A Roadmap for Consolidated Logical and Physical Access at the University of Michigan

November 1, 2005 (Final)

Kitty Bridges, ITCS; Dan Drumm, MAIS; Rick Hadden, Plant Operations; Paul Howell, ITSS; Judy Hufziger, Mcard; Mike McPherson, Merit; Jim Vibbart, Plant Operations; Bill Wrobleski, MAIS

Purpose

This document is a statement of possibility: a description of how authentication, door access, and ID cards could work together to provide an improved environment for the students, staff, and faculty of the University of Michigan.

This document is not a project plan, business case, or funding request. It does not lay out the exact steps, deliverables, costs and benefits of each initiative. Instead, this document is a roadmap for the University to use as it makes decisions in the area of logical and physical access. It's a long-term vision to which we believe the University should aspire.

Our hope is that the vision we have defined here will serve as the foundation on which our organizations can plan, a resource for leadership to use as it evaluates alternatives, and the basis of our cooperation in the future.

The Long Term Vision

Over the next five years, we would like to see the many disparate University authentication and access systems converge toward a set of common standards. This convergence would greatly simplify the user experience at the University. If successful, the user experience at the University might be similar to the following scenario:

Upon joining the University, each student, staff, and faculty member receives an Mcard with built-in smart card capabilities. The Mcard would not only be used for some financial transactions on campus but would also hold the person's digital keys for authentication. The card would also include proximity functionality and magnetic stripe capability, allowing it to work with the University's door access systems.

The result would be that a faculty member could wave or swipe his/her Mcard to gain access to his/her office. The faculty member would use the same Mcard to access University computer systems (through a reader, a USB port, or a specialized device that generates a one-time token).

Behind the scenes, for the most part unseen by the faculty member, various technologies are working together. The Card Reader/Door Access System (Plant Operations), Two-Factor Authentication (MAIS), Public Key Infrastructure (ITCS), Cosign (ITCS), Kerberos (ITCS) and the Enterprise Directory (ITCS) are all working together based on agreed upon technical standards and interfaces.

Not only are the technologies integrated, but the University units responsible for the various components have created understandable processes for distribution, revocation, and replacement of cards and other authentication information.

The technologies for this vision all exist today. Some of the technologies are already in place at the University (e.g., Cosign and Kerberos). Other technologies are being implemented by currently active University projects (e.g., Two-Factor Authentication, Card Reader/Door Access Card, Enterprise Directory). Other technologies are being discussed, and projects are likely to be undertaken soon (e.g., smart card technology). It's fair to say that the University is well on its way to constructing all the parts that make up this vision. Our ability to achieve this vision is therefore limited only by our ability to coordinate our work and communicate effectively.

How We Get There

Autonomous but Coordinated Projects

It would be a mistake to try to combine all of these projects, systems and services into one big initiative. The weight and complexity of the overall effort would surely doom it to fail. Conflicting requirements of stakeholders and differing business pressures would create a no-win situation for the University.

Instead, we believe we are best served by several smaller independent projects working on individual parts of the overall vision, but coordinated at a high level. These independent projects should agree on a high-level roadmap which outlines how these technologies will be integrated in the mid-term and long-term. The projects would also set up simple structures to facilitate communication, including regular meetings of key team members.

A Phased Approach

There are many small steps that can move us toward our vision. As long as we are thoughtful and purposeful about the steps we take, we can make continued progress toward our long-term vision.

The exact phases would need to be determined by each project team, but the following calendar describes one way in which progress could be made:

1st 18 Months:

  • Physical tokens are implemented for two-factor authentication.
  • Cosign and two-factor authentication are tightly integrated.
  • Card Reader/Door Access Card project establishes its long-term plan, and an implementation project is initiated.
  • Mcard establishes its long-term strategy for smart card deployment, and an implementation project is initiated.
  • Public Key Infrastructure (PKI) project initiated.
  • Certificate Authority established for PKI.

2nd 18 Months:

  • Two-factor authentication begins to leverage digital certificates.
  • Mcard deployment of smart card technology begins.
  • Card Reader/Door Access Card project deployment begins using the Mcard as a door access card.
  • PKI infrastructure is being leveraged by some targeted applications.

3rd 18 Months:

  • All or much of the University possesses Mcards with smart card technology.
  • Most (or perhaps all) of the door access systems on campus use Mcards.
  • A large percentage of users have moved away from physical tokens and are using the Mcard for two-factor authentication.

Although none of the projects is totally dependent on the others, the failure of any one of the independent projects to deliver its components would prevent the overall vision from being fully realized. For example, Two-Factor Authentication and Card Reader/Door Access could eventually leverage the Mcard even if PKI is never successfully deployed. Or Two-Factor Authentication and PKI could use the same security token even if smart chips are never implemented on the Mcard. But in both these situations, the end result would be something less complete than the planned long-term vision.

Processes

Ultimately as these integrated technologies come online, several University business processes will be directly affected. We should expect incremental improvements in processes such as card distribution, digital key distribution and door authorization as each project completes its work.

If the University would like to achieve more significant process integration and redesign, then it may be necessary to implement one or more special projects to tie together these complex cross-organization processes. For example, it's possible to imagine a one-stop process by which a new employee gets their Mcard, digital keys, and door authorization. This type of process redesign might evolve out of these projects, but it is more likely that an organized project will need to be established to achieve the greatest benefits.

Conceptual Architecture

The long-term vision is based primarily on three points:

  • The Mcard is ubiquitous on campus, and in the long-term, it should be used for both computer and physical access.
  • The Enterprise Directory will become a key University repository for authorization and access information. The Enterprise Directory will ultimately become the repository for security credentials such as PKI public keys.
  • Cosign is the established University standard for Web authentication, and it should be used as the key delivery method for two-factor authentication.

The following diagram illustrates how each of the components rely on each other in the long-term vision:

Barriers to Success

We recognize several barriers that could delay or halt progress on this long-term vision. These include:

Funding Barriers

Not all of the necessary projects have been funded and initiated. These include:

  • The Mcard Office has been investigating smart chip technologies but has not yet initiated a project. Costs for smart cards may be prohibitive.
  • A Card Reader/Door Access Card Project exists to research access issues, but an implementation project has not been initiated.
  • The Enterprise Directory has been funded for its preliminary phase, but funding for the overall directory has not yet been identified.
  • A PKI project has been proposed by the IT Commons, but it has not yet been defined and funded.

Organizational Barriers

  • Organizational boundaries and conflicts could prevent effective cooperation among the various units. Many of the organizations have never worked together on projects of this complexity and scope. Those that have worked together have had some conflict in the past, so confidence in each other may be eroded.
  • Implementing this vision does not require the immediate support or participation of the Medical Center, but its ultimate success will involve the Medical Center's buy-in and support. At this point, it is not clear if this vision would be seen as a priority for the next several years for the Medical Center.
  • Integrating processes across organizations is complicated and difficult. Traditionally, we tend to optimize processes by organization. The result is that the overall process may be inefficient. Differing priorities, requirements, and styles often make it difficult to optimize a process across multiple organizations.

Technical Barriers

  • Despite its great promise, few institutions have successfully implemented PKI. Logistical problems such as key distribution and revocation have slowed its acceptance. EDUCAUSE has been a long-time proponent of PKI, and recent contractual arrangements between EDUCAUSE and several PKI vendors will help enable PKI deployment, but challenging logistical problems still remain.
  • The use of the Mcard for computer authentication will ultimately involve card readers on many University computers. It may take several years for readers to become ubiquitous on campus. In addition, cross-platform compatibility may surface as a challenge, as it often does in cross-University technology deployments. Deployment of readers to home machines will also be a likely hurdle.
  • Due to vertical integration in the door entry and information technology market spaces, it may be difficult to find a door access system that meets the door control and IT integration requirements of the University. For example, critical door entry requirements may involve lock cylinder, door strikes, control panels, and monitoring systems. It may be difficult to find a system that meets these requirements and also meets the University's requirements for PKI and directory integration.
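The three architectural points above and the key-distribution and revocation barrier just listed are easier to reason about with a concrete flow. The following is an added example, not code from the roadmap or from any MAIS, ITCS or Mcard system: a minimal challenge-response login in Go in which a Directory type stands in for the Enterprise Directory as the repository of public keys, a Card type stands in for the private key held on the Mcard chip, and an Authenticator stands in for the Cosign-side check. The type names, the sample uniqname, and the use of Ed25519 key pairs in place of the X.509 certificates the roadmap's PKI would issue are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Sentinel errors so a caller can tell a revoked card from a forged or
// replayed response.
var (
	ErrUnknownUser  = errors.New("uniqname not in directory")
	ErrNoChallenge  = errors.New("no outstanding challenge (replayed or out-of-order response)")
	ErrRevoked      = errors.New("card key has been revoked")
	ErrBadSignature = errors.New("signature does not verify against the directory key")
)

// Directory stands in for the Enterprise Directory as the roadmap describes
// it: the repository of each person's current public key. The schema is an
// assumption of this example; the roadmap does not define one.
type Directory struct {
	current map[string]ed25519.PublicKey // uniqname -> key on the currently issued card
	revoked map[string]bool              // hex(public key) -> true once the card is lost/replaced
}

func NewDirectory() *Directory {
	return &Directory{current: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

// Enroll records the public key of a newly issued Mcard, superseding any
// earlier card's key for that uniqname.
func (d *Directory) Enroll(uniqname string, pub ed25519.PublicKey) {
	d.current[uniqname] = pub
}

// Revoke marks a card's key unusable (lost card, departed employee). The entry
// is kept rather than deleted so a later lookup says "revoked", not "unknown".
func (d *Directory) Revoke(pub ed25519.PublicKey) {
	d.revoked[hex.EncodeToString(pub)] = true
}

// Card stands in for the Mcard smart-card chip: the private key never leaves
// it; the host only ever receives signatures.
type Card struct{ priv ed25519.PrivateKey }

// IssueCard generates the key pair on (what would be) the chip and enrolls the
// public half in the directory; this is the card-distribution step.
func IssueCard(d *Directory, uniqname string) (*Card, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d.Enroll(uniqname, pub)
	return &Card{priv: priv}, nil
}

func (c *Card) Sign(challenge []byte) []byte { return ed25519.Sign(c.priv, challenge) }
func (c *Card) PublicKey() ed25519.PublicKey  { return c.priv.Public().(ed25519.PublicKey) }

// Authenticator stands in for the Cosign-side check: a fresh random challenge
// per login attempt, verified against the directory. Challenges are single
// use, so a captured response cannot be replayed.
type Authenticator struct {
	dir     *Directory
	pending map[string][]byte // uniqname -> outstanding challenge
}

func NewAuthenticator(d *Directory) *Authenticator {
	return &Authenticator{dir: d, pending: map[string][]byte{}}
}

func (a *Authenticator) Challenge(uniqname string) ([]byte, error) {
	if _, ok := a.dir.current[uniqname]; !ok {
		return nil, ErrUnknownUser
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	a.pending[uniqname] = c
	return c, nil
}

func (a *Authenticator) Verify(uniqname string, sig []byte) error {
	challenge, ok := a.pending[uniqname]
	if !ok {
		return ErrNoChallenge
	}
	delete(a.pending, uniqname) // consumed even on failure: no second try on the same nonce
	pub := a.dir.current[uniqname]
	if a.dir.revoked[hex.EncodeToString(pub)] {
		return ErrRevoked // looked up on every login, so revocation takes effect immediately
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	dir := NewDirectory()
	auth := NewAuthenticator(dir)
	card, _ := IssueCard(dir, "bjensen") // constructed sample uniqname
	ch, _ := auth.Challenge("bjensen")
	fmt.Println("login with issued card:", auth.Verify("bjensen", card.Sign(ch)))
	dir.Revoke(card.PublicKey())
	ch, _ = auth.Challenge("bjensen")
	fmt.Println("login after revocation:", auth.Verify("bjensen", card.Sign(ch)))
}
```

Two of the roadmap's process concerns appear directly in this flow. Revocation is a directory lookup performed on every login, so a lost card stops working as soon as the directory entry is updated, with no certificate or key cached on the verifying side. Card replacement is simply a new Enroll that supersedes the old key, after which the old card fails signature verification regardless of its revocation status. Whether revocation state lives in the directory, in a CRL, or behind an OCSP responder is exactly the logistical question the PKI barrier above refers to.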

Other Trends: Cell Phones

Although it might be surprising to many, cell phones have characteristics and features which could be used to support access functions. These characteristics and features include:

  • Each cell phone carries a globally unique identifier.
  • Many people already regularly carry cell phones with them wherever they go.
  • Cell phones contain significant computing power.
  • Cell phones can support technologies such as proximity services and global positioning.

It's not hard to imagine a person's cell phone automatically communicating with a door lock as the person approaches it. The door might unlock automatically when the person gets within a certain distance. The same might go for computer access. People's digital keys could be stored on their cell phone which is in their pocket, and as they log into the system, the cell phone could automatically exchange authentication information with the computer on which they are working.

While these scenarios are possible, it is not clear to us at this time when or how this functionality will evolve; therefore we have chosen to exclude cell phones from this roadmap at this time. As the University makes decisions regarding logical and physical access in the future, we believe cell phone trends should be taken into consideration, and that cell phone technology should be incorporated in this long-term vision as its use becomes clearer.

Future Uses of Smart Cards

In addition to physical and logical access, smart cards could eventually be used for financial transactions, to store personal information (such as health information) and other uses. As smart cards emerge on campus, a governance process will be needed to oversee the use of the cards and assure that the appropriate stakeholders can set priorities and influence the use of the cards on campus. This may need to include representation from staff, faculty, and students.
