Educause Security Discussion mailing list archives

Re: Onboarding

From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Fri, 31 Oct 2014 14:54:48 +0000

If you want to do a ‘deep dive’ into this topic you need to reference the following…

-          http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

-          http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy04/m04-04.pdf 

-          http://www.incommon.org/assurance/

-          http://www.nist.gov/nstic/

 

We are looking at collecting a personal email address when students apply and then treating that as an address of 
record where we can send a short lived, one-time use link for the student to set their initial password.

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
Halgren
Sent: Friday, October 31, 2014 8:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Onboarding

 

We do the same thing.  The fundamental challenge is in validating identity so you can ensure you are getting the 
information to the right person.  The typical means to validate identity are government issued documents like driver’s 
license or equivalent, birth certificate, social security card, passport, and the like.  None of those are particularly 
web-friendly.

 

For commercial services, they often use credit card and cell phone number, and while that may provide some 
accountability it does not really represent proof of identity, which is why online identities are commonly forged.

 

If you can find some web-friendly solution to identity validation then you can address the issue, but I can’t think of 
anything good.  I’m hoping someone has better ideas because I’d love to hear them as well.

 

Kevin

 

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
Kaftan
Sent: Friday, October 31, 2014 8:13 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Onboarding

 

Forgive me if this has been brought up recently.  I have been offline for a while.

 

How are you getting your students logged in and setup with a username and password initially?  We are sending people a 
mailer telling them their initial password and a url to connect to.  Then they log in with their SSN and this password 
for the first time.  Once they do that they get their username and are prompted to setup a new password.

 

It works but it is clunky as students have to wait for us to send them that mailing before they can get in.  In the era 
of “instamatically” I am wondering if we can do better.

 

What is your organization doing?  I have seen SSN and birthday suffice for initial setup.

 

Also, do folks get logins after they are admitted or after they register for a class.  Oh one more, do non-credit 
(continuing ed) students get a login?

 

Thanks

 

 

John Kaftan

Dean of Information Technology

Cayuga Community College

315.294.8520

It’s all about the students.

Attachment: smime.p7s
Description:

Current thread:

Onboarding John Kaftan (Oct 31)
- Re: Onboarding Kevin Halgren (Oct 31)
  - Re: Onboarding Jones, Mark B (Oct 31)
- Re: Onboarding Kevin McCormick (Nov 01)