
Strengthening PennKey Project (updated June, 2009)

Introduction
Changes to authentication infrastructure
Tracking of login attempts to PennKey systems
"Two-factor" authentication
Streamlining of PennKey Setup Code distribution - completed
Introduction of passphrases - on hold
Why the changes

Introduction

Information Systems and Computing, in consultation with the Schools and Centers, has undertaken a multi-pronged initiative to strengthen the authentication mechanisms that protect online applications, services, and information. Updates on the project will be issued as needed, via University publications and other communications vehicles. In the meantime, questions about the Strengthening PennKey initiative should be addressed to STRENGTHEN-PENNKEY@LISTS.UPENN.EDU.

Changes to authentication infrastructure - Q4 2008 - December 21, 2009

Websec, the ISC-developed facility underlying login to PennKey-protected, web-based applications and services, will be decommissioned in December, 2009. As a replacement for Websec, two technology options used in the education and research communities will be available to web application developers: Penn WebLogin, built on CoSign, and Shibboleth. Their implementation paves the way to future enhancements, such as "two-factor" authentication, described below, and federated authentication (i.e., the use of "home" institution credentials to access resources at another institution), a potential future direction for Penn. Penn WebLogin and Shibboleth also provide "single sign-on" to PennKey-protected web applications. Single sign-on (SSO) means that once you've entered your PennKey and password for one application, you can access other PennKey-protected web applications that support SSO for a 10-hour period without re-entering your PennKey and password. A subset of PennKey-protected web applications will not be using SSO; that decision is at the discretion of application owners and depends on their requirement for additional security.

The transition to Penn WebLogin/CoSign and Shibboleth will require modifications by IT staff to all PennKey-protected web applications. As individual applications are modified, users will see new global login and logout screens and processes.

Developers and system administrators who are transitioning their applications from Websec will find documentation and other assistance at http://www.upenn.edu/computing/weblogin.

Tracking of login attempts to PennKey systems - July 2009

A central mechanism to detect multiple authentication attempts using the same PennKey will be implemented to allow ISC Information Security to research and address security breaches. The logs will be used only by ISC Information Security personnel and will be protected under Penn's Policy on Privacy in the Electronic Environment. These measures will enhance our ability to protect data and applications by providing a means of detecting and investigating security incidents that would otherwise not be reported. Implementation is expected in July, 2009.
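The detection described above amounts to counting authentication attempts per PennKey over a time window and flagging accounts whose failures cluster. The following Python is an added illustration of that idea, not ISC's mechanism: the log line format, field names, the five-failures-in-five-minutes threshold, and the sample entries are all constructed assumptions.

```python
"""Sliding-window detection of clustered failed logins per PennKey.

Added illustration only. The log format (ISO timestamp, OK/FAIL, pennkey=, ip=),
the thresholds and the sample lines are constructed assumptions, not the
central logging mechanism the page describes.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log, in chronological order (the detector assumes that).
SAMPLE_LOG = """\
2009-07-01T08:00:01 FAIL pennkey=jdoe ip=203.0.113.5
2009-07-01T08:00:04 FAIL pennkey=jdoe ip=203.0.113.5
2009-07-01T08:00:09 FAIL pennkey=jdoe ip=203.0.113.5
2009-07-01T08:00:15 FAIL pennkey=jdoe ip=203.0.113.5
2009-07-01T08:00:20 FAIL pennkey=jdoe ip=203.0.113.5
2009-07-01T08:00:22 FAIL pennkey=jdoe ip=203.0.113.5
2009-07-01T08:01:00 OK   pennkey=asmith ip=198.51.100.7
2009-07-01T08:02:00 FAIL pennkey=asmith ip=198.51.100.7
2009-07-01T08:30:00 FAIL pennkey=asmith ip=198.51.100.7
2009-07-01T09:00:00 FAIL pennkey=asmith ip=198.51.100.7
"""

# Hypothetical line layout: "<timestamp> <OK|FAIL> pennkey=<id> ip=<addr>"
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+pennkey=(\S+)\s+ip=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, pennkey, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, pennkey, ip = m.groups()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), result, pennkey, ip)


def detect_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each PennKey whose failures reach `threshold` inside any `window`
    to the time the threshold was first reached. Successful logins are ignored
    here; only the density of failures matters for this check."""
    recent = defaultdict(deque)  # pennkey -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, pennkey, _ip = rec
        if result != "FAIL":
            continue
        q = recent[pennkey]
        q.append(ts)
        # Drop failures older than the window before counting.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and pennkey not in alerts:
            alerts[pennkey] = ts
    return alerts


def sources_per_pennkey(log_text):
    """Map each PennKey to the set of client addresses seen using it (any result);
    many distinct sources for one account is a second signal worth reviewing."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            _ts, _result, pennkey, ip = rec
            sources[pennkey].add(ip)
    return dict(sources)


if __name__ == "__main__":
    for pennkey, when in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {pennkey}: failure threshold reached at {when.isoformat()}")
    print(sources_per_pennkey(SAMPLE_LOG))
```

With the constructed sample, only jdoe trips the default threshold (five failures within 08:00:01 to 08:00:20); asmith's three failures spread over an hour do not. Widening the window to two hours and lowering the threshold to three flags asmith as well, which is the usual tuning trade-off between catching slow guessing and generating noise from ordinary mistyped passwords.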

"Two-factor" authentication - Pilot for FY10

Two-factor authentication refers to the use of a second factor, or piece of information that the user possesses, to supplement reusable PennKey passwords when accessing applications or services. Two-factor authentication is used to provide a higher degree of security. Based on a March 31, 2009 strategy recommendation, two technologies are being explored for pilot implementation: a hardware token that provides the authenticating user with a one-time password, and a phone-based solution using a registered phone to enter a PIN/password.

Streamlining of PennKey Setup Code distribution - Completed, June 2009

The PennKey Setup Code process was set up at a time when few options for truly secure distribution of codes were available, and the majority of users were either on, or soon to be on, campus. As more departments have become interested in offering PennKey services to "non-traditional" constituencies (e.g., alumni), the assumption that an individual will be able to appear in person becomes invalid. The goal of streamlining is to enable remote identity verification to reduce the amount of time to establish a PennKey.

The first phase of the streamlining effort included an extensive survey of peer institutions and other relevant sources to determine how the distribution of credentials is handled, and how to handle identity verification for users not able to appear in person. The second phase, based on the recommendations from Phase 1, was the implementation of remote identity verification for alumni. Using a new system called PennKey ASAP, alumni are able to complete a process to verify their identity and are issued a Setup Code electronically. They can then use the Setup Code immediately in the existing process to set up a PennKey and password. PennKey ASAP was implemented in June, 2009.

Introduction of passphrases - On indefinite "hold"

Why the changes

Since PennKey was implemented in 2002, the number, variety, and sophistication of security threats and risks have increased. The majority of malware, and an estimated 10% of the world's web sites, now harbor keystroke loggers that can steal passwords on compromised computers. The likelihood of password theft has increased dramatically. More powerful "brute-force" guessing attacks have made short and weak reusable passwords more vulnerable than ever. These and other attacks have become more sophisticated and targeted for financial gain. The increased use of mobile devices and the wide availability of wireless access points that are both unsecured and anonymously managed have increased casual and intentional theft of credentials. To effectively address these threats and protect University assets, data, and reputation, a stronger authentication infrastructure that takes advantage of technical advances in protection and detection is required.

Penn must also position itself for the future. The viability of reusable passwords is coming to an end, so it's essential for Penn to be able to supplement reusable passwords. There is also a rapidly growing demand for managed access to Penn systems and data by large numbers of geographically remote and more loosely-affiliated constituencies, such as admitted students, worldwide alumni, etc. Their identity is harder and/or costlier to verify than that of faculty, staff and students living and working on campus. Finally, with the increase in institutional collaboration and state and federal E-Government initiatives, Penn's authentication infrastructure must be able to support federated identity management with other institutions.

Information Systems and Computing
University of Pennsylvania