Authentication & Authorization
Not everything on the Internet is free. Some published electronic content is only available through a paid license on a subscription basis, either to an individual or to a group, such as: residents of a particular town, a school's student population, a region, or all the residents of a state. In order for users to view this licensed content, they must show that they are members of that authorized group. In Massachusetts, the content purchased on behalf of library users is primarily made up of collections of magazine and newspaper articles, online reference works, such as encyclopedias, and, more recently, downloadable audio and video.
What Are Authentication and Authorization?
Authentication and authorization processes are the gatekeepers to licensed content. They tie the user to the licensed content available through the library. Authentication recognizes that the user has an association to a particular library. The user may be authenticated as a town resident, a patron, student, staff, faculty, or just a visitor.
When content is viewed from the library or a school campus computer, the user may not have to provide any sort of library card or ID number. The computer itself is authenticated via its IP (Internet Protocol) address. Users who are off-campus or outside the library must provide a piece of information, or credential, such as a user ID, e-mail address, library card number or student ID. Once the user's library is known, the user's regional library system and automated library network are easily determined.
Authorization ties the user to the licensed content available through his or her library. For example, the Medford Public Library is located in the Metrowest region, and is part of the Minuteman Library Network. A Medford library user should be able to view all content provided by the Medford library, the region (Metrowest), the network (Minuteman Library Network), and the state.
IP Addresses
IP address checking is the simplest and most reliable way of authenticating users who are actually working in the library, or on a school or academic campus. Blocks of IP addresses are usually assigned to the library or campus. These blocks often cover staff and public desktop computers, and sometimes user laptops or portable devices connecting via a wireless access point in the library. IP addresses may be static or dynamic.
Static and Dynamic IP Addresses
A computer is said to have a static IP address if the Internet Service Provider (ISP) has assigned the ranges of IP numbers to a library or campus either permanently or for a predictable, extended period. Static IP addresses are the simplest and most reliable means of authentication for access to a licensed resource.
When a content provider's site is accessed, the provider's system checks the IP address of the user's computer to see if it is registered on the vendor's system. The IP address must fall within a range of approved addresses.
A computer that does not have a static IP address is said to have a dynamic address. Its IP address can change at any time, and is not part of a predictable range of IP addresses assigned to the institution. One method to authenticate dynamically addressed computers is by placing a persistent cookie on the workstation. The persistent cookie is actually a small file that is downloaded to a computer when a confidential password is entered on a web page created by the vendor. This cookie need only be set once by a library staff person on each workstation. Unlike session cookies, persistent cookies do not disappear when the browser is closed or the computer is shut down. Usually, they will last the full duration of the content licensing agreement.
Public libraries, regional member, academic and K-12 institutions, as well as non-profit and not-for-profit organizations, are encouraged to implement IP-based or persistent-cookie-based authentication for all of their in-library and campus-wide computers to access the statewide licensed databases. That way, users do not have to enter an ID number in order to access the electronic content.
Setting up Access Inside the Library
Regional member library staff is responsible for reporting their library's current IP addresses to their regional headquarters. The regional office will, in turn, notify content vendors on their behalf.
When a regional member library reports that it has computers with dynamic IP addresses, the library staff member responsible for the library computers is provided with a password and instructions to set the persistent cookie on those workstations.
Access Outside of the Library
Geolocation
About 85% of the time, business and residential Internet service is provided from a local pool of addresses with a known geographical location. The web site a user visits can read the IP address of the user's computer and locate it to within about a ten-mile radius.
Board of Library Commissioners contracts with resource providers permit access for all Massachusetts residents. When, through geolocation, a user's computer is determined to be in Massachusetts, there is no need to ask for a library card number or other credential to gain access to the resource. When geolocation cannot determine the user's location, or when a Massachusetts resident is traveling out of state, he or she may still enter a library card number to access the licensed content.
Geolocation has been in use on the mass.gov/libraries portal since May, 2009. However, the majority of library users do not come to the statewide portal; they go directly to their home library's website. In addition, resource usage coming through the statewide portal cannot be attributed to an individual library.
Libraries are now encouraged to update their remote links for statewide resources so that geolocation can be leveraged from their own web sites. The geolocation-enabled URLs are configured so that usage statistics can be counted and attributed to that institution.
To make it easier to drive patrons to the statewide licensed electronic resources, the Board of Library Commissioners has developed a new web page that provides the new remote access links for these products to each library that currently offers remote access by library card number. This includes most Massachusetts public libraries, as well as certain academic and K-12 regional member libraries.
Geolocation is currently employed for statewide electronic resources only. The approximate ten-mile radius for geolocation is not sufficiently accurate to allow for authorizing products licensed by regions, networks, or individual institutions and libraries.
Libraries should not attempt to replace their in-library links with the new remote links:
- IP and persistent cookie authentication are still the most reliable methods for in-library authentication. Sometimes geolocation fails, and users will be forced to type in a library card number when they shouldn't have to.
- All geolocation requests go through Board of Library Commissioners servers. If the Agency server becomes unavailable, it may mean that no one can access any statewide licensed content, even if the vendors' sites are up and running normally.
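
The access decision described on this page, written out as an added example (not code from the Board of Library Commissioners or any vendor): registered IP range first, then persistent cookie, then a library card number, then geolocation, which authorizes statewide content only. The record layout, function names, IP ranges, cookie token and card number are all constructed assumptions for illustration.

```python
import hmac
import ipaddress

FULL = ["library", "network", "region", "state"]

# Constructed sample record: documentation-range IPs, made-up token and card number.
MEDFORD = {
    "ip_ranges": ["192.0.2.0/26", "198.51.100.16/28"],  # static ranges reported to vendors
    "cookie_token": "constructed-cookie-value",          # set once per dynamic-IP workstation
    "cards": {"21400000000001"},
}

def in_registered_range(ip, ranges):
    """True if ip parses and falls inside one of the approved ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed address never authenticates
    return any(addr in ipaddress.ip_network(r) for r in ranges)

def authorize(ip, cookie=None, card=None, geo_state=None, library=MEDFORD):
    """Return (method, tiers of licensed content the user may view)."""
    if in_registered_range(ip, library["ip_ranges"]):
        return "ip", FULL
    if cookie is not None and hmac.compare_digest(
            cookie.encode(), library["cookie_token"].encode()):
        return "cookie", FULL
    if card in library["cards"]:
        return "card", FULL  # the credential identifies the home library
    if geo_state == "MA":
        # ~10-mile accuracy: enough for statewide content, not for narrower tiers
        return "geolocation", ["state"]
    return "denied", []

if __name__ == "__main__":
    print(authorize("192.0.2.10"))
    print(authorize("203.0.113.5", geo_state="MA"))
    print(authorize("203.0.113.5", geo_state="NY", card="21400000000001"))
```

A card number is checked before geolocation here because it yields the wider set of tiers; a user located in Massachusetts who supplies no card still reaches statewide content without being prompted.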
