Case study of logging into the study portal and computers of the Tallinn Uni of Tech
Use case: logging into the study portal and computer desktops of the Tallinn University of Technology
Tallinn University of Technology (TTU) is one of the two largest educational facilities in Estonia. TTU has ca 2000 employees and 13.000 students. University buildings - altogether 55 - are mostly centralized into the Mustamäe campus.
The employees, students and partners regularly log into different mission-critical systems of TTU (computers for work and study, study portal, managing personal accounts) connected to the account system based on Windows Active Directory. The latter system also contains and manages the public certificates of users regularly and automatically pulled from the Certification Centre.
It is relatively hard to estimate the concrete costs of realization: compared to the overall development costs of the beforementioned systems the costs for eID integration are marginal. Developing and launching the authentication systems has been associated with minor problems for all of them: however, all the problems have been solvable with a limited, sensible amount of effort. There is a monthly cost of a few hundred euros spent on online certificate status validation (OCSP) service , which is obligatory for mobile ID. The use of the OCSP service has been minimized in cases where ID card is used.
The main savings:
- Freeing the IT department from the massive need to generate new passwords and replace the lost passwords.
- A significantly higher level of security handling critical study information.
- Offering a third-party printing and copying service to all the students.
There are several typical problems and complexities associated with authenticating / logging into systems at TTU:
- It is inconvenient to manage separate user names and passwords for different systems used.
- Creating new passwords and replacing the lost ones creates a lot of work for the IT department.
- Ordinary password-based authentication is not secure enough for managing mission-critical information through a web portal: it is too easy to pass the passwords to other people.
Taking up the eID in different systems of TTY has been motivated by solving or easing these three problems.
The focus of the current overview is on authentication / logging in to an an account, using either a password, an ID card or - for some systems - mobile ID. In some cases the available functionality depends on the method of authentication used. To be more concrete, the following activities and systems are related to the process of logging in:
- Managing passwords and the central personal account of a TTU system user.
- Sending new passwords to users who - for some reason - cannot manage the password via the central personal account.
- Usign paid Overall services for printing and copying.
- Logging into the desktops of computer classes and personal computers of employess, connected to the Windows domain and managed by the IT department.
- Logging into the study portal: a regular necessity for all students (have to declare their courses and check grades) and lecturers (enter grades and perform administrative duties).
Changing personal passwords and managing the central personal account
TTU has introduced a centralized account system based on Windows Active Directory: both the employees and the students have an account which is connected to a single universal username/password. The systems accessable: email and Outlook functionality, printing, logging into computer desktops, logging into the study portal.
A user can
- Add/change the photo, set phone number, facebook, skype etc contact information.
- Change the password: this is the main use of the personal account.
In order to set/change anything the user must log in to the central account management web page https://pass.ttu.ee/ : this is possible either using a password or an ID card. The mobile ID cannot be used. Both the employees, students and external partners can log in.
The management functionality described in this chapter - differently from logging into the functional systems mentioned - is not an everyday or a regular necessity.
Costs and savings
The system was implemented by fall 2012 by the employees of the IT department of TTU. Resources spent were roughly one man-week.
What was gained:
- Primary gain: saving time for the IT department otherwise spent generating new passwords / changing lost passwords.
- Increased convenience for users: they can manage the passwords, contact information and personal data without contacting the IT department.
- Makes it possible to collect varied contact information, entering which requires action by the user.
Replacing a lost password
In most cases the IT department does not have to replace passwords (since users can change these themselves), in some cases it is necessary.
In such cases there arises a problem of sending a password securely.
TTU IT department sends passwords by email, encrypted using the public key of the user.
Encrypting and decrypting the password is performed using the standard software for ID card, without any special developments. We note that it is easy to access the public key of the user: the central system pulls and updates the public key to the Windows Active Directory account at least once per week.
Printing and copying
There is a significant number of printers and copying machines in public use in TTU. These machines are used to offer paid printing and copying services by the Estonian company Overall. Services rely on authentication: every ID card holder can transfer money to the printing account, which enables her to print on any printer attached to the system.
