SURFsecureID: extra security for services with two-factor authentication

SURFsecureID makes access to online services more secure through multi-factor authentication. Users log in with a user name and password and with a second factor: an SMS, a USB key, a mobile app (tiqr) or their Microsoft token. SURFsecureID is highly suitable for services involving sensitive data, and for preventing abuse of accounts.

hand raakt iPad aan

Innovating SURFsecureID

How do you verify identity remotely? How do you combine SURFsecureID and MS Azure multifactor authentication (MFA)? We have investigated several solutions. In 2020 we are working on a proof of concept 'Remote Identification' and running a pilot 'Azure MFA as an authentication tool'.

Remote identification

How do you check identities remotely? Very relevant if you can't pass a service desk yourself to get identified, for example when working abroad. Fortunately, identification can be done remotely or online in different ways. We call this remote vetting. We had the nfc-app, iDIN and IRMA researched on their advantages and disadvantages. In 2020 we will look at a proof of concept to see how we can integrate these into SURFsecureID.

Combining SURFsecureID and Microsoft Azure Multi-Factor Authentication

Institutions that want to shield applications with two-factor authentication (2FA) doubt SURFsecureID or deploy MS Azure Multi-Factor Authentication (MFA). They want their users to use only one 2FA tool, or are uncertain about applications that are linked to Azure Active Directory in combination with SURFsecureID.

One 2nd factor for the user

Azure MFA and SURFsecureID each support different types of 2FA resources. For users this is awkward and confusing. For example, for one application you have the Microsoft Authenticator app and for another you have the tiqr app.

We want an institution to use both Azure MFA and SURFsecureID, with only one 2FA resource. If you use one of the Azure MFA tools (such as the Microsoft Authenticator app), you can also register this tool in SURFsecureID. This way you only have one 2FA resource that you use for Azure MFA or SURFsecureID.

Want to read more? Peter Clijsters wrote the blog "Combining SURFsecureID and Microsoft Azure MFA" (in Dutch).

Testing Azure MFA as an authentication tool?

You can now test Azure MFA as an authentication tool! We would like to hear if it meets your expectations, and investigate if there are specific ADFS or Azure MFA configurations we should pay attention to. Want to help?

Help out with testing

Stronger two-factor authentication with FIDO2 token

SURFsecureID adds login with a physical FIDO2 token to two-factor authentication. A hardware token makes login more secure by the extra security layer next to a password and works with usb, nfc, or bluetooth. All your login details are safe on this layer and it strengthens your identity. Activate your token and log in.

Secure login

FIDO2 keys use public key cryptography: the server where you log in only stores a non secret key. The secret key is secured with special hardware. For authentication, only this secret key digitally signs messages to the server. The non secret key known on the server checks the authenticity of the signatures in these messages, but cannot generate signatures itself.

And Phising?

You are automatically protected against phishing when you log in with an FIDO2 token. When you register on a particular website, your token generates a public/private key pair specifically for that site. If you log in later with the same token, the browser ensures that the same key is used as the one you registered with. The server can then check whether a phishing site is active.

What to do next

Logging in with an FIDO2 token is safer, easier, more widely supported and more affordable. There is plenty of choice in tokens and increasingly better support in browsers. Still we have to wait for support on websites and improvement of credential management on these tokens. Soon that will change!

Read more about logging in with two factor authentication and a FIDO2 token in the blogpost of Joost.