Educause Security Discussion mailing list archives

Equifax Work Number


From: Dean Halter <dean.halter () NOTES UDAYTON EDU>
Date: Thu, 6 Aug 2015 09:46:03 -0400

We are considering engaging Equifax to allow our current and past employees
to electronically verify employment and income to lenders, social services,
etc.  Users get accounts and can log in and specifically provide
"verifiers" access to their personal information as necessary.

This solution is intended to be available for both current and past
employees so central authentication isn't going to work for everyone.  One
of the suggestions we received is to use the SSN for username and a password
composed of some combination of last name/part of birth date/etc. for
authentication.  There will be security controls in place like locking the
account after xx failed attempts.  Assuming the controls are adequate, what
are other schools using for username/passwords and what are best practices
for authentication of past employees?

I'd also be interested in your opinions on whether the risks with respect
to privacy and security of these types of solutions are greater than their
reward.

Thanks in advance,
Dean
___________
Dean Halter, CISA, CISSP
IT Risk Management Officer, UDit
University of Dayton
Miriam Hall 358
(937) 229-4387

"Security is a process, not a product."  Bruce Schneier
