1. Authentication - an overview of Hybrid Library requirements Jonathan Eaton eLib Concertation Day - Authentication 10th March 1999 Project HeadLine

2. Presentation Overview u Why access control is problematic for all electronic information ‘stakeholders’ u Understanding different access needs u Criteria for authentication initiatives u Towards an authentication model u Authentication requirements summary

3. Common Hybrid Library goals u Hybrid Library systems typically comprise – a user centred, Web-based “managed environment” u aim to provide single access point to diverse resources in range of media formats u extend management controls; minimise access discontinuities for users

4. Electronic Access Issues... u do we have barriers or controls? u Internet promises seamless access u fragmented & weak control mechanisms – “password proliferation” a curse – IP filtering excludes valid (remote) users! – “islands” of user attributes data u a new “inter-organisational” era (Lynch) – supersedes older password model...

5. A Continuum of Access Needs u Different stakeholder perspectives – user wants unrestricted access – librarian wants managed access – vendor wants validated access u access rights derive from community membership(s) u range of physical and virtual locations u a “single (secure) sign-on” entry point

6. Authentication & Authorisation u Authentication defines who you are u Authorisation determines what you can do or what you can access, once authenticated u Hybrid Library systems will demand – interoperation AND separation between user attributes and resource metadata databases – finer controls to model increasingly complex relationships

7. Authentication issues… u Single sign-on goal further complicates authentication issues u User identities and access rights typically fragmented on service-by-service basis u access scenario complexities – personal AND generic identities – personal, customised use of services – multiple “identities” in single session – where is locus of control?

8. Some evaluation criteria u national authentication infrastructure (e.g. ATHENS) should – integrate academic & commercial sources – supply local & central management controls – offer bridge to future standards/protocols – flexibly incorporate user attributes & resources metadata – use architecture that permits levels of resource access granularity

9. Towards an authentication model u access control must be flexible; managed u must reflect degrees of indirection in real- world contractual relationships, e.g. – publisher content aggregator – content aggregator library – library user u resource compendium and user attributes database are key components

10. Authentication needs: conclusion u Future access controls must – be appropriate, robust, flexible, scaleable, simple: “user-proof” – enforce control but maximise access – enact (indirect) contractual relationships – reflect new inter-organisational world – avoid current fragmentation – embody needs of all ‘stakeholders’

11. Further details are available on the HEADLINE Website at: www.headline.ac.uk including outline Project Workplan and project Working Papers as published March 1999 Further Details