Session security levels

CONNECT supports various session security levels and conditions for transitioning between levels for different user types.

During an active session, the administration roles assigned to a user are enforced based on the session's security level which is determined by specific authentication methods.

Different actions or users require different levels of protection. Common activities, such as viewing a profile, involve minimal risk, while actions like changing account details or performing administrative tasks require stricter authentication.

CONNECT supports three levels of security to balance security and usability based on the nature of the action and the authentication method used:
  • Weak Security Level: This session is established using a "Remember Me" cookie, allowing users to view their profile and edit non-sensitive attributes without requiring re-authentication.
  • Strong Security Level: This session is established through password authentication, passkeys, or supported third-party login providers such as Google, Microsoft, ORCID, or Apple. It allows users to perform higher-risk actions, such as logging in for the first time or updating personal details (e.g., passwords, emails).
  • Secure Security Level: This session is established through a one-time code or passkeys, allowing administrative access.

Transitioning between security levels

A session can transition from a lower security level to a higher one when the user provides additional authentication. CONNECT automatically determines the required security level based on the action being performed and prompts the user with the appropriate authentication method.

If a session remains idle for 15 minutes, its security level resets to weak, requiring re-authentication for any higher-security actions.

Security levels and allowed actions

The table below summarizes the actions permitted at each security level and the required authentication methods to perform them:

Session security level: Weak
  Authentication method: Remember Me cookie
  Permissions: all actions except:
    • Change password
    • Add/remove/change email
    • Administrative permissions granted through the assigned admin role to a user

Session security level: Strong
  Authentication methods:
    • email/password login
    • Google/Microsoft/Apple ID
    • ORCID iD
  Permissions: all actions except administrative permissions granted through the assigned admin role to a user.

Session security level: Secure
  Authentication methods:
    • One Time Code
    • Passkey
  Permissions: all actions, including administrative permissions granted through the assigned admin role to a user.
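A minimal model of the rules described under "Transitioning between security levels" and in the table above (the level each authentication method establishes, the minimum level each action needs, step-up on additional authentication, and the 15-minute idle reset to weak), as an added Python example that is not CONNECT's own code; the action and method names are illustrative assumptions.

```python
from enum import IntEnum

class Level(IntEnum):
    WEAK = 1
    STRONG = 2
    SECURE = 3

# Security level each authentication method establishes (per the table above;
# method names are illustrative assumptions).
METHOD_LEVEL = {
    "remember_me_cookie": Level.WEAK,
    "password": Level.STRONG, "google": Level.STRONG, "microsoft": Level.STRONG,
    "apple": Level.STRONG, "orcid": Level.STRONG,
    "one_time_code": Level.SECURE, "passkey": Level.SECURE,
}

# Minimum level an action needs; anything not listed is allowed at WEAK.
ACTION_LEVEL = {
    "change_password": Level.STRONG,
    "change_email": Level.STRONG,
    "admin_action": Level.SECURE,
}
IDLE_TIMEOUT_SECONDS = 15 * 60

class Session:
    def __init__(self, now):
        self.level = Level.WEAK        # a fresh session starts weak
        self.last_activity = now       # timestamps are plain seconds

    def _touch(self, now):
        # Idle for 15 minutes or more: the level resets to weak.
        if now - self.last_activity >= IDLE_TIMEOUT_SECONDS:
            self.level = Level.WEAK
        self.last_activity = now

    def authenticate(self, method, now):
        self._touch(now)
        # Additional authentication only ever raises the level (assumption:
        # a weaker method does not downgrade an established session).
        self.level = max(self.level, METHOD_LEVEL[method])
        return self.level

    def authorize(self, action, now):
        self._touch(now)
        required = ACTION_LEVEL.get(action, Level.WEAK)
        if self.level >= required:
            return "allowed"
        # Tell the caller which authentication to prompt for.
        return f"step_up_required:{required.name}"
```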