Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Regulatory Compliance / User Training / Identity Confirmation
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 21 Nov 2008 15:03:15 -0500

Anthony Maszeroski wrote:

3.) If I'm interpreting the proposed new FERPA regulations correctly,
the days of formulaic initial passwords derived from an individual's
D.O.B. and/or SSN are numbered (no pun intended). For institutions that
have already been down this road, have you moved to random initial
passwords? If so, how do you distribute them? We'd like to avoid paper
mailings if at all possible and instead distribute them electronically
with an identity confirmation system front-end similar to the one
utilized at AnnualCreditReport.com. The problem is finding enough data
on a new student that can be mined to populate the question/answer

We've been exploring options. The latest one under consideration
can be summarized as follows:

1. The student provides the following on their application:

   a. Answers to three of eight secret questions.
   b. External e-mail address
   c. Cell phone number ( optional )

2. Upon acceptance, student receives postal and/or electronic
   message containing:

   a. Their account name
   b. URL where account can be activated. www.jmu.edu/activateAccount-1

3. Student visits web site and answers their three secret questions.

4. A message is sent to their e-mail and/or cellphone listed on
   their application containing:

   a. a temporary, time limited password
   b. another URL - www.jmu.edu/activateAccount-2

5. Student visits web site and finishes activation.

Fallback methods in order:

  Postal mail of password ^H^H^H^H PIN to address of record
  Physical helpdesk visit
  Interactive verification based on student records

Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]