Leveraging Varying Level of Assurance
March 9, 2006 | 2 Comments
In higher education we all seem to struggle, at least a bit, with coupling together our many varied web services and applications. Part of the difficulty I see is that the services we deliver have very different needs for how secure each of them must be.
A common reaction to this is to lock things down tightly, requiring your users to reauthenticate on a regular basis to access even the most trivial of services. In this situation users feel encumbered by the security and are less satisfied using these services. Face it, who doesn’t love sites that know who we are and let us do the things we expect when we go back? (e.g. WordPress, Gmail, Flickr, Amazon)
For the purposes of this article, I am defining level of assurance as how sure we are that the user on the other end of the browser is who we think they are.
I imagine an ideal situation where we identify a required level of assurance for each service, then check against an appropriate indicator.
A preliminary structure for varying levels of assurance:
| LOA | Who/How? | Example Services |
|---|---|---|
| Level 0 | Anonymous | Homepage, various public facing pages, etc |
| Level 1 | Long term cookie | Targeted Announcements, News Reader, Personalized Content, Bookmarks, etc |
| Level 2 | Active browser session or desktop domain login | Email, Learning Management System, Calendar, Groups Tool, etc |
| Level 3 | 30 minute session | Financial Information, Grades, Address Information, etc |
| Level 4 | Every usage | Password change, others? |
In this scenario, users would be asked for credentials less frequently for less secure needs. This in turn encourages them to use many of these types of applications more frequently. In those less secure applications, “ticklers” can be placed encouraging them to register for classes, update address information, or check in on classes in the learning management system all as appropriate. This allows us to draw users into the more secure areas just like Amazon draws us into making a purchase, but always allows us to place things in our shopping cart.
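The table above is essentially a policy: each service declares a required level, and the application compares it with the level the browser's current indicators justify, prompting for credentials only when the gap exists. The following is an added illustration, not code from the original post; the service keys, the `AuthState` fields and the `step_up` outcome are assumed names chosen to mirror the table.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy data: the post's LOA table as service -> required level.
# Service keys are illustrative names for the table's example services.
REQUIRED_LOA = {
    "homepage": 0,
    "news_reader": 1, "bookmarks": 1,
    "email": 2, "lms": 2, "calendar": 2,
    "grades": 3, "financial": 3, "address": 3,
    "password_change": 4,
}
RECENT_AUTH_MINUTES = 30  # the "30 minute session" of Level 3


@dataclass
class AuthState:
    """Hypothetical snapshot of what the web tier knows about this browser."""
    long_term_cookie: bool = False            # remembered identity (Level 1 indicator)
    session_active: bool = False              # live browser session or domain login (Level 2)
    minutes_since_auth: Optional[int] = None  # minutes since credentials were last verified
    authenticated_this_request: bool = False  # credentials supplied for this very request


def achieved_loa(state: AuthState) -> int:
    """Map the table's indicators to the highest level they justify.
    A recent login only counts while its session is alive, and a long-term
    cookie never gets past Level 1 on its own, however recently it was set."""
    if state.authenticated_this_request:
        return 4
    if (state.session_active and state.minutes_since_auth is not None
            and state.minutes_since_auth <= RECENT_AUTH_MINUTES):
        return 3
    if state.session_active:
        return 2
    if state.long_term_cookie:
        return 1
    return 0


def authorize(service: str, state: AuthState) -> Tuple[str, int, int]:
    """Return ('allow' | 'step_up', achieved, required)."""
    # 'step_up' means the browser carries a weaker indicator than the service
    # needs, so the application should prompt for credentials rather than deny.
    required = REQUIRED_LOA[service]
    achieved = achieved_loa(state)
    return ("allow" if achieved >= required else "step_up", achieved, required)
```

A user with a live session whose last login was 45 minutes ago reads email without interruption but is prompted again before viewing grades, which is exactly the "draw them in, then step up" flow the post describes.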
Tags: browser, higher education, identity, identity management, level of assurance, loa, password, portal, session
