Grid-based two-factor authentication comes to campus cards
25 September, 2006
Sweden’s Göteborg University deploys a visual challenge and response solution from Entrust
By Andy Williams, Contributing Editor
You log in with your password, then you’re met with another screen with the following: A3, F4, J5. No, you’re not playing Bingo. It’s part of an authentication system created by Dallas, Texas-based Entrust. To supply the correct answers to A3, F4 and J5, you need a grid supplied by the company. It’s a security solution that one Swedish university has chosen to protect its student records.
“Grid authentication is about an X-Y coordinate lookup system,” said Steve Neville, senior manager of ID products and solutions for Entrust, Inc., a secure digital identity provider. “It’s like reading a map and it’s about being able to respond to the random challenges of a coordinate on a grid.”
To help prevent attacks on student data and protect the records of its 60,000 students and faculty while facilitating access for authorized parties, Göteborg University in Sweden recently implemented Entrust’s IdentityGuard. The campus, one of the largest in Scandinavia, joins a Tokyo college and “several others across Europe (that) are using it for their students and faculty also,” said Mr. Neville.
A cost-conscious option for multi-factor authentication
The two-factor authentication system requires a password, plus the grid that’s often printed on the back of a student’s or faculty member’s identification card, said Mr. Neville. It’s a standard student card that’s usable not only for identification but for other things, like accessing foodservice.
“Some organizations provide more flexibility and allow their customers to print out the grids, or store them and send them, via SMS, to their phone,” he added.
Either way, the grid is useless without the password and the password useless without the grid. The grid is the ‘something you have’ and the password is the ‘something you know’ in the multi-factor authentication scenario.
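The challenge-and-response flow described above can be sketched as follows. This is an added illustration, not Entrust's implementation or code from the article; the 10x5 grid layout, the cell alphabet and all function names are assumptions chosen so that coordinates such as A3, F4 and J5 exist.

```python
import hashlib, hmac, secrets, string

COLS, ROWS = "ABCDEFGHIJ", range(1, 6)   # assumed 10x5 card; covers A3, F4, J5
CELL_ALPHABET = string.digits + string.ascii_uppercase   # assumed cell contents

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def generate_grid():
    """Random card contents: one character per coordinate, e.g. grid['F4']."""
    return {f"{c}{r}": secrets.choice(CELL_ALPHABET) for c in COLS for r in ROWS}

def enroll(password):
    """Server-side record: salted password hash plus the issued grid."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw": hash_password(password, salt),
            "grid": generate_grid(), "pending": None}

def new_challenge(user, n=3):
    """Pick n distinct random coordinates and remember them server-side."""
    user["pending"] = secrets.SystemRandom().sample(sorted(user["grid"]), n)
    return user["pending"]

def verify(user, password, response):
    """Both factors must match; the challenge is consumed either way,
    so a captured response cannot be replayed against the same challenge."""
    challenge, user["pending"] = user["pending"], None
    if challenge is None or len(response) != len(challenge):
        return False
    expected = "".join(user["grid"][c] for c in challenge)
    given = "".join(response).upper()
    # Constant-time comparisons; evaluate both before combining the result.
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw"])
    grid_ok = hmac.compare_digest(given.encode(), expected.encode())
    return pw_ok and grid_ok

if __name__ == "__main__":
    user = enroll("constructed-sample-password")
    challenge = new_challenge(user)                 # e.g. ['A3', 'F4', 'J5']
    answer = [user["grid"][c] for c in challenge]   # read off the card
    print(challenge, verify(user, "constructed-sample-password", answer))
```

Because each login reveals only a few cells, an observer of one session learns a small part of the card; the number of cells per challenge and the grid size set how many observed logins it takes to answer a future challenge.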
This kind of authentication “has been a bit more accepted in the rest of the world than North America,” he said. “North America has always lagged in deployment of second factor authentication. In Europe it’s been accepted and understood as a requirement for many years. I expect to see these things in North America take hold there soon.”
“We wanted an authentication solution that would provide strong security but also would be easy to use for our students and faculty and also be economical to manage,” said Sven-Elof Kristenson, IT manager at Göteborg University. “Because we can combine the Entrust IdentityGuard grid authentication capability with the identity cards we already issue to our students and faculty at the beginning of the school term, it fit seamlessly into our existing system and will give us the ability to make even more services available online for everyone.”
The university also chose IdentityGuard because its grid authentication capability can be used to access records, file storage, reports, e-mail and calendar functions, said Mr. Neville. “It was a natural choice for stronger authentication. Ease of integration and usability also were factors that led to the decision to implement Entrust IdentityGuard.”
Adding ‘machine fingerprinting’ to the grid authentication
“ID Guard in and of itself is a platform for authentication,” said Mr. Neville. It comes in six different flavors (authentication options), ranging from the non-intrusive, like machine fingerprinting and grid authentication, to one-time password tokens, he added.
“One of the reasons Göteborg liked grid authentication is that it also delivers the flexibility to input other types of authentication. Inside our license model we don’t force them to track which authentication they’re using. They can choose which ones they want to use to protect student data,” said Mr. Neville.
A risk can be assigned to student data to determine the type of authentication needed, he added. “It can be a simple process, like this type of information requires the grid and machine authentication. For students, the grid is totally fine because they’re roaming around,” said Mr. Neville.
ID Guard is a “software server based product that can also provide strong authentication for remote access,” he added.
“What we’ve done is open platform. We support adding different authenticators. You can add machine fingerprinting, literally being able to capture parameters of an individual machine such as its IP address and its browser settings. If that person is coming in from a registered machine, on subsequent authentications it can transparently check.” If not, the user is prompted for additional security, such as a password.
“It’s all about increasing the security of a machine without affecting the user,” said Mr. Neville.
“When they (Göteborg University officials) were looking at security solutions, they were very sensitive to cost and how much change would be required. They looked at ID Guard as a very attractive solution versus one that could only be deployed to faculty alone because of the cost. It was also something they found very unique and something they could trust.”