How Does The BrowZine App Handle Authentication?

Modified on Fri, 30 Sep, 2022 at 10:03 AM

The BrowZine app handles user authentication in one of two ways: automatic login or manual authentication. The method used will depend on your institution’s authentication process for accessing e-resources. 

Automatic Login 

The BrowZine app is capable of automatically logging users into most traditional login forms. These are often based on systems such as EZProxy, WAM, OpenAthens and other similar technologies. The general technical requirements for automatic login are: 
  • An HTML-based login form with clearly defined username and password fields.
  • Using a form submission to submit the login.
  • Displaying error messaging for problems such as an incorrect username/password, an expired account, an incorrect affiliation, etc. 
In this situation, users save their institutional username and password in the BrowZine app. When they request an article, the BrowZine app will take these saved credentials and submit them to your institution’s login form automatically. Users will be logged in (or shown an error if there is a problem) and forwarded along to the article PDF they requested. 

Manual Authentication

BrowZine is not able to perform this automatic login process on more sophisticated enterprise authentication or access management systems. Some of these systems include OneLogin, Okta, federated login using Microsoft or Google, and other similar systems. In many respects these systems are explicitly designed to prevent attempts at automatically logging in users for the sake of security. This also makes it impossible for BrowZine to do so.

In this situation, users enter their institutional username and password directly in the BrowZine app when they first request an article. Your institution's login form appears in a small window much as it would in a web browser. After entering and submitting their login, the user will be logged in (or shown an error if there is a problem) and forwarded along to the article PDF they requested. 

If the user requests more articles, their login will be remembered for a period of time in much the same way as a web browser would. They will not need to repeat this login process for each article. The period of time their login is remembered depends on your authentication system’s settings. After that period has lapsed, users will be prompted to login again the next time they request an article via the BrowZine app. 

What About Two Factor Authentication?

Institutions using authentication systems capable of either automatic login or requirement manual authentication may also use two-factor authentication. This requires that users submit a special code in addition to their password. The user typically receives this code via text message or generates it via a companion app. By nature this code is known only to the user and BrowZine cannot bypass or ignore this requirement. 

For institutions which meet our requirements for automatic login, two-factor authentication requires separate handling. The request for the additional code appears directly in BrowZine much as it would in a web browser. After it is accepted, the user is forwarded along to the article PDF they requested. The period of time their authentication is remembered depends on your authentication system’s settings. 

For institutions using manual authentication, this additional step occurs as part of the same login process detailed above.

How Are Saved Credentials Stored?

On iOS devices, Apple's Keychain is used to store user credentials. This is the same mechanism used for the iPad's built-in Safari web browser if a user decides to let the browser "remember my password" for a website. The encryption used is AES-256-GCM. More specific details about Keychain's security are available in Apple's documentation.

For Android devices, the Android OS includes its own security measures at the device level which is then compounded by AES-128 encryption of credentials in BrowZine built by Third Iron creating a double layer of protection.

If your library uses a proxy server or OpenAthens to enable off-campus access, BrowZine initiates a session with the proxy server to authenticate you as an authorized user. BrowZine passes the username and password data, which is encrypted and stored securely on your device, directly to the proxy server. The username and password are never passed to Third Iron servers.

What About VPN or On-Site Only Configurations?

Institutions setup to use VPN-based authentication or which restrict BrowZine access to on-site only do not need to worry about this automatic/manual distinction. Users are granted or denied access based on their IP address and if that IP is on the list of addresses provided during your account setup. More details on how authentication works in this scenario are available in our article on VPN support.