CSS staff suggested that documentation be created to help users understand which MIT Touchstone authentication mechanism they should use, choose, or prefer. This page is being used to draft and refine that documentation. The page at https://idp.mit.edu/auth-options is intended to let users set their preference for which option will be used by setting a cookie in the user's browser. Because the preference is cookie based, it will normally apply only to that browser on that machine.

The https://idp.mit.edu/auth-options page also provides the user with the ability to test the authentication mechanisms prior to setting the preference. The page will be modified to include a link called "How to choose between these options". That link will include the information below.
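The preference cookie described above is set by the server and sent back by the browser on later visits, so it is only as trustworthy as the checks applied when it is read. The following is an added example, not MIT's code and not the actual implementation behind idp.mit.edu/auth-options: it writes the preference with the cookie attributes a server should use (Secure, HttpOnly, SameSite) and, when reading it back, accepts only the three option names the page describes. The cookie name, the option identifiers and the one-year lifetime are assumptions made for the example.

```python
"""Added example (not MIT's code): writing and reading a cookie-based
authentication preference such as the one idp.mit.edu/auth-options sets.
The cookie name, option identifiers and lifetime are assumptions."""
from http.cookies import SimpleCookie, CookieError

PREF_COOKIE = "touchstone_auth_pref"            # hypothetical cookie name
ALLOWED_OPTIONS = {"password", "tickets", "certificate"}  # the three pilot options
ONE_YEAR = 365 * 24 * 3600                       # assumed lifetime, in seconds


def build_preference_cookie(option):
    """Return a Set-Cookie header value that records the user's preference.

    Secure keeps the cookie off plaintext HTTP, HttpOnly keeps page scripts
    from reading it, and SameSite=Lax stops browsers sending it on
    cross-site POST requests.  Unknown option names are rejected up front.
    """
    if option not in ALLOWED_OPTIONS:
        raise ValueError("unknown authentication option: %r" % (option,))
    cookie = SimpleCookie()
    cookie[PREF_COOKIE] = option
    morsel = cookie[PREF_COOKIE]
    morsel["max-age"] = ONE_YEAR
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return morsel.OutputString()


def read_preference(cookie_header):
    """Parse a Cookie request header and return the stored preference.

    Returns None when the cookie is missing, malformed, or carries a value
    the server never issued, so a tampered cookie cannot select an
    unexpected mechanism; the caller then falls back to the choice page.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get(PREF_COOKIE)
    if morsel is None or morsel.value not in ALLOWED_OPTIONS:
        return None
    return morsel.value


if __name__ == "__main__":
    header = build_preference_cookie("tickets")
    print("Set-Cookie:", header)
    # A constructed request header, as the browser would send it back.
    print("preference:", read_preference("lang=en; " + PREF_COOKIE + "=tickets"))
    print("tampered:", read_preference(PREF_COOKIE + "=admin"))
```

The read side is where the security value sits: the preference only ever selects one of the three mechanisms the page offers, and anything else is treated as "no preference set".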


MIT Touchstone presents a set of choices that a person must make before they can go forward, but it does not give them criteria for making those choices. During the pilot, MIT Touchstone will offer MIT users the following three authentication mechanisms:

  • user ID and password
  • use existing tickets
  • an MIT certificate

User ID and Password

Although the username and password mechanism may be very convenient to use, it is also the mechanism most likely to lead to security concerns.

All users are familiar with web pages that prompt for a username and password. This method of authentication is ubiquitous throughout the world. A user should be able to use this mechanism on any computer in the world, be it their office machine, a machine at home, an internet cafe, a kiosk machine in a library, or even any cellphone with a web browser.

The problem is, this option also tends to cause the most security problems.

The MIT Touchstone system is designed to keep a user's password away from the web servers to which the user is authenticating. This means that we do not have to worry quite so much about the security of each and every web server a user might visit while using their MIT identity. When the user sends their password to the MIT Touchstone login server, the communication channel is encrypted with TLS, which protects the password from eavesdroppers in transit. However, this does not protect the user from every method of attack.

An internet cafe or a kiosk machine may be compromised and have a keystroke sniffer installed on it. In such cases a user who chooses MIT Touchstone's username and password authentication method will still expose their password to the machine where they are typing it, before the password ever has a chance to be encrypted for transmission.

If a user of this mechanism is not sure that they can completely trust the machine where the browser was running, the user should change their password at their next opportunity to use a properly secured machine. Users can change their password using a web browser or other native applications. Please see Changing Your Password for more details.

The other disadvantage of the username and password mechanism is that users may be tricked into visiting a different site that looks the same and entering their password there. This is commonly called a phishing attack. This type of attack has become very common throughout the world, though it is most frequently targeted at credit card users and users of online banking systems. If you feel that you have been the victim of a phishing attack that looked like the MIT Touchstone site, please contact MIT Stopit.

Use Existing Tickets

In many ways this is the most attractive option from a security perspective. However, it is only useful on a relatively small number of computer configurations. It is most useful to users of Athena and WIN.MIT.EDU, although it is not limited to those users.

Many users may not know whether they have Kerberos tickets. At its best, Kerberos is invisible: users may never know that they are using it.

Kerberos is included in Windows XP and Vista, Mac OS X, Solaris 9 and 10, and most recent Linux distributions. Using this option with MIT Touchstone also requires that the browser support the feature. It is supported by many of the major browsers, including IE6 and IE7, Mozilla since version 1.72b, Safari, and Firefox. However, Opera does not yet support this feature, nor do any phone based browsers.

There are two environments at MIT where this option is particularly attractive: the Athena computing environment and the WIN.MIT.EDU domain. In each of these environments a user initially logs into their workstation with their Kerberos username and password. When doing so the user obtains a Kerberos ticket-granting ticket (TGT), which can be used to obtain additional Kerberos tickets. This is ideal for the MIT Touchstone "use existing tickets" option. When the user chooses this preference, the user will no longer be presented with the MIT Touchstone login server page when trying to access a Touchstone enabled URL. Instead the system will simply perform the authentication quietly behind the scenes, and the user will have seamless access to the desired application.

In order to achieve this level of functionality the user will have to perform some initial browser configuration. Information about how to do that can be found at Browser Configuration for Kerberos Tickets.

From a security perspective this option is also quite attractive. This option should never prompt a user for their password; it will only use an existing TGT. If users are prompted for a password when using this option, they should not provide one. Receiving a prompt for a password when using this option may indicate that the user has not connected to the correct site and may be the victim of a phishing attack.

Another desirable feature of this mechanism is that Kerberos tickets have a limited lifetime. If an attacker is able to steal your tickets, the attacker should only be able to impersonate you for about 10 hours. This is very different from the exposure that can occur if someone steals your MIT certificate. MIT certificates are typically issued for a period of up to one year, which means that a thief may be able to impersonate your MIT identity for an extended period of time if they steal your certificate.
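The three paragraphs above make two checkable claims: the "use existing tickets" option works only when a valid TGT is already present, and a TGT's usefulness ends after roughly a working day. The following is an added example, not MIT's or the Kerberos project's own code: it parses the kind of output MIT Kerberos' klist prints, finds the TGT for a given realm, and reports how long it has left. A missing or expired TGT means the ticket option cannot succeed on that machine, so a password prompt in that situation is a reason to stop and check the site rather than a reason to type the password. The klist text is constructed for the example and uses the US date layout; real output varies by platform and locale, and the realm name is an assumption.

```python
"""Added example (not MIT's code): find the Kerberos TGT for a realm in
klist output and report its remaining lifetime.  The sample output is
constructed; real klist output varies by platform and locale."""
import re
from datetime import datetime

# Constructed sample in the MIT krb5 klist layout: a 10-hour TGT obtained
# at workstation login, plus a service ticket later obtained with it.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@ATHENA.MIT.EDU

Valid starting       Expires              Service principal
01/15/2008 08:02:11  01/15/2008 18:02:11  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
01/15/2008 08:05:40  01/15/2008 18:02:11  HTTP/idp.mit.edu@ATHENA.MIT.EDU
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"                   # US layout assumed
TICKET_RE = re.compile(
    r"^(?P<start>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<expires>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<service>\S+)$",
    re.MULTILINE,
)


def parse_tickets(klist_output):
    """Return (service principal, valid-from, expires) for each ticket line.

    Header lines ("Ticket cache:", "Valid starting ...") do not match the
    two-timestamp pattern and are skipped."""
    tickets = []
    for m in TICKET_RE.finditer(klist_output):
        tickets.append((
            m.group("service"),
            datetime.strptime(m.group("start"), TIME_FMT),
            datetime.strptime(m.group("expires"), TIME_FMT),
        ))
    return tickets


def tgt_seconds_left(klist_output, realm, now_text):
    """Seconds of life left in the TGT for `realm` at time `now_text`
    (same timestamp format as klist), or None if no usable TGT exists.

    The TGT is the ticket for krbtgt/REALM@REALM.  One that has expired or
    is not yet valid counts as absent: it cannot obtain further tickets."""
    now = datetime.strptime(now_text, TIME_FMT)
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for service, start, expires in parse_tickets(klist_output):
        if service == wanted and start <= now < expires:
            return int((expires - now).total_seconds())
    return None


def expect_silent_login(klist_output, realm, now_text):
    """True when the "use existing tickets" option should succeed with no
    prompt at all.  False means a password prompt cannot be the ticket
    mechanism working, since there is no TGT for it to use."""
    return tgt_seconds_left(klist_output, realm, now_text) is not None


if __name__ == "__main__":
    realm = "ATHENA.MIT.EDU"                      # assumed realm
    for when in ("01/15/2008 09:30:00", "01/15/2008 19:00:00"):
        left = tgt_seconds_left(SAMPLE_KLIST, realm, when)
        print(when, "TGT seconds left:", left,
              "silent login expected:", expect_silent_login(SAMPLE_KLIST, realm, when))
```

Run against a real cache you would feed it the text of `klist` instead of the constructed sample; the point of the check is that the answer is a property of the local ticket cache, which no web page can change.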

Use an MIT Certificate

MIT X.509 user certificates have been in use at MIT for web authentication since 1996. Today they remain the most common mechanism for MIT users to authenticate to a broad range of web applications at MIT. Certificates are supported by all of the major web browsers, and increasingly they are even supported by browsers on phones and other small mobile devices. Certificates also avoid many of the security concerns raised by the use of a username and password for web authentication.

However, certificates are not easily installed in many environments, such as a kiosk machine or an internet cafe. Installing certificates on machines that are shared between many users also raises issues, since certificates are typically issued with a relatively long lifetime. Users should normally obtain a certificate with a short lifetime if they are using certificates on a shared machine outside the Athena or WIN.MIT.EDU environments. Users should also pay attention to how certificates are stored on a shared machine and ensure that they are not accessible to other users of that machine.