News: AuthGate now supports Google Authenticator.

Authgate trials for 'Google Authenticator' are now underway, see this page for more information.

AuthGate Privacy Policy/Terms of Service
This policy details the use of personal data gathered and collected by AuthGate, and the use of cookies by the AuthGate service.

This policy also details the Terms of the service provided.

This policy was last changed: 20 September 2009 at 19:45

Contents


Personal Information

Upon Registering your account with AuthGate, you are asked to provide some personal information.
The Stored Data will never be sold on, or distributed to third parties, and will not be made available to member sites without your permission. (However, the AuthGate API does permit selected member sites to send email to specific users via the AuthGate site. Your email address will not be disclosed by the API only the AuthGate site knows your Address)
Data may be provided to Law Enforcement agencies upon written request. (Contact AuthGateLegal at dataforce.org.uk for details on where to send written correspondance). If this occurs, unless prohibited by law, efforts will be made to notify the user.
The data stored will not be used by AuthGate unless we need to contact you. (In which case we will use EMail, followed by your postal address or Phone number depending on the urgency or nature of the request and the availability of such information)

Should a Member Site request your information, we shall contact you and seek your permission before the data is given. Should you not reply within 14 days (2 weeks), the request shall be denied, this may result in an inability for you to access/recieve a particual service/product on the member site.

It is your decision whether or not to provide a valid address/phone number on signup, all that we request is a valid Name and EMail address.
Should you wish to view the data stored, or request that it be changed or even deleted, you may contact AuthGateData at dataforce.org.uk stating your account name, and the reason you would like your details removed from our database. Requests will only be honoured from the EMail Address registered for that account. Should you no longer have access to the email address registered, you will need to contact us and provide as much information about your account as possible to aid with verification, this will allow us to comply with your request, and change your stored address. It is advised however that you contact us from your old address prior to changing it.

Data Security

Data/Information transfered (including but not limited to your password and contact information when registering) to and from the AuthGate website are currently transfered in plain text, and not HTTPS (Secure HTTP), so you may wish to use a different password for AuthGate than you do for other important accounts such as your email or banking. We are looking at providing HTTPS support on our website (using a non self-signed SSL Certificate) with as little cost as possible (in an attempt to keep AuthGate Free and AD-Free). In an attempt to improve security, we now provide a login using AJAX that only sends a one-way hash of your password to the server when logging in, rather than a plaintext version, there is also the 'Authgate Authenticator' which can optionally be added to an account in order to add further security.
All Data/Information is stored in a secured database on a Secured Server. This data can only be accessed by a server administrator. All Passwords are hashed (manipulated by mathematical functions which cannot be reversed) before being stored, to make it very difficult (usually impossible) for them to be recovered from the database.
A lot of effort has been put into the securing the scripts that run this website to protect your data and privacy.
In the unlikely event that the security of the database is compromised, users will be notified as soon as we are aware of the issue.

Stored Data and its uses.

We store the following data on our server:
  1. Account Username: This is the name used to identify you with AuthGate and member sites. This is passed on to member sites when you login.
  2. Password: This is the "key" to your account. This is not passed on to anyone.
  3. Access Level: This is used to identify your level of access on the AuthGate system. Users have level "1" access. Owners of member sites get level "2" access. Administrators have level "1000" access. This is passed on to member sites when you login.
  4. Firstname / Surname: This is used to address you in correspondance. This is not passed on to member sites without your permission.
  5. Your Address: This may be used to contact you for formal (eg Legal Realted) requests should EMail not be available or appropriate. This is not passed on to member sites without your permission.
  6. Your Phone Number: This may be used to contact you for less-formal, or urgent requests should EMail not be available or appropriate. This is not passed on to member sites without your permission
  7. Your EMail Address: This will be used as the primary method of contacting you before resorting to other methods. This is not passed on to member sites without your permission
  8. Account Creation Time: This is used for statistical purposes and is not passed on to anyone.
  9. Last Login Time: This is used for statistical purposes and is not passed on to anyone.
  10. Authenticator Secret Code: If you have enabled an Authenticator on your account, we store the secret code to allow for verification.

