SURF is the shared IT organization for research institutes and universities in the Netherlands. The organization helps to connect over 100 different institutions across the country.
The Challenge/ Use Case:
With lots of students and educators that need access, SURF faces multiple challenges.
Since 2007, SURF has been developing and using a service it calls SURFconext, which provides a national identity federation for research and higher education. SURFconext is an identity federation that consists of over 180 different identity providers and it provides a single sign-on (SSO) capability for SURF’s member institutions. SURFconext is based on the SAML 2.0 standard and makes use of OpenID Connect and is used by 1.7 million people across the Netherlands.
Over the last decade, there have been increasingly sensitive workloads and growing security concerns with accessibility. Some member institutions were only enforcing access with basic password authentication and there was a need to introduce multi-factor strong authentication.
How SURF Uses FIDO To Secure Its Users
With multiple member organizations each using various technologies, SURF implemented an add-on service called SURFsecureID.
SURFsecureID is a hosted service that provides multi-factor authentication, with a step-up approach.
“The idea is that users authenticate at their home University using the password and before they are redirected to the service provider they are redirected to us where we require a second factor before sending them off to the service they initially requested,” explained Joost van Dijk, Technical Product Manager at SURF.
The step up authentication approach makes use of FIDO2 standards to help protect SURF’s users.
With FIDO, SURF is now able to provide strong authentication to users across the Netherlands in an approach that helps to improve resiliency and security.
One particular risk that FIDO helps SURF to minimize is that of phishing attacks which has been a growing concern since at least the onset of the pandemic.
“Especially since the COVID crisis began, we’ve seen a lot of phishing campaigns launched against our users and we see FIDO2 as an excellent way to mitigate this threat,” commented Joost van Dijk, Technical Product Manager at SURF.