One of the deliverables of this project is a “mobile bookmarklet tool”, which is intended to help address the difficulty of entering a complex password into a mobile keyboard. The difficulties encountered tend to be with accessing special characters and achieving complete accuracy, especially in password fields where characters are hidden as soon as you type them.
The original concept of the bookmarklet tool was that once a user had linked to a content provider’s website through EZproxy and had been asked to authenticate via the OU SAMS authentication system they would then be able to bookmark each site within a mobile application. The user could then easily return to the content provider’s site without having to remember the URL, connect through EZproxy or enter their authentication details. However, the project board raised concerns about the security of this approach as it could enable anyone who got hold of a mobile phone belonging to a valid user to access our eResources.
Our alternative approach is inspired by an earlier OU Library project called RISE (Recommendations Improve the Search Experience), which experimented with a token-based method to authenticate users from a Google Gadget.
The planned approach for MACON will be:
- Pass the user to a SAMS-protected page, which generates a hash token, redirects the user to a mobile authentication page with the token as a URL parameter, and stores this token in the database.
- The user is provided with a 6-digit PIN, which they can thereafter use in place of their SAMS password for signing in to the mobile website.
- When a user accesses the mobile website and is prompted to sign in, they enter their OU Computer Username and PIN, which is checked against the database entry stored in step 2.
We are just starting to develop this prototype and will have to ensure that the OU’s IT department are happy with this approach before we roll it out. The advantage of this approach is that no data is stored locally on the device, but it will need testing with users to ensure they are able to recall both a PIN and their usual password.
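The three steps above, as an added Python example (not the MACON project's code). The in-memory `DB` dict, the PBKDF2 storage of the PIN, keeping only a SHA-256 of the token, and the five-attempt lockout are assumptions; the post specifies none of them.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5   # assumption: lockout threshold, not stated in the post
DB = {}            # in-memory stand-in for the database table

def _pin_hash(pin: str, salt: bytes) -> bytes:
    # Slow salted hash so a leaked table does not directly reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def enroll(username: str) -> tuple[str, str]:
    """Steps 1-2: call only from the SAMS-protected page (user already authenticated)."""
    token = secrets.token_urlsafe(32)          # URL parameter for the redirect
    pin = f"{secrets.randbelow(10**6):06d}"    # 6-digit PIN, leading zeros kept
    salt = secrets.token_bytes(16)
    DB[username] = {
        "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
        "salt": salt,
        "pin_hash": _pin_hash(pin, salt),
        "failures": 0,
    }
    return token, pin

def verify(username: str, pin: str) -> bool:
    """Step 3: mobile sign-in with OU Computer Username and PIN."""
    row = DB.get(username)
    # A 6-digit PIN has only 10**6 values, so failed attempts must be capped.
    if row is None or row["failures"] >= MAX_FAILURES:
        return False                           # unknown user or locked out
    ok = hmac.compare_digest(_pin_hash(pin, row["salt"]), row["pin_hash"])
    row["failures"] = 0 if ok else row["failures"] + 1
    return ok
```

Once `verify` locks an account, the user has to go back through the SAMS-protected page and call `enroll` again to get a fresh PIN.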
Thanks for keeping us updated on progress with this, Keren – I know it’s something many libraries are trying to tackle.
Does this approach still take the user through the same process in terms of getting through the EZproxy and getting to the resource? I know some devices have problems with a lot of different redirects, is this something that you have come across? Would this help that problem or is this just to solve the complex password problem?
The user will still be taken through EZproxy, but there will only be one redirection from the OU’s authentication system to EBSCO via EZproxy. We don’t have it sufficiently well developed to test yet, but I’ll let you know how it goes.
Thanks Keren – look forward to hearing more as it develops.