Device-centric Campus Wi-Fi and Web Services Access Control

Watch the pilot webinar below

The ReCRED campus Wi-Fi Pilot is a security architecture which employs the ReCRED modules in order to control the user access to the campus Wi-Fi network and to the associated web services. Nowadays, accessing the Wi-Fi network in a campus is critical because many of the university services, like e-learning or Internet resources, need to be accessed by students, professors and visitors. Taking into consideration the characteristics of this context, there is an acute need for authentication and authorization functions which are both user-friendly and non-intrusive, while assuring a granular access which can be easily controlled by administrators.

The first scenario addressed by the Wi-Fi pilot consists in students and professors accessing the network services by presenting a minimal set of trustworthy attributes. The second scenario permits a trust transfer from the user smart-phone to another device (e.g. laptop), which can be used to access the campus network services. The trust transfer scenario uses QR code scanning along with the ReCRED security stack to authenticate and authorize the second device. The Wi-Fi pilot proposes an architecture where users will be granted access to the network resources by presenting a set of identity attributes which are validated by the ReCRED infrastructure. ReCRED leverages the ubiquity of smart-phones to design a device-centric authentication and authorization scheme, where a Campus Access mobile application is used to gain access to the campus network resources. The user launches the mobile application to select the desired university resources and after being informed about the revealed attributes it will start the authentication process.

The ReCRED Wi-Fi pilot permits the user to authenticate by using biometric solutions such as fingerprint, thus replacing user-name/password credentials. Among the core security technologies employed by the WiFi pilot, there are protocols like FIDO UAF and a ReCRED tailored version of OpenID Connect/OAuth2. The Wi-Fi pilot has a modular structure, with separate authentication, authorization and network access structures along with the ReCRED services, thus it can be easily adapted to custom security requirements.The ReCRED campus-wide Wi-Fi and web services access pilot aims to move the burden of traditional authentication methods from the user to the device itself, taking full advantage of the smartphones’ inherent capabilities. The pilot carries two main advantages: (a) the advantage of Device Centric Authentication (DCA), which enables the user to authenticate using biometrics (e.g., fingerprint) instead of having to remember a username and a complex password; and (b) enables users to prove part of their identity in order to access the universities' campus Wi-Fi and web services without the need to reveal their complete profile (Privacy-preserving Attribute-based Authentication). In case the user wishes to use an alternate device (e.g., desktop PC) to access the campus Wi-Fi and web services, the service presents a QR code. The user should scan this QR code using the ReCRED application on her mobile device in order to authenticate her alternative device to the service. In this way, the mobile device and the alternate device are associated as belonging to the same user, and the user can use the alternate device to gain access to the Wi-Fi and the web services of the university.

You can also watch a very short introductory video on the project’s YouTube channel: https://www.youtube.com/watch?v=oGoi1oZ0RIQ