Educause Security Discussion mailing list archives
Re: Onboarding
From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Fri, 31 Oct 2014 14:54:48 +0000
If you want to do a ‘deep dive’ into this topic you need to reference the following… - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf - http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf - http://www.incommon.org/assurance/ - http://www.nist.gov/nstic/ We are looking at collecting a personal email address when students apply and then treating that as an address of record where we can send a short lived, one-time use link for the student to set their initial password. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Halgren Sent: Friday, October 31, 2014 8:32 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Onboarding We do the same thing. The fundamental challenge is in validating identity so you can ensure you are getting the information to the right person. The typical means to validate identity are government issued documents like driver’s license or equivalent, birth certificate, social security card, passport, and the like. None of those are particularly web-friendly. For commercial services, they often use credit card and cell phone number, and while that may provide some accountability it does not really represent proof of identity, which is why online identities are commonly forged. If you can find some web-friendly solution to identity validation then you can address the issue, but I can’t think of anything good. I’m hoping someone has better ideas because I’d love to hear them as well. Kevin From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Kaftan Sent: Friday, October 31, 2014 8:13 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Onboarding Forgive me if this has been brought up recently. I have been offline for a while. How are you getting your students logged in and setup with a username and password initially? We are sending people a mailer telling them their initial password and a url to connect to. Then they log in with their SSN and this password for the first time. Once they do that they get their username and are prompted to setup a new password. It works but it is clunky as students have to wait for us to send them that mailing before they can get in. In the era of “instamatically” I am wondering if we can do better. What is your organization doing? I have seen SSN and birthday suffice for initial setup. Also, do folks get logins after they are admitted or after they register for a class. Oh one more, do non-credit (continuing ed) students get a login? Thanks John Kaftan Dean of Information Technology Cayuga Community College 315.294.8520 It’s all about the students.
Attachment:
smime.p7s
Description:
Current thread:
- Onboarding John Kaftan (Oct 31)
- Re: Onboarding Kevin Halgren (Oct 31)
- Re: Onboarding Jones, Mark B (Oct 31)
- Re: Onboarding Kevin McCormick (Nov 01)
- Re: Onboarding Kevin Halgren (Oct 31)