Home page logo

educause logo Educause Security Discussion mailing list archives

National Student Clearinghouse authentication changes
From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 7 Nov 2008 10:01:05 -0600

We refer many students and others to the National Student
Clearinghouse (NSC) to get enrollment verifications.  When we
registered for this service, the NSC offered several options for
referring students from our web site.  The one we chose was the
client-side authentication, where the student authenticates (with our
standard net ID and password), then chooses the link to the NSC, then
the student enters in the name, date of birth, and SSN.  This helped
to prevent anyone not a student at a school which registered for this
service at the NSC to access the service.

Now the NSC no longer offers that option, and is requiring us to
switch to a system where we authenticate the student, then pass the
SSN in the URL to them.  Apparently now they want us to do their
authentication for them.  It seems to me that passing the SSN in the
URL would allow the user to simply modify the SSN in the URL to
someone else's and then gain access to the information for the person
with that other SSN.  What are others doing regarding this NSC policy change?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]