MIT Case Study Notes Paul B. Hill Technical and Policy Requirements for Authentication Arising in Interboundary Work MIT Case Study Notes Paul B. Hill

Setting context MIT is a private institution We don’t have a medical school… We are a Sakai partner… We have one Kerberos realm that is accepted by the financial system … Virtually all users have X.509 certificates… We have researchers at many medical schools and hospitals But the business school created its own LMS X.509 certificates are used for web authentication. Not for SMIME, not for long term encryption, not for VPN authentication, not for PKINIT, no use of tokens for multifactor authentication 9/11/2019 2

Kerberos is Primary authentication for… Initial login on many machines Email IM (Jabber and Zephyr) SAP financial system File systems Remote shells All Library Journals MIT theses (non-MIT personnel are charged for access) WebSIS – Online Student Information System Lotteries – Campus ‘lotteries’ e.g., Housing, Phys.Ed. Obtaining an MIT user certificate Educational discounts for computer purchases Access to MIT-only web pages Ability to download MIT licensed software Sloan’s web portal 9/11/2019 3

Identifiers at MIT MIT ID card MIT ID number Athena Kerberos principal name X.509 certificates for users UUID WIN SID WIN Kerberos principal name IDs created by Departments, Labs, and Centers (DLCs) 9/11/2019 4

Who can get an MIT ID card? Incoming Students Special and Cross-Registered Students Employees Spouses and Partners Alumni Visiting Scholars and Post-Doctoral Associates Unofficial Members of the MIT community E.g. contractor http://web.mit.edu/mitcard/getcard.html 9/11/2019 5

Who can get an MIT ID number? Issuers Human Resources Registrar IS&T Accounts office Students, Faculty, Staff, Contractors, Visiting Scholars, Post-Doctoral Associates, Affiliates, Contractors, Guests 9/11/2019 6

What is an MIT ID number The MIT ID number is a unique identifier for people in MIT Information Technology (I/T) systems. Having an MIT ID number does not in itself provide any status, relationship, access, responsibility, or privileges. These are conferred and defined by the Institute business processes for which I/T systems exist. Thus who has an MIT ID number is defined by the MIT businesses. The system of record of all MIT ID numbers is the MIT ID server operated by IS&T. 9/11/2019 7

Who can get an Athena Kerberos ID? All MIT community members (faculty, students, and staff) are entitled to have a Kerberos ID. If you know your MIT ID number, you can obtain a Kerberos ID via the web “A sponsored guest account is required for voucher or temp staff, former students or staff who are no longer eligible but need continuing access to their account, as well as visitors who need an MIT electronic identity” Account can be sponsored by any current member of the MIT faculty or staff, but not students Guest accounts are valid for up to 2 years and easily renewed 9/11/2019 8

Sponsoring a guest account 9/11/2019 9

Deactivation MIT ID cards expire MIT ID numbers are immutable and do not expire Athena Kerberos principal names do get deactivated 9/11/2019 10

How Kerberos IDs are deactivated Automatically in January after the graduation of a student in the prior year. Manually when notice is received from HR that an employee has been terminated. Manually when a guest’s sponsor does not respond to a renewal request. Almost never for faculty. 9/11/2019 11

Existing Kerberos demographics on campus (2005) Current (MIT Fact Book ‘05) Number with Kerberos IDs Faculty 983 2473 Staff 9780 11156 Undergrad 4136 4697 Grad 6184 6777 Guest -- 2415 Other* 988 Total of 28,506 IDs as of 2/13/2005 9/11/2019 12

*other Other includes vouchers/temp (308), system accounts (245), pre-frosh (142), random project staff (214), etc. 9/11/2019 13

Re-use or re-assignment MIT ID numbers do not get reassigned MIT ID numbers should get re-used by the same person (transitions or returns) Kerberos names used to get re-used and re-assigned, they no longer do 9/11/2019 14

Identity at MIT People who have MIT Kerberos IDs – 28,500 [Ovals not to scale] People who have MIT Kerberos IDs – 28,500 People who are MIT employees, students, or “official” visitors – approx. 21,000 Small number of people who probably exist but we don’t know about (maybe null set) Approx. 3400 people who are “sponsored” but with unknown affiliation Hundreds of graduate students, plus a few staff who never got Kerberos IDs Former students, staff, etc. who still have Kerberos IDs – approx 2500 People who have MIT ID numbers (includes former students, spouses, alums, etc.) – 113,800 9/11/2019 15

Getting started at MIT…post-docs and employees MIT ID number Your ID number is automatically generated when Human Resources processes the paperwork for your appointment. Your appointment papers are handled by the department/lab/center where you will be working. Account registration page will ask these users for their MIT ID number and their name 9/11/2019 16

Getting started at MIT …students Student receives “MIT Kerberos / Athena Account Coupon” upon acceptance. An assigned MIT ID number Six unique keywords that the student will use to initially authenticate to the registration server Instructions on how to use this information with the registration service to obtain a Kerberos principal name and choose a password 9/11/2019 17

Getting started at MIT…guests Sponsor submits name, reason, and birth date to accounts office. Guest is provided with MIT ID number and directed to account registration page User is prompted for name and MIT ID number 9/11/2019 18

Practices Password expiration – we don’t on most accounts Password reset Photo ID in person at the account office Self service via web form Exceptional cases have been done over the phone Password analysis and policy KDC evaluates the password (dictionary, history) https://wserv.mit.edu/fcgi-bin/cpw 9/11/2019 19