Institutional authentication policy

The most common method of authenticating authorized users of ScienceDirect is by IP- address recognition. This means that only users that are using computers within an institute's registered IP address range will be allowed to access that institute's subscribed content. This is the so-called "one-factor authentication", and automatically limits access to ScienceDirect to the premises of the institute.

For users that want to access their institute's subscribed content on ScienceDirect from outside their institute's premises, the ScienceDirect license requires the institute to deploy username/password authentication. This can be ScienceDirect's built-in username/password functionality, but also compatible authentication methods like Athens and Shibboleth. Next to this, the use of proxy servers with proprietary authentication is allowed.

The ScienceDirect license requires that, regardless of authentication mechanism, two-factor authentication is used by off-site users. This means that remote users should use at least two variables to authenticate. Examples of this are a username and a password, a staff ID and a PIN, or an email address and a software token. Proxy servers that only require a staff ID to log in (without additional password) are, therefore, not allowed for authenticating ScienceDirect users.

Whenever Elsevier notices that two-factor authentication is not deployed for off-site access to ScienceDirect at an institute, we will contact the institute to address the situation and offer advice on alternative authentication methods if needed.