The printing and copying services are implemented by Overall. TTU IT department connected the Overall services to the TTU authentication system, which was a relatively simple task.
Costs and gains for the user and the IT department
The estimated amount of work spent on connecting the TTU system to the Overall printing system was in the range of a few days to a week. Importantly, the users already had centralized Windows domain user accounts with the necessary information (primarily, person code) and used these for logging into the desktops.
Copying services are independent of the TTU system, hence no connecting costs from the TTU side.
The main gain is enabling large amounts of students to print. Without the described technology printing would be possible only at large computer labs with a TTU administrator sitting nearby, collecting money for the printing service and printing documents emailed by the students: an expensive and an inconvenient solution.
Logging into the computer lab machines and private desktops
All the computers in computer labs and the majority of the computers of personnel have been connected to the Windows Domain from fall 2012. All these computers are managed by the IT department: users normally do not have administration rights.
There are two ways to log into the computers: using a password or an ID card. Password management is performed using the beforementioned https://pass.ttu.ee/ site described before.
A large percentage of TTU computers has an ID card reader built in. However, in most cases people use passwords to log into their desktop: ID card use for this purpose is not very common.
Costs and gains for the user and the IT department
Considering that (a) the Windows domain exists already and (b) computers have ID cards attached, it takes just one day to enable logging in using an ID card: basically, the central system has to be configured acccordingly.
On the other hand, logging into the desktop using an ID card does not give significant gains neither to the user nor the IT department. Basically, the ID card enables loggin in even if the password has been lost, after which the user can log into the central system and change the password.
Logging into the study portal web application
The study portal is the largest IT system of TTU, used for managing study programs, courses, exams, grades etc. Every student must log in at least during the beginning of each semester, to fill her study plan. Later she can follow her results and other study information. Lecturers must log into the system regularly, primarily to manage the descriptions of their courses, enter exam times and grades, confirm results.
Since the progress of studies is highly important at the university and is related to available scholarsips, study cost, graduating, expelling etc, the security of the system is important. There are three ways to log into the system:
- User ID and password.
- ID card.
- Mobile ID.
The rights of the user is influenced by the method used for logging in: looking and managing ones own information can be done for any methods of logging in, whereas managing information about other people (for example, entering grades) is only possible if the user has logged in using an ID-card or mobile ID.
Hence the ID card is far more common in the TTU study system when compared to TU or TLU. TTU has been considering an option to stop using conventional passwords altogether, which will require creation of the the special ID-token/card for the university. Otherwise there will be a problem with foreign students who have to log into the system at the beginning of the semester, but get their ID-cards a month or two after immatriculation.
Right now the usage of mobile ID is marginal when compared to the ID card. Also, there is a single case where students must use an ID card: if you want to change the password for logging into the desktop or the study portal, you must login with the ID card first.
Since logging into the study portal is a high-volume activity, no certificate status validation (OCSP) requests are performed, for the main reason that this requires payment from the TTU. OCSP requests are performed when logging in using mobile ID, since in this case it is obligatory.
Costs and gains
The study portal is designed and developed by Fujitsu Estonia. A modification of the same system is used by the Tallinn University. Concrete authentication solutions have been developed in cooperation of Fujitsu Estonia and TTU, according to the needs of the TTU.
It is impossible to calculate the exact cost of implementing the eID authentication solutions in the project as a whole: they are estimated to be more than a a few weeks and less than a few months. Considering the whole study portal system, the costs for eID are marginal.
The OCSP service generates a monthly cost of a few hundred euros to TTU. In one month the number of all the OCSP service calls is ca 6000, of these ca 5500 used for authentication and ca 600 for signing, typically by mobile ID, where OCSP is mandatory.
We note than in case TTU would use OCSP calls for each authentication case by ID card, the total cost of OCSP calls would be significant: the monthly number of logins to the study portal using the ID card is fairly high.
The main gain from the use of the ID card for logging into the study portal is significantly higher security for managing critical information (mostly grades). From the pure ease of use standpoint the end users would be better off using a user name / password (the dominating login method for students).