An authentication system that supports multiple authentication factors and can withstand many students logging in at once
We adopted net booting of the terminals instead of using the terminal service, and updated the system in April 2011. Since the fingerprint authentication system from another company that we used at that time did not support Windows 7, we introduced EVE MA as a new authentication system.
Our institute has about 8000 students and about 900 faculty members. Although use of fingerprint authentication by students is optional, we need to reduce the number of users who cannot use the authentication system as much as possible. EVE MA, which allows selection among multiple authentication factors such as fingerprint authentication and IC card authentication, matched our needs.
Unlike in a company, students at a university log in to the terminals all at once at the start of class. At that time, the authentication server comes under heavy load. Since students cannot log in and the class cannot start if authentication takes a long time, we wanted a system capable of withstanding authentication requests arriving all at once.
We have experience in operating a fingerprint authentication system, so we recognized that authentication accuracy can be improved by improving the quality of the registered data. Therefore, we asked DDS for a modification that embeds a video lecture on the registration method in the fingerprint registration utility, so that users can see the optimal way to slide their fingers. Furthermore, we were able to improve the quality of the registered data by issuing a password with an expiration date, so that users can register their fingerprints slowly at their seats instead of registering them hurriedly within a short period.
Operation after a preparation period of less than one year
We had already been operating a PKI infrastructure, so we were looking for a system that built on it. Since it takes time to validate an authentication system, we started studying systems that met our needs one year before the new system was to begin operation.
Before deciding to adopt EVE MA, we validated a system from another company that could handle both IC card and fingerprint authentication, but the system did not work as expected. We spent a great deal of time on it and then had to go back to the starting point.
As a result, only several months remained for preparation, and we had to find another system with a high degree of completion. After that, we started to prepare for validation and development on the assumption that we would use EVE MA. This was about eight months before starting system operation and about six months before getting the system running.
We also needed to carry out a stress test to ensure operation when many students log in at once. DDS provided the software for validation in a short period, so we could carry out the validation and prepare reliably for the start of operation. Since DDS is a domestic company, it was good for us that DDS responded quickly when problems arose. No trouble caused by EVE MA has occurred to date.
Customization for sharing authentication information across different domains
We wanted to unify the authentication method across different systems. Since the system for faculty members holds personal information, such as student performance, the domain for students is separated from the domain for faculty members for security reasons.
In the previous system, fingerprint login was limited to a single domain, which had the drawback that faculty members could not use fingerprint authentication on the education and research terminals in the classrooms. Personnel and students use only one of the systems, while faculty members use both. As a measure against information leakage at the university, there was a policy that student information may be viewed only on terminals belonging to the clerical domain. Thus faculty members needed to use the clerical domain and the research domain separately.
Therefore, we asked DDS to add a function for sharing authentication information among these domains. The function was added to EVE MA, and the authentication information can now be shared. As a result, faculty members can log in to both systems with the same authentication method, and we feel that authentication has been integrated in the true sense.
Furthermore, data migration from the existing databases of student information and personnel information to EVE MA is also automated. When a user account for a student or a faculty member is newly registered, it is automatically reflected in the user information on EVE MA. By adopting EVE MA, the time needed to register user information has been reduced, which has helped us very much.
New challenges after the Great East Japan Earthquake can be overcome with the one-time password
Information on the clerical system is permitted to be handled within the campus only. Mail transfer by staff carries a possibility of information leaking off campus. Although some personnel asked to be able to check e-mail during business trips, this was prohibited by operational policy.
However, personnel had to stay at home after the Great East Japan Earthquake, and they could not work. Fortunately there were no human casualties, but we could not even access the rosters when we tried to check on the safety of students. Therefore, we urgently needed to give serious consideration to emergency measures.
Furthermore, apart from disaster measures, there were requests to log in to the system from outside. Faculty members often go on business trips and also travel between the Toyosu and Omiya campuses. Since many faculty members use non-Windows notebook PCs and tablets, we had to consider access methods from various terminals. We could not adopt an ordinary password because it would weaken security.
Everyday preparedness can also serve as preparedness for a disaster. Since EVE MA can increase the number of authentication factors by adding a plug-in, we consulted DDS about combining the authentication with a one-time password, and this has been achieved.
At exactly the same time, we partially introduced a VDI (VMware Horizon View) environment to the clerical system. The VDI can be used from a terminal on which EVE MA is not installed, as long as a browser is available. So the system can be operated without weakening security.
With a simple password, there may be a password leakage problem caused by a keylogger planted on the terminal. On the other hand, the login method with one-time passwords does not have this risk. We introduced the one-time password in the form of a card, and could save cost at the same time since it was a general-purpose product rather than a specialized one. Since faculty members appreciate this mechanism, we intend to expand the system to personnel as well.
Reducing the number of terminals to cut costs in the future while maintaining security
We intend to integrate faculty identification and the one-time password card in the future. By operating this way, unified certificate issuing will be realized and security will improve further.
Furthermore, although an individual terminal is required for each staff member, it is not necessary to distribute dedicated terminals to faculty members, since they can access the VDI environment from any terminal by using the one-time password. Therefore, we think that we can drastically reduce the cost of clerical terminals at the next system update.
- Name of school: Shibaura Institute of Technology
- Overview: A private university established in 1949. Since the founding of its predecessor, Tokyo Industry and Commerce High School, in 1927, the school has consistently fostered good technicians who can work steadily, under the banner of the principle of practical science. Carrying on the philosophy it has held since its founding, the university provides education and research to develop richly creative human resources who learn from society and contribute to society. The headquarters is located at 3-7-5 Toyosu, Koto-Ku, Tokyo. Other than the headquarters campus, the university has the Omiya campus (Minuma-Ku, Saitama City) and the Shibaura campus (Minato-Ku, Tokyo). 8399 people study in 3 undergraduate schools, “Engineering”, “System Faculty of Science and Engineering” and “Design Engineering”, and 2 Graduate Schools, “Science and Engineering” and “Engineering Management” (as of May 1, 2013).
- Website: http://www.shibaura-it.ac.jp/