An Introduction to PennKey
A key element of online security is the need to protect the passwords
we use to authenticate, or prove, our identity to online systems.
Upon careful evaluation, the University adopted the Kerberos-based
PennKey authentication (identity verification) system in October,
Within the PennKey authentication system, an individual's username
is known as a PennKey. Paired with an associated password, a
PennKey is required to authenticate an individual's identity to many
of Penn's networked systems and services. Note that PennKeys are all lower case, i.e., if a person
whose PennKey is "smith" enters "Smith" or "SMITH",
authentication will fail.
Faculty, staff, and students of the University of Pennsylvania;
employees of the University of Pennsylvania Health System (UPHS);
and sponsored guests who have an official business need for accessing restricted Penn
resources are eligible for a PennKey.
PennKey is the latest evolution of the University's longstanding
commitment to securing critical online services.
requirements for critical services are outlined in the University's
Critical PennNet Host Security Policy, commonly referred to
as the Critical Host policy. One way the policy strives to protect
Penn's systems and services is by mandating that passwords sent
between users and critical host systems be "strongly encrypted,"
or protected by certain ciphering methods, rather than sent
over the network "in clear text." The PennKey authentication
system satisfies this requirement and provides a foundation
for even stronger forms of authentication that may be required
in the future. PennKey authentication is only one of several
forms of secure authentication that meet the Critical Host
policy. Other forms of secure authentication are being used
on campus services as well.
The PennKey system is based on Kerberos, a security technology
developed at MIT. The Kerberos protocol enables
individuals to demonstrate that they are who they claim to be without
ever transmitting passwords over the network, even in encrypted
form. Thus there are fewer opportunities for password theft or unauthorized
access to Penn's network, systems, and confidential or personal
data. Kerberos also lays the foundation for the evolution towards
a "single sign-on" environment over time -- one in which
a user would enter a unique ID and password only once a day in order
to access several different online services.