What are the concerns from publishers or libraries about IP authentication? What are trends in authentication systems for enabling remote access to library resources?
From the earliest years of electronic journals, libraries have relied on IP network address recognition as a pragmatic mechanism for identifying authorized users. Reliance on network addresses works relatively well to associate a user with an institution that subscribes to a restricted resource. IP address recognition basically assumes that if a device resides on the campus network, anyone using that device should be allowed to access resources with subscriptions associated with that institution.
This method requires institutions to provide each of their content vendors with a comprehensive list of the IP address ranges associated with their campus. An institution may also provide address ranges for specific departments or schools that independently purchase resources not available to the entire campus.
The process of transmitting IP address ranges to vendors can be complex, given the large number of potential vendors involved and the instability of IP addresses. Technical reconfiguration or expansion of campus network equipment can change the IP address ranges. Some libraries make use of third-party services, such as RedLink, to manage the transmission of IP address ranges to vendors (see https://www.redlink.com).
Authorizing access to resources by IP network address offers some privacy protection, but it has clear limitations.
- It provides some anonymity to users, especially on networks with dynamically allocated IP addresses, the predominant practice. Because a device may receive a different IP address each time it restarts, it is difficult to trace a search or the access of a document to a specific individual.
- Even with static IP addresses, it identifies a device, not an individual, and behind network address translation a single address may front many devices. This characteristic can also be a benefit since it enables access to walk-in users.
- IP addresses can be spoofed. With available software tools, it is possible to forge packets that carry a trusted source address even though they originate from an unauthorized machine. Against web-based resources this is a limited threat in practice, because retrieving content over TCP requires receiving the server's replies, which are sent to the spoofed address; the more realistic risk is an attacker who gains a foothold on the campus network, for example through a compromised device or an open proxy, and thereby inherits its addresses.
While IP authentication works relatively well for users with devices residing on campus, remote use introduces additional complications. The common approaches to enabling individuals to access IP-restricted resources from off site are Virtual Private Networks (VPNs) and proxy services. A VPN inserts an off-site device into the institutional network: it establishes an encrypted tunnel between the user's remote computer and a VPN server inside the institutional network, and once the session is active the device's traffic leaves the campus with an authorized IP address. A proxy server achieves a similar result at the application layer. The user signs in to the proxy, which fetches pages from the restricted resource on the user's behalf and rewrites the URLs in those pages so that subsequent requests also flow through the proxy's own domain name and IP address; the publisher only ever sees the proxy's campus address.
EZproxy from OCLC (https://www.oclc.org/ezproxy) has been widely implemented by libraries for this purpose. It can be installed on a server within the institution's network or run as a service hosted by OCLC. OCLC recently announced that it will offer EZproxy as a hosted service only for new sites, but will continue to provide upgrades and support for both local and hosted installations. OCLC also offers EZproxy Analytics, which captures use statistics and generates reports.
Proxy services and VPNs require some form of authentication before they will serve a remote user. In most cases they defer to the institutional authentication service, prompting the user for a username and password or other credentials. EZproxy, for example, supports all the major authentication methods, including LDAP (Lightweight Directory Access Protocol), SAML (Security Assertion Markup Language, including Shibboleth), CAS (Central Authentication Service), and SIP2 (Standard Interchange Protocol, which validates a patron's credentials against the integrated library system).
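The following is an added example that models the URL-rewriting behaviour described above; it is not OCLC code and does not reproduce EZproxy's exact hostname-encoding rules. The proxy domain (proxy.example.edu), the proxied publisher host (journals.example.com), the login URL form and the session check are all assumed for illustration. It shows the two halves of a rewriting proxy: turning publisher links into proxy links so the browser keeps coming back through the proxy, and, on each incoming request, refusing to fetch anything upstream until the user has an authenticated session.

```python
"""Toy model of a rewriting proxy in the EZproxy style.

Added example; it is not OCLC code and does not reproduce EZproxy's exact
hostname-encoding rules.  All hostnames (proxy.example.edu,
journals.example.com) and the session check are assumed for illustration.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

PROXY_DOMAIN = "proxy.example.edu"                 # assumed proxy hostname
LOGIN_PREFIX = f"https://login.{PROXY_DOMAIN}/login?url="

# Only hosts the library has configured are proxied; everything else is
# left alone (EZproxy does the same with its per-resource config stanzas).
PROXIED_HOSTS = {"journals.example.com", "www.journals.example.com"}


def login_url(target: str) -> str:
    """Link placed in the catalogue: the proxy authenticates the user first,
    then redirects to the rewritten form of ``target``."""
    return LOGIN_PREFIX + target


def to_proxy_host(host: str) -> str:
    """Encode an origin hostname into a proxy-by-hostname label, e.g.
    journals.example.com -> journals-example-com.proxy.example.edu.
    Existing hyphens are doubled so the mapping is reversible."""
    return host.replace("-", "--").replace(".", "-") + "." + PROXY_DOMAIN


def from_proxy_host(host: str) -> Optional[str]:
    """Inverse of to_proxy_host; None if the host is not under the proxy."""
    suffix = "." + PROXY_DOMAIN
    if not host.endswith(suffix):
        return None
    encoded = host[: -len(suffix)]
    return re.sub(r"-(-)?", lambda m: "-" if m.group(1) else ".", encoded)


def rewrite_url(url: str) -> str:
    """Point an absolute URL at the proxy if its host is a proxied resource."""
    p = urlsplit(url)
    if p.hostname not in PROXIED_HOSTS:
        return url
    return urlunsplit(("https", to_proxy_host(p.hostname), p.path, p.query, p.fragment))


_ABS_LINK = re.compile(r'(href|src)="(https?://[^"]+)"')


def rewrite_html(body: str) -> str:
    """Rewrite links in a page fetched from the publisher so that the
    user's next click also travels through the proxy."""
    return _ABS_LINK.sub(lambda m: f'{m.group(1)}="{rewrite_url(m.group(2))}"', body)


def handle_request(host: str, path: str, has_session: bool) -> dict:
    """Model of the proxy's decision for one incoming request.

    The upstream fetch, when it happens, originates from the proxy's own
    campus address, which is all the publisher ever sees.
    """
    origin = from_proxy_host(host)
    if origin is None or origin not in PROXIED_HOSTS:
        return {"status": 404}
    if not has_session:                       # unauthenticated: send to login
        return {"status": 302, "location": login_url(f"https://{origin}{path}")}
    return {"status": 200, "fetch": f"https://{origin}{path}"}


if __name__ == "__main__":
    # Constructed publisher page, not a real response.
    page = ('<a href="https://journals.example.com/article/42">Article</a>'
            '<script src="https://cdn.example.net/app.js"></script>')
    print(rewrite_html(page))
    print(handle_request("journals-example-com.proxy.example.edu", "/article/42", False))
    print(handle_request("journals-example-com.proxy.example.edu", "/article/42", True))
```

Note that links to hosts outside the configured set are left untouched: a proxy that rewrote and fetched arbitrary URLs for anyone would itself be an open proxy of the kind discussed below.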
Proxy servers provide reasonable confidence that the user comes from an authorized institution. But they can also be vulnerable to misuse:
- An open proxy provides access to restricted resources without requiring authentication, usually as a result of misconfiguration. The same effect arises from an unauthorized proxy that an individual sets up on a campus device to reach resources from outside; such an unofficial or clandestine proxy also exposes the campus network itself.
- Individuals may share usernames and passwords, enabling unauthorized access to restricted resources. Previously compromised passwords, social engineering, or intentional sharing can lead to wholesale access to restricted resources. Stolen or borrowed credentials can be used for large-scale extraction of content that may then be ingested into sites such as Sci-Hub. The publishing industry considers Sci-Hub to violate intellectual property laws and regards it as a major threat to its business model. Many publishers monitor their document delivery sites for suspicious high-volume activity and may temporarily disable access for an entire institution until the open proxy or other source of leakage has been resolved. Because the publisher sees only the proxy's IP address, such a block affects every user of the institution, and the library must turn to its own proxy logs to identify the account or session responsible.
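The following is an added example, not OCLC code, of the kind of check a library can run over its own proxy logs to find the two patterns above before a publisher does: one account fetching full text far faster than a person reads, and one account appearing from many addresses in a short period. The log lines are constructed to match EZproxy's default Apache-style log format (client address, username, timestamp, request line, status, bytes); the hostnames, usernames and thresholds are assumed.

```python
"""Detection of bulk downloading and credential sharing in EZproxy-style logs.

Added example; it is not OCLC code.  The log lines are constructed to match
EZproxy's default Apache-like LogFormat (%h %l %u %t "%r" %s %b); the hosts,
usernames and thresholds are assumed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
FULLTEXT = re.compile(r"\.pdf(\?|$)|/pdf/", re.IGNORECASE)   # full-text URLs


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(lines, pdf_limit=40, pdf_window=timedelta(minutes=10),
            ip_limit=3, ip_window=timedelta(hours=1)):
    """Flag users who (a) fetch more than pdf_limit full-text items within
    pdf_window, the pattern publishers react to, or (b) appear from more than
    ip_limit distinct addresses within ip_window, a sign of a shared or
    stolen account.  Lines are assumed to be in chronological order."""
    pdf_times = defaultdict(deque)      # user -> timestamps of recent PDFs
    ip_seen = defaultdict(list)         # user -> [(ts, ip)]
    alerts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        user, ts = rec["user"], rec["ts"]
        ip_seen[user].append((ts, rec["ip"]))
        recent_ips = {ip for t, ip in ip_seen[user] if ts - t <= ip_window}
        if len(recent_ips) > ip_limit:
            alerts[user].add("shared-credential")
        if FULLTEXT.search(rec["url"]):
            q = pdf_times[user]
            q.append(ts)
            while q and ts - q[0] > pdf_window:   # drop PDFs outside the window
                q.popleft()
            if len(q) > pdf_limit:
                alerts[user].add("bulk-download")
    return {u: sorted(r) for u, r in alerts.items()}


def _line(ip, user, ts, url, status=200, size=51234):
    return f'{ip} - {user} [{ts.strftime(TS_FMT)}] "GET {url} HTTP/1.1" {status} {size}'


def sample_log():
    """Constructed log: one normal user, one scraper, one shared account."""
    base = datetime(2024, 3, 12, 10, 0, 0, tzinfo=timezone(timedelta(hours=-5)))
    events = []
    for i in range(3):                      # jsmith: 3 PDFs over an hour
        events.append((base + timedelta(minutes=20 * i), "203.0.113.7", "jsmith",
                       f"https://journals.example.com:443/article/{i}.pdf"))
    for i in range(60):                     # scraper: 60 PDFs in 5 minutes
        events.append((base + timedelta(seconds=5 * i), "198.51.100.9", "scraper",
                       f"https://journals.example.com:443/article/{1000 + i}.pdf"))
    for i, ip in enumerate(["192.0.2.10", "192.0.2.77", "203.0.113.200", "198.51.100.44"]):
        events.append((base + timedelta(minutes=7 * i), ip, "shared",   # 4 IPs in 21 min
                       "https://journals.example.com:443/search?q=x"))
    events.sort()
    return [_line(ip, user, ts, url) for ts, ip, user, url in events]


if __name__ == "__main__":
    for user, reasons in analyze(sample_log()).items():
        print(user, reasons)
```

The thresholds are deliberately generous; in practice they should be tuned against a baseline of normal use for the institution, and distinct-address counts are more meaningful when combined with geolocation, which is omitted here so that the example runs offline.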
While IP address recognition remains in wide use in the library sphere, most organizations rely on other mechanisms for authentication. Staff access to institutional systems requires much more rigorous authentication. Business and consumer services today use stringent sign-in methods, employing cryptographic technologies and protocols designed to withstand sophisticated attempts at circumvention. Institutional authentication services are often built on directory products such as Microsoft Active Directory.
Two-factor authentication is increasingly implemented. It requires a second layer of confirmation beyond the password, such as a code sent to a mobile phone or email address, a code generated by an authenticator app, or a hardware security key. Even if a username and password combination is compromised, it cannot be used unless the intruder also controls the second factor. The factors are not equally strong: codes delivered by SMS or email can be intercepted or phished along with the password, whereas hardware keys using FIDO2/WebAuthn bind the login to the genuine site and resist phishing.
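To make the second factor concrete, the following added example (not code from any product) implements the time-based one-time password scheme of RFC 6238 that authenticator apps use, together with the server-side check. It goes slightly beyond the SMS and email codes mentioned above: the code is derived from a shared secret and the clock rather than sent over a channel, so there is nothing for an attacker to intercept in transit, and the verifier records the last accepted time step so that a code captured during its 30-second validity cannot be replayed. The secret is the RFC 6238 test-vector key; the user names and the verifier's bookkeeping are assumed.

```python
"""Time-based one-time passwords (RFC 6238) as used by authenticator apps.

Added example, not code from any product.  The secret is the RFC 6238
test-vector key; the user names and the verifier's bookkeeping are assumed.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check with a small clock-skew window and replay protection:
    a counter value already accepted for a user is never accepted again, so a
    code observed in transit cannot be reused while it is still valid."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter = {}          # user -> highest accepted counter

    def verify(self, user: str, secret: bytes, submitted: str, at_time=None) -> bool:
        if at_time is None:
            at_time = time.time()
        counter = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self._last_counter.get(user, -1):
                continue                                   # replay or stale step
            expected = hotp(secret, c, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self._last_counter[user] = c
                return True
        return False


SECRET = b"12345678901234567890"   # RFC 6238 SHA-1 test-vector key

if __name__ == "__main__":
    print(totp(SECRET, 59))        # 287082, the RFC 6238 value for T=1
    v = TotpVerifier()
    print(v.verify("alice", SECRET, totp(SECRET, 59), 89))   # True: one step late
    print(v.verify("alice", SECRET, totp(SECRET, 59), 89))   # False: replayed
```

The window of one step on either side tolerates modest clock drift between the phone and the server; widening it increases the number of codes an attacker could guess or replay, which is why the verifier also refuses to accept any step it has already accepted.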
Academic campuses and corporations typically implement single sign-on environments, where an individual can gain access to all major applications without having to reenter usernames and passwords. In the library arena, it is expected that an integrated library system, discovery services, and other major applications interact with institutional authentication services rather than maintaining their own database of passwords. Proxy services likewise would rely on the institutional authentication service as they enable a user to gain access to IP-restricted resources. Protocols such as Kerberos, LDAP, or CAS can be implemented to enable diverse applications to operate with the institutional authentication service.
Looking beyond authentication within a single institution, many scenarios require authentication of individuals across organizations. For example, Organization A wants to provide access to a resource to an individual from Institution B. Instead of authenticating the Institution B user itself, Organization A only needs assurance that the user has properly signed into Institution B's environment. This framework of federated authentication relies on a set of technical protocols, usually SAML, implemented among trusted institutions.
Federated authentication represents a modern and scalable model for enabling access to restricted resources. Educational institutions and publishers can establish trusted relationships among their authentication environments. Based on SAML protocols, a publisher can provide access to resources to authenticated individuals associated with trusted institutions without the need for IP address recognition.
A broad group of stakeholders, including NISO, scholarly publishers, and libraries, have collaborated to produce an implementation of federated authentication branded as SeamlessAccess (see https://seamlessaccess.org). SeamlessAccess builds on RA21: Resource Access for the 21st Century (see https://ra21.org) and the NISO document “Recommended Practices for Improved Access to Institutionally-Provided Information Resources”. Based on SAML, SeamlessAccess enables service providers, such as scholarly publishers, to interoperate with the authentication services of individual universities, either directly or through identity federations such as OpenAthens (https://www.openathens.net) or InCommon (https://www.incommon.org).
SeamlessAccess and other SAML implementations raise concerns for patron privacy. In a federated authentication environment, selected attributes about the user are passed from the institution's identity provider to the service provider. To protect the privacy of individuals accessing resources, the exchange should be limited to general descriptive attributes, such as an affiliation (student, faculty, member), and exclude personally identifiable information such as email address, name, or any unique identifier. The set of attributes released is not fixed by the protocol; it is configured by the identity provider, typically per service provider. One concern is that attribute release policies set at the institutional level may be inconsistent with library privacy values. A further subtlety is that a pseudonymous identifier, which some publishers request to support personalization, lets the publisher recognize a returning user without learning who they are, but still lets it link that user's sessions over time. SeamlessAccess was designed to respect privacy, though the outcome depends on how each institution implements it.
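The following added example shows what per-service-provider attribute release looks like on the identity-provider side and what the service provider then actually receives. It is not SeamlessAccess, Shibboleth or InCommon code. The user record, the service-provider entityIDs, the release policy and the salt are constructed; real assertions are also signed, which is omitted here. The publisher entry in the policy releases affiliation plus a pairwise pseudonym, a simplified version of the eduPersonTargetedID identifier federations use, to show the difference between that and releasing no identifier at all; the default for an unknown service provider is affiliation only.

```python
"""Attribute release for a SAML identity provider, in the style of the
per-service-provider filtering an institution configures.

Added example; it is not SeamlessAccess, Shibboleth or InCommon code.  The
user record, entityIDs and salt are constructed; real assertions are also
signed, which is omitted here.  The pairwise identifier is a simplified
version of the pseudonymous identifiers (eduPersonTargetedID) federations use.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Standard attribute names (OIDs) as carried in SAML assertions.
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"    # eduPersonScopedAffiliation
PRINCIPAL = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"      # eduPersonPrincipalName
TARGETED_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"   # eduPersonTargetedID
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"          # mail
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"  # displayName

IDENTIFYING = {PRINCIPAL, MAIL, DISPLAY_NAME}        # name a person directly

# Release policy keyed by service-provider entityID (all hypothetical).
# A publisher gets affiliation plus a pairwise pseudonym; an internal HR
# system is allowed identifying attributes; anyone else gets affiliation only.
RELEASE_POLICY = {
    "https://publisher.example.com/shibboleth": {AFFILIATION, TARGETED_ID},
    "https://hr.example.edu/sp": {AFFILIATION, PRINCIPAL, MAIL, DISPLAY_NAME},
}
DEFAULT_RELEASE = {AFFILIATION}

# Constructed user record as an IdP's attribute resolver would produce it.
USER = {
    "uid": "jsmith",
    AFFILIATION: ["member@example.edu", "student@example.edu"],
    PRINCIPAL: ["jsmith@example.edu"],
    MAIL: ["jane.smith@example.edu"],
    DISPLAY_NAME: ["Jane Smith"],
}
SALT = b"idp-secret-salt-constructed"   # assumed; kept secret by the IdP


def pairwise_id(uid: str, sp_entity_id: str, salt: bytes) -> str:
    """Stable for one user at one SP, different at every other SP, and not
    reversible without the salt, so SPs cannot correlate users between them."""
    mac = hmac.new(salt, f"{sp_entity_id}!{uid}".encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def release(user: dict, sp_entity_id: str, salt: bytes) -> dict:
    """Apply the release policy for one SP to the resolved attributes."""
    allowed = RELEASE_POLICY.get(sp_entity_id, DEFAULT_RELEASE)
    out = {name: vals for name, vals in user.items() if name in allowed}
    if TARGETED_ID in allowed:
        out[TARGETED_ID] = [pairwise_id(user["uid"], sp_entity_id, salt)]
    return out


def build_assertion(released: dict, issuer="https://idp.example.edu/idp/shibboleth") -> str:
    """Serialize an (unsigned) AttributeStatement: what the SP receives."""
    ET.register_namespace("saml", SAML)
    root = ET.Element(f"{{{SAML}}}Assertion", {"Version": "2.0"})
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    stmt = ET.SubElement(root, f"{{{SAML}}}AttributeStatement")
    for name, values in released.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {
            "Name": name, "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
        for v in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    return ET.tostring(root, encoding="unicode")


def parse_attributes(assertion_xml: str) -> dict:
    """SP-side view: attribute names and values actually present."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}


def identifying_attributes(attrs: dict) -> list:
    """Audit helper: which released attributes identify the person."""
    return sorted(name for name in attrs if name in IDENTIFYING)


if __name__ == "__main__":
    for sp in ("https://publisher.example.com/shibboleth", "https://hr.example.edu/sp"):
        received = parse_attributes(build_assertion(release(USER, sp, SALT)))
        print(sp, sorted(received), "identifying:", identifying_attributes(received))
```

Running the audit helper over what each service provider receives is the check a library would want when reviewing an institution's release policy: the publisher should come back with no identifying attributes, and any pseudonym it does receive should differ from the one issued to every other service provider.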
While federated authentication gains momentum, IP recognition continues to be widely used for access to subscription-based library resources. The move to modern federated authentication has strong support among large publishers, which are especially interested in more scalable methods of controlling access to their services. Access based on IP address recognition takes considerable effort to sustain; even so, shifting to any new approach will be a slow process. Today SeamlessAccess is well positioned as the way forward.
Yet small publishers may not have the technical capacity to make such a change. Universal support for federated authentication will take many years to develop. Likewise, IP address recognition has become deeply entrenched in library processes. It will likely continue to have a major presence in the library resource ecosystem for a long time to come.