Authentication and Authorization initiatives
Authentication is the process of confirming a user's identity. Authorization
determines what services and access a user is authorized for.
A pilot of two-factor authentication began in Summer 2013. For more information
and to join the pilot, visit the Two-Step Verification service page.
is a talk describing the pilot, as presented at a recent Security Liaisons
Penn's campus-wide authentication system is PennKey (www.upenn.edu/computing/pennkey).
PennKey supports two authentication protocols: Kerberos and RADIUS.
PennKey uses PennNames to ensure a single
campus-wide namespace (i.e. to avoid different people being assigned the same
user ID). Developers and systems administrators creating accounts and IDs for
new users are strongly encouraged to use the PennNames service and to avoid creating
numerous different IDs for the same person.
Campus web developers who want to use PennKey to authenticate users to their
web-based applications may use Penn's
Web Security Module. The Web Security Module allows application developers
to require successful PennKey authentication and provides the user's PennID
for use in determining whether or not the user is authorized for the application.
PennKey and the Web Security Module are authentication systems only. PennKeys
are issued to a wide range of individuals, including Faculty, Staff, Students,
Guests, and Visiting Scholars, to list just a few. So possession of a PennKey alone
tells the application owner nothing about what the end user is authorized to
do. Application developers must make sure that, after authenticating users, they
determine whether or not the user is authorized to use their application.
Authorization is usually done in one of two different ways. Often, a user's
affiliation can be used to determine whether or not they are authorized to use
an application or service. Biographical/Demographic data such as a user's affiliation
(e.g. faculty/student/staff) or School/Department can be used to make authorization
decisions. In other cases, there is no single piece of Bio/Demo data that can
be used to make an authorization decision; rather, authorization is based
on "need to know". For example, authorization for access to the minutes of a
Dean search committee would be based on the list of all committee members. Such
lists are known as Access Control Lists, or ACLs.
It is the responsibility of application developers to ensure proper authorization
is performed before granting access to sensitive applications.
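The two authorization patterns described above (affiliation-based and ACL-based), applied to a PennID that the authentication layer has already established, as an added example that is not part of this page or of the PennKey or Web Security Module code. The PennIDs, the Bio/Demo records, the resource names and the function names are all constructed for illustration; a real application would obtain the PennID from the Web Security Module and the affiliation data from the directory service.

```python
# Constructed sample Bio/Demo records keyed by PennID (hypothetical values,
# not real Penn data). A real application would query the directory service.
BIO_DEMO = {
    "10000001": {"affiliation": "faculty", "school": "SEAS"},
    "10000002": {"affiliation": "student", "school": "SAS"},
    "10000003": {"affiliation": "guest", "school": None},
}

# Constructed ACL for the Dean search committee minutes: an explicit list
# of PennIDs, the "need to know" case described in the text.
DEAN_SEARCH_MINUTES_ACL = frozenset({"10000001"})


def authorize_by_affiliation(pennid, allowed_affiliations):
    """Affiliation-based decision. Fails closed when the PennID is unknown
    to the directory, so a valid PennKey alone never grants access."""
    record = BIO_DEMO.get(pennid)
    if record is None:
        return False
    return record["affiliation"] in allowed_affiliations


def authorize_by_acl(pennid, acl):
    """ACL-based decision: authorized only if the PennID is explicitly listed."""
    return pennid in acl


def handle_request(authenticated_pennid, resource):
    """Decide a request. `authenticated_pennid` is what the Web Security
    Module would supply after a successful PennKey login; None means the
    user has not authenticated. Returns an HTTP-style status code:
    401 (not authenticated), 403 (authenticated but not authorized), 200."""
    if authenticated_pennid is None:
        return 401
    if resource == "course-tools":
        # Affiliation is enough: any faculty member or student may use it.
        ok = authorize_by_affiliation(authenticated_pennid, {"faculty", "student"})
    elif resource == "dean-search-minutes":
        # No affiliation answers this; only the committee membership list does.
        ok = authorize_by_acl(authenticated_pennid, DEAN_SEARCH_MINUTES_ACL)
    else:
        ok = False  # unknown resource: default deny
    return 200 if ok else 403
```

A guest with a valid PennKey is authenticated (no 401) yet still refused the course tools (403), which is exactly the distinction the text draws.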
Last updated: Friday, December 6, 2013