Penn Computing
Authentication and Authorization initiatives

Authentication is the process of confirming a user's identity. Authorization determines which services and data an authenticated user is permitted to access.

Multi-factor Authentication

A pilot of two-factor authentication began in Summer 2013. For more information and to join the pilot, visit the Two-Step Verification service page. A talk describing the pilot was presented at a recent Security Liaisons meeting.


Penn's campus-wide authentication system is PennKey. PennKey supports two authentication protocols: Kerberos and RADIUS.

PennKey uses PennNames to ensure a single campus-wide namespace (i.e., to avoid different people being assigned the same user ID). Developers and systems administrators creating accounts and IDs for new users are strongly encouraged to use the PennNames service and avoid creating numerous different IDs for the same person.

Campus web developers who want to use PennKey to authenticate users to their web-based applications may use Penn's Web Security Module. The Web Security Module allows application developers to require successful PennKey authentication and provides the user's PennID for use in determining whether or not the user is authorized for the application.

PennKey and the Web Security Module are authentication systems only. PennKeys are issued to a wide range of individuals, including faculty, staff, students, guests and visiting scholars, to list just a few. Possession of a PennKey alone therefore tells the application owner nothing about what the end user is authorized to do. After authenticating a user, application developers must separately determine whether or not that user is authorized to use their application.


Authorization is usually done in one of two ways. Often, a user's affiliation can be used to determine whether or not they are authorized to use an application or service: biographical/demographic data such as a user's affiliation (e.g. faculty/student/staff) or School/Department can be used to make the authorization decision. In other cases, there is no single piece of Bio/Demo data that can be used to make an authorization decision; rather, authorization is based on "need to know." For example, authorization for access to the minutes of a Dean search committee would be based on the list of all committee members. Such lists are known as Access Control Lists, or ACLs.

It is the responsibility of application developers to ensure proper authorization is performed before granting access to sensitive applications.
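The following is an added illustration of the two authorization approaches described above (affiliation-based and ACL-based) applied to a PennID that the Web Security Module has already authenticated. It is example code written for this page, not Penn's own code. The directory records, PennIDs, resource names and ACL membership are constructed sample data, and the way the PennID reaches the application (a plain string argument here) is an assumption; the point is that every resource is denied by default and granted only by an explicit policy.

```python
"""Authorization after PennKey authentication: affiliation policy vs. ACL policy.

Added example, not Penn's code. Assumes the Web Security Module has already
authenticated the user and handed the application the user's PennID as a string.
All directory data, PennIDs and resource names below are constructed samples.
"""
from dataclasses import dataclass

# Constructed sample Bio/Demo directory keyed by PennID (hypothetical values).
DIRECTORY = {
    "10000001": {"affiliation": "faculty", "department": "SEAS"},
    "10000002": {"affiliation": "student", "department": "SAS"},
    "10000003": {"affiliation": "staff", "department": "ISC"},
    "10000004": {"affiliation": "guest", "department": ""},
}


@dataclass(frozen=True)
class AffiliationPolicy:
    """Authorize on Bio/Demo attributes: e.g. any faculty member, or staff in one department."""
    affiliations: frozenset
    departments: frozenset = frozenset()  # empty set means any department qualifies

    def allows(self, pennid: str) -> bool:
        record = DIRECTORY.get(pennid)
        if record is None:  # authenticated, but unknown to the directory: deny
            return False
        if record["affiliation"] not in self.affiliations:
            return False
        return not self.departments or record["department"] in self.departments


@dataclass(frozen=True)
class AclPolicy:
    """Authorize on 'need to know': an explicit list of PennIDs (an ACL)."""
    members: frozenset

    def allows(self, pennid: str) -> bool:
        return pennid in self.members


# Constructed application registry: each protected resource names the policy that grants it.
RESOURCES = {
    "grade-roster": AffiliationPolicy(frozenset({"faculty"})),
    "isc-helpdesk": AffiliationPolicy(frozenset({"staff"}), frozenset({"ISC"})),
    "dean-search-minutes": AclPolicy(frozenset({"10000001", "10000003"})),
}


def is_authorized(pennid, resource):
    """Return True only when an explicit policy grants access.

    No PennID (not authenticated), an unregistered resource, or a policy that
    does not match all fail closed.
    """
    if not pennid:
        return False
    policy = RESOURCES.get(resource)
    if policy is None:
        return False
    return policy.allows(pennid)


def authenticated_only(pennid, resource):
    """The mistake the page warns against: treating possession of a PennKey as authorization.

    Kept here only for contrast; it lets a guest read the search-committee minutes.
    """
    return bool(pennid)


if __name__ == "__main__":
    for pid in DIRECTORY:
        for res in RESOURCES:
            print(pid, res, "ALLOW" if is_authorized(pid, res) else "DENY")
```

Note that `authenticated_only` returns True for the guest PennID on every resource, which is exactly the failure the page describes: authentication succeeded, but no authorization decision was ever made. In a real deployment the directory lookup and ACLs would come from Penn's data sources rather than in-memory dictionaries, but the shape of the check (identity in, explicit policy decision out, deny by default) is the part that matters.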

Last updated: Friday, December 6, 2013

Information Systems and Computing
University of Pennsylvania