Thinking about authentication

Five years ago I blogged some thoughts on authentication and how confusing it is.  I thought it might be interesting to revisit this in the light of the recent report sponsored by OpenAthens on “Librarians’ experiences and perceptions of Identity and Access Management”. I also had a long chat with Phil Leahy at UKSG which is always a pleasure.

I broadly agree with the report – everyone wants things to be seamless, no one wants to login, no one wants to understand technical matters / terms.  From my NHS perspective we have pretty much always needed to treat everyone as “offsite” as IP access is rarely an option.  Perhaps the increasing demand evidenced in the wider community will drive some neat solutions?

Challenges of offsite access

I thought it interesting that the library staff felt that offsite access was a bigger challenge to their skills and knowledge than to that of the users and their increasingly complex journeys.  We spend a lot more time worrying about these things than the users! I would expect a somewhat different result if users were asked.

In the solutions section I was excited to see the potential discussed for recognising multiple affiliations – this would be a real game changer (alongside some licence work).  Increased granularity is something we can see coming in the changes to NHS OpenAthens but this needs to be accompanied by changes to allow automated allocation to different permission sets by user type.

In terms of my thoughts from five years ago – how have we done?

Many of the issues remain the same and are tied up in the nature of authentication – people do need to identify themselves and remember their login details.

The change to a two step authentication has been accepted by the users and meets the need to increase control over potential dubious registrations.

Problems with over convoluted login paths remain (and remain within the remit of the publishers who should be doing better) as does inconsistent use of terminology.

A new problem comes from the stricter password rules which place a higher level of security on OpenAthens logins than near any other system I use (numbers and letters, at least 8, no sequences, no “weak” words). The biggest set of problems relate to the implementation of a new self registration form for the NHS (by NICE and outside the control of EduServ).  This fails on multiple browsers and is particularly unhelpful around the password issue simply telling people they have made an error but not what it is or how to fix it.  Moves are underway to sort this but given it has been in excess of four months since the new password rules were introduced a solution is not being rushed.  I feel sorry for EduServ who look bad but cannot resolve it, for people trying to manage registrations and (more than anything) for those trying to register.

So more progress required.

Advertisements