SURFsecureID: extra security for services with two-factor authentication
With SURFsecureID, you can secure access to online services better through two-factor authentication. Your users log in with a username, password and a second factor. This is an SMS or USB key. SURFsecureID is particularly important for services with sensitive data.
We increasingly use services with sensitive data, for example eHRM, grade input systems, student information systems and applications with patent-sensitive research data or privacy-sensitive patient information. For these services, you need stronger forms of login than just a username/password. This helps you to cover the security risks.
Login in 2 steps
With SURFsecureID, you can add an extra security step to your login. After checking username and password, users still need to confirm their identity with an additional step. This can be done via SMS, tiqr (smartphone app) or Yubikey (USB key). Only after that do they get access. This way, your services are doubly secure: with something the user knows and something the user has. The user can also use this additional authentication tool for multiple services inside and outside your institution.
High level of reliability
SURFsecureID offers you a higher level of reliability than other two-factor authentication solutions. SURFsecureID checks the identity of the user and the second factor chosen before it can be used. Other solutions skip this control. SURFsecureID is thus more in line with international standards and the security guidelines of the Dutch government and the EU.
Strong authentication for all your services
Use SURFsecureID for:
- Services that are operated within your institution
- Cloud services that are not linked to SURFconext
- Services linked to SURFconext
Services within your institution and services that are not linked to SURFconext
SURFsecureID is only used for the second factor. This is especially interesting if you also use a central (authentication) facility such as ADFS, Citrix or F5 BIGIP. The advantage of the latter option is that your institution can easily and flexibly switch SURFsecureID on or off. This allows you to serve different services and/or groups of users. This facility then handles the first factor itself and, if necessary, uses SURFsecureID for the second factor.
Services linked to SURFconext
For these services, SURFsecureID can handle the entire login, i.e. both the first and the second factor. The first factor (username/password) is handled via the institution's IdP, the second factor via SURFsecureID. Within the service itself, there is no need to set up two-factor authentication; you can choose which factor is needed for secure access, and when.
What does it mean for users within your institution?
Your users themselves register their phone (via SMS or the tiqr app) or Yubikey USB key for their account on a registration portal. The user then has to visit a service desk of your institution once to have their identity checked. Only then is the phone or USB key active. From that moment on, the user logs in with 2 steps to all services for which you have enabled extra authentication.
We can assist you in rolling out SURFsecureID in your institution. For example, by showing you how other institutions managed. We also have communication tools that help you register users quickly, such as flyers and manuals.
Who's it for?
SURFsecureID is available for all institutions connected to SURF. Do you want to get started with SURFsecureID? Please contact us.
Advantages of SURFsecureID
- 1 access solution via a trusted partner
- Highly reliable IDs
- All data stored in the Netherlands
- No vendor lock-in
- Open standards and open source
- Number of users < 1,000 = 257 euros per month, excluding VAT
- Number of users 1,000-5,000 = 460 euros per month, excluding VAT
- Number of users > 5,000 = 1,126 euros per month, excluding VAT
- The number of users within an institution is determined on the basis of the number of authentication means activated.
- The rate involves a flat fee and includes 500 SMS transactions per month.
- Rates do not include the cost of tokens: for more than 500 SMS transactions per month, SURFnet charges 0.055 euros per SMS in addition to the monthly fee, and Yubikey tokens are purchased separately.
- Technical information about SURFsecureID in the wiki
- SURF Toolbox, a digital kit with various ready-to-use communication tools for SURFsecureID
This is an optional SURF service.