Re: Dealing with password authenticated online content Toni Fortini 29 May 2007 20:25 UTC

Chad brings up a good point: the problem with password authentication is
the inability to keep passwords confidential.

Has anyone explored the new option in EBSCO's Registration Tracker
called "Custom Journal Data"?  From EBSCO's help page: "Here, you can
record your Publisher Authentication Code for participating publishers.
This code will enable EBSCO to link your patrons directly to the
publisher's site and log them in automatically. (The use of this field
varies from publisher to publisher. As we implement this option with
each publisher, we will provide explicit instructions below regarding
the formatting they require.)"

I haven't yet come across any participating publishers. Would be nice to
see this used more widely!

-Toni

Toni Fortini
Online Access Assistance Coordinator
Cataloging Group
Bailey/Howe Library
The University of Vermont
http://eresourcejournal.wordpress.com/2007/05/29/password-authentication-discussion/

Hutchens, Chad wrote:

>We have the same de-facto policy.  If the publisher or provider does not
>offer IP authentication, we don't activate the title electronically.
>Also, if it's an e-only title or resource without IP authentication, we
>generally will not purchase or subscribe to it.
>
>Policing usernames/passwds is really not possible.  Once someone has
>them they can distribute them however they want, regardless of how they
>got them in the first place (e.g. via a password protected library
>resource).  The only way to make something like that work would be to
>update passwords at regular intervals.  However, that solution simply
>doesn't scale when you start getting up there in subscription numbers.
>
>Chad E. Hutchens
>Electronic Resources Librarian
>Montana State University Libraries
>P.O. Box 173320
>Bozeman, MT  59717-3320
>(406) 994-4313 phone
>(406) 994-2851 fax
>chutchens@montana.edu
>
>

Susan Davis wrote:

> No Susan, you are not dreaming.  I believe this topic came up not all
> that long ago and several responses came through with some solutions.
>
> We certainly strive to set up IP based access whenever possible;
> however, there are still some products that are password access only.
>
> We have a little script (I'm not the technical person here so I'm just
> describing the process in generic terms) that is invoked when a user
> clicks on the 856 link which leads to an authentication page.  After
> the user inputs the necessary information to verify themselves as a
> legitimate university users, they are taken to a webpage that lists
> the username and password for the product, as well as the URL to the
> product itself.
>
> The downside of this process is that many users fail to read the
> entire webpage explaining the need to take note of the username and
> password and instead try to use their university authentication again
> to gain access.
>
> With an ever increasing demand for one click access, this is not a
> particularly elegant solution.  But it does keep the passwords "safe"
> in that not just anybody can readily obtain them, nor does a patron
> have to come to a service point to ask for them.
>
> Susan
>
> Susan Davis
> Head, Electronic Periodicals Management Department
> University at Buffalo (SUNY)
> 134 Lockwood Library
> Buffalo, NY  14260-2210
> (716) 645-2784
> (716) 645-5955 fax
> unlsdb@buffalo.edu
>
> ***Please consider the environment before printing this email****
>
> --On Tuesday, May 29, 2007 2:13 PM -0500 Susan Wishnetsky
> <pasiphae@NORTHWESTERN.EDU> wrote:
>
>> At 12:23 PM 5/29/2007, Chad Hutchens wrote:
>>
>>> We have the same de-facto policy.  If the publisher or provider does
>>> not
>>> offer IP authentication, we don't activate the title electronically
>>> ....
>>
>>
>> We do the same, but I thought that some libraries had come up with
>> a way to automate the entering of passwords.  Once the user clicks
>> on a password-only resource, the user (or the location of the user's
>> workstation) is authenticated by the library's system, which proceeds
>> to activate a kind of macro to enter the password for them, a process
>> that is invisible to the user.
>>
>> There'd probably have to be separate macros, with unique instructions,
>> for each password-only product ... but if you really wanted to
>> provide the
>> product, it'd be worth it.  Did I dream this?  Is it being done
>> anywhere?
>> Can it be done?  SW
>>
>>
>> Susan Wishnetsky
>> Electronic Resources Librarian
>> Galter Health Sciences Library
>> Feinberg School of Medicine, Northwestern University
>> 303 East Chicago Avenue
>> Chicago, Illinois 60611-3008
>>
>> (312) 503-9351
>> FAX (312) 503-1204
>> pasiphae@northwestern.edu
>>