SURF is the shared IT organization for research institutes and universities in the Netherlands. The organization helps to connect over 100 different institutions across the country.
The Challenge/ Use Case:
With lots of students and educators that need access, SURF faces multiple challenges.
Since 2007, SURF has been developing and using a service it calls SURFconext, which provides a national identity federation for research and higher education. SURFconext is an identity federation that consists of over 180 different identity providers and it provides a single sign-on (SSO) capability for SURF’s member institutions. SURFconext is based on the SAML 2.0 standard and makes use of OpenID Connect and is used by 1.7 million people across the Netherlands.
Over the last decade, there have been increasingly sensitive workloads and growing security concerns with accessibility. Some member institutions were only enforcing access with basic password authentication and there was a need to introduce multi-factor strong authentication.
How SURF Uses FIDO To Secure Its Users
With multiple member organizations each using various technologies, SURF implemented an add-on service called SURFsecureID.
SURFsecureID is a hosted service that provides multi-factor authentication, with a step-up approach.
“The idea is that users authenticate at their home University using the password and before they are redirected to the service provider they are redirected to us where we require a second factor before sending them off to the service they initially requested,” explained Joost van Dijk, Technical Product Manager at SURF.
The step up authentication approach makes use of FIDO 2 standards to help protect SURF’s users