Cookies

The AuthGate service makes use of "cookies". (See "What is a cookie?" below)
Most of the cookies used by AuthGate are "Session-Length" cookies (unless specified below), which means once you close your browser they will be removed from your computer. They are not permanent like cookies provided by other services (Such as Banner Advertisements)
The AuthGate server uses cookies to track information about your login "Ticket". This allows the server to know who you are when you have logged in, this means we do not need to make you login every time you visit the site during your browsing session. (This also allows you to login to member sites without entering your password more than once per session). Login Tickets last 24 hours unless you renew them. (Renewal changes the expirey to 24 hours after the renewal took place). If you close your browser, your ticket automatically expires, and you will have to login again.
The AuthGate website sends you 2 cookies when you login (This contains your ticket information and allows the ticket to be validated.) and member sites will send you the same 2 cookies to allow identification on their domain. (Member sites may further utilise cookies outside the normal Authgate cookie usage, this can not be controlled by Authgate)
AuthGate-Related Cookies from member sites are also Session Length.

The following cookie names are used:
  1. AuthGate[Auth]: This is used to store the authorisation code for your login ticket.
  2. AuthGate[ID]: This is used to store the Ticket ID number for your login ticket.
  3. AuthGate_NOAJAX: This is used to remember if you opt not to use AJAX Login. (This is a permanent cookie)
  4. AuthGate_OPENID: This is used to remember if you last logged in using OpenID. (This is a permanent cookie)

What is a Cookie?

A cookie is a small amount of data, which often includes an anonymous unique identifier that is sent to your browser from a website's computer and stored on your computer's hard drive. Each website can send its own cookie to your browser if your browser's preferences allow it, but (to protect your privacy) your browser only permits a web site to access the cookies it has already sent to you, not the cookies sent to you by other sites.

Many sites do this whenever a user visits their website in order to track online traffic flows, or in the case of Banner Advertisements, to check your browsing habbits to allow them to target adverts at you

Users have the opportunity to set their computers to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these, of course, means that certain personalised services cannot then be provided to that user user and accordingly you will not be able to use the AuthGate Service. Each browser is different, so check the "Help" menu of your browser to learn how to change your cookie preferences.

If you have set your computer to reject cookies you can not make use of AuthGate. For further information on cookies please visit http://www.AboutCookies.org/.

How Does the service work?

When you login to AuthGate.co.uk (either via a redirect from a Member Site, or directly) the server sends your browser a cookie to identify you on return.
When a member site needs a login from you, it redirects to you to a special page on the AuthGate server that checks for the presence of an AuthGate cookie, should the cookie be present, you will be redirect back to the member site, giving them the details about your ticket. They then use these details (An Authorisation Code and a Ticket ID Number) to validated the ticket with AuthGate. Once the ticket has been validated the site will set its own Cookies to prevent you having to be redirected to the AuthGate server again, and to allow it to know you are logged in.
Should you not be already logged in when the member site redirects you to the AuthGate Server, you will be presented with a login screen (The name of the site you are logging in to will be shown under the password field). Once you login you will be redirected back to the member site using the same system as if you were already logged in.
When you logout of AuthGate, you will be logged out of all member sites aswell. (Your login ticket is deleted, and thus fails validation). You will also be logged out of all member sites when you close your browser.

Terms of Service

By logging in to AuthGate you acknowledge that the use of the service is a privilege not a right, and can be removed at any time.
Abuse of the service (such as registering multiple accounts to get round site-specific bans) is not tollerated, and will be delt with on a case-by-case basis according to the severity of the case.
By using this service you agree that: AuthGate is not responsible for content or services provided by its member sites, AuthGate simply serves as a method to allow a Centralised login system for multiple sites.
The Terms of Service or the Privacy Policy may be changed at any time. In the event of a major change, Users will be alerted by email. Changes will effect all newly created accounts, and all old accounts will have 7 days (1 week) before the changes take effect. This allows you to request the removal of your account should you disagree with the new terms.

AuthGate Home
Privacy Policy/Terms of Service
Register an Account
OpenID Support
Google Authenticator