Extra protection for online services with a second factor
Extra security for sensitive data
Institutions are increasingly using services that involve sensitive data, such as eHRM, grade administration systems, student information systems and applications involving patent-sensitive research data or privacy-sensitive patient information. To cover the security risks, these services require stronger forms of login than just a username/password combination.
SURFsecureID adds an additional layer of security to the login process. After completing the standard username/password check, the user is only able to access the secure area once they have confirmed their identity through an extra step: an SMS text message, tiqr (smartphone app) or a Yubikey (USB key). Your services are thus secured by two different factors: something that the user knows and something that the user has. What's more, users can reuse this means of authentication to access multiple services both within and outside their own institution.
High level of assurance
SURFsecureID provides a higher level of assurance than other two-factor authentication solutions. SURFsecureID checks the identity of the user and the selected second factor before that factor can be used. Other solutions skip this step. As a result, SURFsecureID is more in line with international standards and security guidelines issued by the Dutch government and the EU.
Strong authentication for all your services
SURFsecureID is intended for services within the institution, cloud services not connected to SURFconext, and services that are connected to SURFconext.
Services within your institution and services not connected to SURFconext
In this case, SURFsecureID is used for the second factor only. This is of particular interest when combined with a central (authentication) facility such as ADFS, Citrix or F5 BIG-IP. The central facility handles the first factor itself and applies SURFsecureID for the second factor where necessary. The benefit of this option is that the institution can easily enable or disable SURFsecureID as required, for example for different services and/or groups of users.
Services connected to SURFconext
For these services, SURFsecureID can take care of the entire login process, i.e. both the first and second factor. The first factor check (username/password) is performed via the institution's IdP; the second factor check is performed via SURFsecureID. The service itself does not need to configure the two-factor authentication process and is free to choose which factor is required at what time in order to provide secure access.
What does this mean for users?
Your users must register their phone (via SMS or the tiqr app) or Yubikey USB key for their account on a registration portal. Then, the user must visit one of your institution's service desks to confirm their identity. Only then will the user's phone or USB key be activated. From that point on, the user can log in to any service that you have configured as requiring additional authentication using the two-step procedure.
SURF can help you with the SURFsecureID roll-out. We can share the experiences of other institutions and provide resources such as flyers and user guides to speed up the user registration process.
Who is it for?
SURFsecureID is available for all institutions connected to SURF. If you want to take advantage of SURFsecureID, please get in touch with us.
- Number of users < 1,000 = EUR 257 per month, excluding VAT
- Number of users 1,000-5,000 = EUR 460 per month, excluding VAT
- Number of users > 5,000 = EUR 1,126 per month, excluding VAT
- The number of users in an institution is determined based on the number of activated tokens.
- This is a flat-rate charge and includes 500 SMS text message transactions per month.
- Charges exclude the cost of tokens where relevant: for more than 500 SMS text message transactions a month, SURFnet charges EUR 0.055 per SMS text message on top of the monthly fee, and the purchase of Yubikey tokens is not included.
- Technical information about SURFsecureID on the wiki
- SURF-toolbox, a digital kit containing various ready-to-use communication tools for SURFsecureID