Authentication

A user, accessing a service must first authenticate at the IdP to prove his or her identity. The edu-ID service currently supports the following authentication methods

1. Password authentication
2. SPNEGO+Kerberos authentication

It is planned to support new passwordless authentication methods with using FIDO2 tokens over WebAuthn protocol in the near future.

Password Authentication

SWITCH edu-ID Password Requirements

• Minimum password length: 10 characters
• Commonly used passwords are forbidden. New prospective passwords are checked against various lists of common passwords
  • check against locally stored list of common passwords (>40'000 words).
  • online check against Pwned Passwords via k-anonymity API (>500 million leaked passwords)

SWITCH edu-ID does not enforce ineffective password limitations. It almost entirely follows the NIST recommendations for memorized secrets (passwords). No periodic password change is required.
The only complexity requirement is that at least two character classes (lowercase letters, uppercase letters, numbers, punctuation) must be present in the password.

Recommendations to Users of SWITCH edu-ID

• Choose a long password (> 15 chars). Read these hints.
• Don't re-use a password across multiple websites
  • Use a password manager (like LastPass, PassSafe, 1Password or KeePass) or
  • use a password scheme

To protect your accounts from phishing and other unauthorized access it is strongly recommended to activate two-step login.

See also Password Policy

SPNEGO+Kerberos Authentication

With SPENGO+Kerberos authentication, the SWITCH edu-ID IdP trusts the Windows PC authentication. This means that a user who has logged in on a Windows PC does not have to log in again on the edu-ID IdP.

SPNEGO+Kerberos authentication is currently under development.

SPENGO+Kerberos Login Flow

1. The user has logged on to Windows on the PC.
2. The user calls an AAI service in the browser and must log on to the IdP.
3. The user chooses to log on with the Windows logon data.
4. The IdP asks the browser to present a Kerberos ticket valid for Windows logon.
5. The IdP checks the ticket and accepts it for authentication.
6. No need to enter username and password.