14.5 Approaches to user authentication at a climate research Web site

Friday, 14 January 2000: 9:00 AM
Julia A. Collins, NOAA/CDC and CIRES/Univ. of Colorado, Boulder, CO

As Web sites become a more critical medium for communication both within an organization and between the organization and the outside community, so grows the need to ensure that the right information is reliably and securely made available to the right people. A Web browser interface may be used to distribute sensitive, internal-use intranet information, extranet information which may be no less sensitive but should be available to some select outside users in addition to internal users, and information that needs to be made available to the world at large. At the NOAA-CIRES Climate Diagnostics Center (CDC), we distribute information in each of the above categories: personnel and systems information and some climate data sets approved for in-house use only; test applications, research results, and other climate data sets available to internal users and some approved outside users and collaborators; and finally, our large collection of climate data which is freely available to all interested users.

The definition of the "internal" user is also changing. We now have telecommuters who may be using a different Internet Service Provider than their parent organization for access, researchers at field sites, and conference attendees who need to access data, results, or home office information. While these people are physically external to the site, they need to retain the privileges afforded internal users.

These increasingly variable authentication demands begin to reach the scalability limits of Web server-based authentication schemes, which generally require either an approved client IP address or a password in order to authenticate a user. Restricting access by IP address becomes unwieldy as the number of users reaching the site from different domains (e.g., conference sites, field, home) increases. Password authentication leads to a proliferation of passwords for each user as they gain approval at different sites (or even within the same site), and is only minimally secure because common implementations (HTTP Basic authentication over plain HTTP, for instance) transmit the password effectively in the clear, merely Base64-encoded, where anyone on the network path can read it.
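The two weaknesses above can be made concrete. The following is an added example, not code from the paper or from CDC: it recovers the username and password from a Basic-auth request as it travels over plain HTTP (showing the Base64 encoding offers no protection, and handling the edge case of a password that itself contains a colon), and it evaluates an IP allow list against a telecommuter's address to show why address-based restriction breaks for roaming users. The request, the user name, the password and the network ranges are all constructed for the example (documentation address ranges, not CDC's).

```python
import base64
import ipaddress

# Constructed sample: a plain-HTTP request as a browser would send it after
# answering a server's Basic-auth challenge. Not captured from any real site.
SAMPLE_REQUEST = (
    b"GET /intranet/personnel.html HTTP/1.0\r\n"
    b"Host: www.example.org\r\n"
    b"Authorization: Basic amNvbGxpbnM6cGE6c3N3MHJk\r\n"
    b"\r\n"
)

# Constructed "internal" address ranges (RFC 5737 documentation networks).
INTERNAL_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24"]


def recover_basic_credentials(raw_request: bytes):
    """Return (user, password) from a Basic Authorization header, or None.

    This is exactly what a passive observer on the path between browser and
    server can do: Base64 is an encoding, not encryption.
    """
    header, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in header.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None                               # some other scheme
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            return None
        # RFC 2617 form is user-id ':' password. Only the FIRST colon separates
        # the fields, so a password containing ':' must be kept intact.
        user, sep, password = decoded.partition(b":")
        if not sep:
            return None
        return user.decode("latin-1"), password.decode("latin-1")
    return None


def ip_permitted(client_addr: str, allowed_networks) -> bool:
    """Server-side IP allow list check of the kind the paper calls unwieldy."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in allowed_networks)


if __name__ == "__main__":
    print(recover_basic_credentials(SAMPLE_REQUEST))   # ('jcollins', 'pa:ssw0rd')
    print(ip_permitted("192.0.2.44", INTERNAL_NETWORKS))   # True: on-site desktop
    print(ip_permitted("203.0.113.7", INTERNAL_NETWORKS))  # False: telecommuter at an ISP
```

The telecommuter in the last line is exactly the user the paper describes: entitled to internal privileges, but presenting an address the allow list has never heard of, so either the list grows with every new ISP and conference network or the user is locked out.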

This paper discusses our investigation into alternatives for user authentication and for providing content based on user identity. We consider the use of public key approaches (including Secure Sockets) to control user access to Web documents, and report on the ease of use from both the user and the system administration points of view. Our goal in this investigation was a scheme that requires minimal upkeep by system personnel as users move from one client to another, and that allows users to access the information they need in a simple, straightforward way that does not change with the client machine in use.
