A user accessing a service must first authenticate at the IdP to prove his or her identity. The edu-ID service currently supports the following authentication methods:
It is planned to support new passwordless authentication methods using FIDO2 tokens over the WebAuthn protocol in the near future.
- Minimum password length: 10 characters
- Commonly used passwords are forbidden. New prospective passwords are checked against various lists of common passwords
SWITCH edu-ID does not enforce ineffective password limitations. It almost entirely follows the NIST recommendations for memorized secrets (passwords). No periodic password change is required.
The only complexity requirement is that at least two character classes (lowercase letters, uppercase letters, numbers, punctuation) must be present in the password.
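As an added illustration (not code from SWITCH edu-ID), the checks below implement the three stated rules: minimum length of 10, rejection of commonly used passwords, and at least two of the four character classes. The common-password list is a small constructed sample, and the case-insensitive comparison against it is an assumption, since the page does not say how the lists are matched.

```python
import string
from typing import List, Set

# Constructed sample standing in for the "various lists of common passwords";
# a real deployment would load published lists instead.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456789012", "qwertyuiop",
    "letmein123", "welcome2024", "iloveyou123",
})

MIN_LENGTH = 10   # edu-ID minimum password length
MIN_CLASSES = 2   # at least two of: lowercase, uppercase, digit, punctuation


def character_classes(password: str) -> Set[str]:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lowercase")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punctuation")
    return classes


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumption: match case-insensitively so trivial variants such as
    # "Password1" are caught by the list as well.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


if __name__ == "__main__":
    for candidate in ["Correct-Horse-Battery", "correcthorsebattery", "Password1"]:
        print(candidate, "->", check_password(candidate) or "OK")
```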
- Choose a long password (> 15 chars). Read these hints.
- Don't re-use a password across multiple websites
To protect your accounts from phishing and other unauthorized access it is strongly recommended to activate two-step login.
See also Password Policy
With SPNEGO+Kerberos authentication, the SWITCH edu-ID IdP trusts the Windows PC authentication. This means that a user who has logged in on a Windows PC does not have to log in again on the edu-ID IdP.
SPNEGO+Kerberos authentication is currently under development.
SPNEGO+Kerberos Login Flow
- The user has logged on to Windows on the PC.
- The user calls an AAI service in the browser and must log on to the IdP.
- The user chooses to log on with the Windows logon data.
- The IdP asks the browser to present a Kerberos ticket valid for Windows logon.
- The IdP checks the ticket and accepts it for authentication.
- No need to enter username and password.