Bringing security in Tuakiri to next level

Presentation posted on 2024-03-04, 09:41, authored by eRNZ Admin, Vladimir Mencl

For over a decade, Tuakiri has been providing the NZ R&E community with a way to authenticate users in a trusted way, with assurance about the user's attributes as provided by the user's home organisation. However, in the current state, services consuming a Tuakiri login only get the level of trust of a common baseline. Security requirements are evolving and there is growing demand to bring security up to the next level on several dimensions - even if applied only to a smaller selection of services and/or users.

Multi-factor authentication (MFA) has become the norm in many authentication scenarios. A number of organisations have also enabled MFA for users authenticating to their Tuakiri-connected Identity Provider (IdP). However, to deliver the value of MFA to a service using Tuakiri to authenticate users, we need a common way for SPs to request MFA and for IdPs to confirm MFA was used - and this should be independent of the specific MFA technology used. This need has been addressed by the international R&E community with REFEDS MFA [1], and Tuakiri aims to adopt it.

Some services need to see the strength of the identity-proofing processes the user's identity has been verified to. The IdP can signal this by including relevant attribute values from the REFEDS Assurance Framework [2].

When a security incident occurs in the Federated Identity space, it is crucial to coordinate the response among the multiple parties involved. The REFEDS SIRTFI framework [3] addresses this and provides a way for individual parties to signal that they can follow the response processes outlined.

These enhancements would increase the value Tuakiri delivers to the community - and may also become required to access certain services.

This presentation will describe these security-posture improving changes in further detail and will outline what would be required of Tuakiri members to make use of these improvements.

References:
[1] https://refeds.org/profile/mfa
[2] https://refeds.org/assurance
[3] https://refeds.org/sirtfi


ABOUT THE AUTHOR
Dr. Vladimir Mencl has been part of the New Zealand R&E community since 2006 and has been involved in identity and access management projects since the early days of the BeSTGRID project. When the Tuakiri project moved to REANNZ, Vlad joined REANNZ where he is part of the Systems team as a Lead Software Engineer.


For more information about eResearch NZ / eRangahau Aotearoa, visit:
https://eresearchnz.co.nz/
