for the applications that require a lower level of authentication, such as a password. Thus, users would have to bother with only one mechanism for all the computing applications they sign in to.
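The two-step process described earlier (authentication, then role-based authorization) and the ordered authentication levels proposed above can be modelled in a few dozen lines. The following Python is an added illustration, not code from the article, from Distauth, or from any UC Davis system; the users, roles, salt, token secret and feature requirements are all constructed sample data, and the hard-token check is a stand-in for a real one-time-password device.

```python
"""Added example (not part of the original article or any campus system):
authentication yields a session tagged with the assurance level the credential
earned; authorization then checks both that level and the user's role. Because
levels are ordered, a hard-token login satisfies any feature that only asks for
a password, which is the "one mechanism for all applications" idea."""

from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
import hashlib
import hmac


class Level(IntEnum):
    """Ordered assurance levels: a higher value satisfies any lower requirement."""
    PASSWORD = 1
    HARD_TOKEN = 2
    BIOMETRIC = 3


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    level: Level


_SALT = b"constructed-salt"  # constructed; a real store uses a per-user random salt


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the directory never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user directory: password hash plus the role each person holds.
USERS = {
    "prof_ada": {"pw": _hash_pw("correct horse", _SALT), "role": "instructor"},
    "stu_babbage": {"pw": _hash_pw("battery staple", _SALT), "role": "student"},
}

# Constructed hard-token secrets (stand-in for a real OTP device's seed).
TOKEN_SECRETS = {"prof_ada": b"token-secret-ada"}


def token_code_for(user: str) -> str:
    """What the (constructed) token device would display for a fixed challenge."""
    return hmac.new(TOKEN_SECRETS[user], b"challenge", "sha256").hexdigest()[:8]


def authenticate(user: str, *, password: Optional[str] = None,
                 token_code: Optional[str] = None) -> Optional[Session]:
    """Step 1: verify the supplied credential; return a Session carrying its level."""
    record = USERS.get(user)
    if record is None:
        return None
    if token_code is not None and user in TOKEN_SECRETS:
        # A presented token code is checked on its own; a bad code is a failure,
        # not a fallback to the password path.
        if hmac.compare_digest(token_code_for(user), token_code):
            return Session(user, record["role"], Level.HARD_TOKEN)
        return None
    if password is not None and hmac.compare_digest(record["pw"], _hash_pw(password, _SALT)):
        return Session(user, record["role"], Level.PASSWORD)
    return None


# Constructed application requirements: minimum level and the roles allowed.
FEATURES = {
    "course_management": {"min_level": Level.PASSWORD, "roles": {"instructor"}},
    "course_registration": {"min_level": Level.PASSWORD, "roles": {"student"}},
    "grade_submission": {"min_level": Level.HARD_TOKEN, "roles": {"instructor"}},
}


def authorize(session: Optional[Session], feature: str) -> bool:
    """Step 2: a feature is allowed only if the session's level meets the
    feature's minimum AND the user's role is permitted to see it."""
    if session is None or feature not in FEATURES:
        return False
    req = FEATURES[feature]
    return session.level >= req["min_level"] and session.role in req["roles"]


if __name__ == "__main__":
    pw_session = authenticate("prof_ada", password="correct horse")
    tok_session = authenticate("prof_ada", token_code=token_code_for("prof_ada"))
    print("password login -> grade_submission:", authorize(pw_session, "grade_submission"))
    print("token login    -> grade_submission:", authorize(tok_session, "grade_submission"))
    print("token login    -> course_management:", authorize(tok_session, "course_management"))
```

The point to notice is in `authorize`: the level comparison is `>=`, so the stronger credential is accepted wherever a weaker one would be, while the role check stays separate, since a strong login never changes what a person is entitled to do.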
Expanding Secure Login to Outside Users
In addition, the project team recommended that the campus further explore the advantages and disadvantages of expanding campus authentication services to accept what is known as federated authentication service. Federated authentication service permits individuals without campus computing accounts—such as prospective student applicants, parents and alumni—to access secure Web material using some other form of commonly-accepted user identification. In addition to this effort, the team recommended that the campus continue to participate in UC-wide and other higher education efforts to develop Web-based single sign-on systems.
The recommendations are currently being reviewed. IET is prioritizing and identifying the resources necessary to implement the recommendations. The team's report is available online.
Questions should be addressed to Robert Ono at raono@ucdavis.edu.