Why Digital Theatre+ recommends not using IP Authentication

Digital Theatre+ recommends that customers do not use IP Authentication, preferring Single Sign On instead

Summary

Historically, institutions and librarians have often used IP authentication to provide access to licensed materials to their users. 

IP addresses have never been an accurate way to determine organisational affiliation, and their reliability for that purpose continues to diminish.

IP-based authentication is an inherently insecure form of authentication. Therefore, it should not be used; username/password or identity provider-based authentication should be used instead.

Users of IP-based authentication are not uniquely identifiable, which is a prerequisite for many personalisation features, whether already launched or currently in development. This means that new or upcoming Digital Theatre+ functionality such as Content Controls, Bookmarking or Playlists is not, or will not be, available to users of IP Authentication.

Impending browser changes likely to impact IP authentication

Posted June 2023

Many browser vendors, including Google, Mozilla, and Apple, are now working to introduce privacy features that prevent tracking of users across the web, for example, from one web domain to another.

Most significantly, many browsers will soon obfuscate IP addresses, rendering on-site IP authentication unusable for many library resources and learning platforms, including Digital Theatre+.

If your institution relies upon IP authentication, you should identify and move to using an authentication method available to you that does not rely on IP ranges, such as SAML SSO. This may involve talking with your campus IT. If your proxy tool already uses SAML SSO for logins, you may use SAML SSO directly to authenticate to our service.

Please refer to our other articles on Authentication and/or contact our Support team if you would like further guidance on moving away from IP.


5 Key Disadvantages of IP Authentication:

  1. It is not secure.
  2. It is not reliable.
  3. Gives false assurance of anonymity. 
  4. Gives reduced value to your users.
  5. Creates additional and avoidable costs.

1. Why IP Authentication is not secure...

  • In short - because IP addresses, by nature, are not guaranteed to be associated with a given organisation, IP Authentication must be considered a very weak indicator of organisational affiliation. This means that as a service, Digital Theatre+ cannot offer the frictionless, seamless and personalised experience that users now demand.
  • IP Authentication may be defeated by spoofing the IP address. This is often done through the HTTP headers that proxies use when forwarding requests (a server that trusts such a header from any sender will accept whatever address the client claims). If an attacker successfully exploits an authentication bypass, they could log in as a user in your organisation to view information.
  • IP addresses therefore cannot be trusted to perform authentication, and a request authenticated only by its IP address must be assumed to have a high probability of being unauthorised.
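The header-based spoofing mentioned above comes down to which address the service believes is the client. The following is an added example, not Digital Theatre+ code; the IP ranges, proxy address and sample requests are constructed. It puts a naive allow-list check (which trusts `X-Forwarded-For` from anyone) beside a hardened one that only honours the header when the request actually arrived from a known proxy, and shows why the naive form lets an off-range client pass.

```python
"""
Added example (not Digital Theatre+ code): an IP allow-list check that trusts
forwarding headers from any sender, beside a hardened form that only honours
the header from a known reverse proxy. All addresses below are constructed.
"""
import ipaddress

# Constructed: the range an institution registered for IP authentication.
LICENSED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: the single reverse proxy that legitimately fronts the service.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.10/32")]


def in_ranges(ip, ranges):
    """True if the textual address falls inside any of the given networks.
    Raises ValueError for a malformed address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def client_ip_naive(peer_ip, headers):
    """Vulnerable: believes X-Forwarded-For no matter who sent the request,
    and takes the first value, which is exactly the one a client controls."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip, headers):
    """Only honour X-Forwarded-For when the TCP peer is a trusted proxy, and
    then use the value that proxy appended (the last one). Earlier values
    were supplied by whoever connected to the proxy and are unverified."""
    if not in_ranges(peer_ip, TRUSTED_PROXIES):
        return peer_ip  # direct connection: the header means nothing
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[-1] if hops else peer_ip


def is_authorised(peer_ip, headers, resolver):
    """Decide access from the resolved client address; a malformed address
    is never authorised (fail closed)."""
    try:
        return in_ranges(resolver(peer_ip, headers), LICENSED_RANGES)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: (TCP peer address, headers, description)
    samples = [
        ("192.0.2.50", {"X-Forwarded-For": "203.0.113.5"},
         "off-range client connecting directly, forging the header"),
        ("198.51.100.10", {"X-Forwarded-For": "203.0.113.5"},
         "genuine on-range client arriving via the trusted proxy"),
        ("198.51.100.10", {"X-Forwarded-For": "203.0.113.5, 192.0.2.50"},
         "off-range client via the proxy, with a forged first value"),
    ]
    for peer, hdrs, what in samples:
        print(f"{what}:")
        print(f"  naive    -> {is_authorised(peer, hdrs, client_ip_naive)}")
        print(f"  hardened -> {is_authorised(peer, hdrs, client_ip_hardened)}")
```

The hardened resolver assumes exactly one trusted proxy hop; with a chain of known proxies you would strip one value from the right per trusted hop rather than always taking the last. Even done correctly, this only confirms which network a request came from, not who the user is, which is the page's broader point.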

2. Why IP Authentication is not reliable...

  • Ownership of IP ranges changes, with no central global registry that can be used to assert ownership. This means your users and their activity can be blocked, or associated with another organisation, without prior notice or intent.
    • We repeatedly have customers claim ownership of the same or overlapping IP ranges, and have had to arbitrate between them to discern ownership.
    • We repeatedly have customers whose IP ranges have changed, but neither the person responsible for providing the service nor Digital Theatre+ is informed.
  • In order to work, your users are forced to either be in specific locations, or connect via specific mechanisms (such as VPN or Proxy) which causes difficulty, frustration and friction in using web based resources.
    • We are repeatedly contacted by customers who experience issues with both Digital Theatre+ and other websites because VPN or Proxy networks and servers are misconfigured, or overloaded in traffic and processing terms.
    • We are also contacted by users who know they want to use Digital Theatre+ and discover our website, but then cannot sign in because they aren't familiar with the specific access methods their organisation has configured for them.
  • Misuse can result in all users being blocked. If someone in your IP address range accidentally, or intentionally, performs actions that are considered harmful or suspicious, the only defence available is to block every user within the range. Conversely, if users are individually identified, the specific user can be suspended and the remaining users can continue using the service uninterrupted.

3. Why IP Authentication gives a false assurance of anonymity...

One of the prevailing beliefs about the use of IP Authentication is that it provides end users with anonymity, ensuring their activity cannot be tracked by surreptitious or malicious companies for advertising purposes.

If a business is intent on tracking an end user and building a profile of them, it is possible to do so using techniques that cannot be detected or avoided by IP Authentication, VPNs or Proxies. The primary technique is called Browser fingerprinting.

At this point, it's important to point out that Digital Theatre+ does not include any third-party tracking; even our analytics system is hosted by us, and Digital Theatre+ does not perform Browser fingerprinting.

The limit of personal information that Digital Theatre+ stores is information used for authentication only, which is not accessible to other business functions, such as marketing.

You can read more about Browser fingerprinting at AmIUnique.org and CoverYourTracks.eff.org.

In short, the majority of web browsers reveal enough information about themselves, the operating system, and the hardware being used that they can be identified as unique, and therefore tracked.

4. Why IP Authentication provides reduced value to end users...

In our experience:

  • Issues with the capacity or configuration of a VPN, Proxy or network prevent users from accessing Digital Theatre+ despite the service being fully available and functional. A computer, a modern browser and an internet connection are all that is required to use Digital Theatre+.
  • Users authenticated by IP have to be treated as completely anonymous, and therefore will not benefit from the personalisation that digital services can provide. Remember that personalisation does not mean personal information has to be provided about a user, only that the user is uniquely identifiable when using Digital Theatre+.

Our recently launched Content Controls feature does not work for users of IP Authentication, because if a user is not uniquely identifiable the platform cannot determine whether that user should be allowed to administer account settings.

Other highly-anticipated features now in development, such as Bookmarking resources or creating saved Playlists, will also not work for users of IP Authentication when they launch.

5. Why IP Authentication creates additional and avoidable cost...

In our experience, IP Authentication causes increased:

  • Administration and co-ordination costs
  • Third-party network and software costs
  • User support costs
  • Missed opportunity costs (when users aren't able to access Digital Theatre+ for reasons beyond their own or Digital Theatre+'s control)