Foto van een vrouw die een mobiele telefoon vasthoudt en achter haar laptop zit.
Case study

UU and HZ: Multi-factor authentication ensures low-threshold security of services behind SURFconext

SURFconext enables institutions to use their own multi-factor authentication (MFA) to secure access to cloud services. Users can use a single MFA system to access both internal services and those accessed via SURFconext. Machiel van Bokhoven and Peter Scheeren (UU) and Eddy van Loo (HZ) share their experiences.

"MFA is essential”

At both institutions, the need to secure services properly is strongly felt. "MFA is essential for institutions," says Van Loo (HZ University of Applied Sciences). "It is increasingly common for accounts to be hacked or taken down, as at Maastricht University for example. Accounts are of course secured by the username and password, but we see that the average user loosely handles this, for example by always using the same password. MFA makes accounts a lot safer."

MFA for services behind SURFconext can be turned on or off per service

Both institutions have their own MFA solution that is integrated in their own identity provider. In Zeeland this is Azure MFA, while Utrecht works with Micro Focus NetIQ. "We had already implemented our own solution a number of years ago, which enabled us to secure a large number of services," says Van Bokhoven (Utrecht University). "Until recently, it was not possible to secure SURFconext services in the same way. We wanted to make those services accessible too, but we didn't want to saddle users with a new MFA method. SURF's solution allows us to turn the option for MFA on and off for each service, which gives us a lot of freedom. When we saw that, we thought: we're going to use it.

Advantage of linking own MFA : not saddling users with an extra MFA method

What is the advantage of the MFA solution that the two institutions have now chosen? "We want to always offer the users the same solution for MFA," Scheeren (UU) says. "With this solution, it is no different for the users from when they access an internal UU service."

"This solution from SURF allows us to turn the option for MFA on and off for each service, which gives a lot of freedom."
Machiel van Bokhoven, Utrecht University

Apps and tokens as a second factor

Depending on the identity provider, the MFA solution can be implemented in different ways. In Utrecht, users can choose between the NetIQ app (recommended), another app such as Google Authenticator and a hardware token, the YubiKey (a USB stick). "Until recently, we also worked with SMS," adds Scheeren, "but we stopped doing that because of the costs." In Zeeland, too, most users get their authentication via an app; in addition, a hardware token is available, in this case a key ring that generates a code (`TOTP').  "It was a precondition for us that hardware token could be used for devices without USB input," says Van Loo. "This meant that SURFsecureID - SURF's MFA solution - was dropped as a possible MFA solution, because at that time, the hardware tokens it supported were all USB-based."

Implementation went smoothly

Both parties found that implementing the MFA link with SURFconext went very smoothly. "SURF has a wiki with information about this solution that is very clear, and we've also been in contact with SURF's technical team," says Van Bokhoven. "We did do a pilot, but actually it was clear with a few emails back and forth. It worked pretty quickly as it was supposed to." Van Loo also experienced few technical problems: "We first implemented Azure MFA in a pilot, separate from SURFconext. At some point we had that running, and then SURF offered to add the MFA application to the SURFconext link. All we have to do is indicate to SURF which services we want to apply MFA for, and they'll turn it on."

"All we have to do is indicate to SURF for which services behind SURFconext we want to apply MFA, and then they turn it on."
Eddy van Loo, HZ University of Applied Sciences

Number of services with MFA increasing

The number of services using MFA is steadily increasing at both institutions. "We now use the MFA solution for about six or seven services, for example for accessing research publications via SURFconext," says Scheeren. In the beginning, users were sometimes reluctant, but that has passed. Many lecturers and researchers who want to use a service already come up with a request for MFA themselves; we don't have to push that anymore." Van Loo also has good experiences: "We started with financial services and we gradually expanded the portfolio, for example with Osiris for our education administration. We are now working on Office 365 for staff, students can optionally use MFA. Eventually, you want to move towards a situation where as many services as possible are secured with MFA."

Both institutions indicate that it is very easy to switch a service on or off: "An e-mail to SURF is sufficient, then it is arranged within a day," says Van Bokhoven. "The option is not yet in the SURF dashboard, but we understand that is on the planning."

Users are positive

In both Zeeland and Utrecht, experiences so far have been positive. "The inconvenience for users is limited," says Van Loo. "Once you have logged in to a service that requires MFA and then you log in to another service, you don't have to re-enter a second factor. We see very little resistance, the experience in the organisation is very positive. All the media reports about hacking and ransomware have also contributed to this."

Van Bokhoven has also heard little criticism: "In terms of MFA, there is no difference between the services we offer via SURFconext and our other applications. The user experience is exactly the same."

"With this solution where you use your own MFA solution for services connected to SURFconext, it is no different for the users than if they were accessing an internal service."
Peter Scheeren, Utrecht University

Tips for institutions that have not yet implemented MFA

Finally, the interviewees have a tip for institutions that have not yet implemented MFA and want to take the step. Van Loo stresses the need for a pilot: "Start step-by-step, implement MFA via an DTAP (Develop, Test, Accept) environment. Van Bokhoven adds a very practical tip: "Contact SURF and see what the possibilities are. That can save you a lot of time."


Besides setting up MFA for services connected to SURFconext, whereby institutions can link up their own MFA solution, SURF also offers MFA as a service: SURFsecureID. As well as relieving you of the burden of all the infrastructure involved in using and administering tokens, an important advantage of this MFA solution is the higher level of reliability: SURFsecureID checks the identity of the user and the extra factor selected before the user is granted access to the service.

Read more about SURFsecureID

Foto van Thijs Kinkhorst

Thijs Kinkhorst


This article is relevant to