Technical Product Manager, SURF
Scalable, Multi-Factor Authentication in the Netherlands
In this presentation, we will discuss two use-cases for large-scale multi-factor authentication in the Netherlands: one in higher education and research, and one in a government-to-citizen setting.
Passwords are the most horrible and insecure authentication mechanism. It is near impossible to educate users on how to handle them properly, even more so when your user base includes people of all ages and literacy levels. The government of the Netherlands uses an authentication scheme for citizens for all government services, called DigiD. This was originally password-based, but is in need of renewal. FIDO2 seems to be the way forward, but there are still challenges to overcome before introducing it at a scale of 17 million people. We need to learn from other organisations' best practices and are planning to share our own lessons as we learn them.
Research and Education
SURFconext is the national identity federation for research and higher education in the Netherlands, enabling Single Sign-On to many services for 1.3 million users at universities and other research institutes. With many high-value services, stricter legal requirements with respect to authentication and identity vetting, and an increase in phishing campaigns targeting member organizations, the need for strong authentication has grown.
To meet this need, SURF has developed and deployed open source software for introducing multi-factor authentication in a scalable way, using a delegation model for identity vetting, a modular system for adding arbitrary authentication methods, and with minimal requirements for member identity and service providers.
In this presentation, we will discuss our lessons learned from introducing multi-factor authentication in our federation. We will explain how we balance security with user-friendliness, how we protect our members against vendor lock-in, and how we maximize interoperability with open standards such as OpenID Connect, SAML 2.0, and FIDO2.