Educause Security Discussion mailing list archives
Re: Student Validation
From: "Lovaas,Steven" <Steven.Lovaas () COLOSTATE EDU>
Date: Thu, 29 Nov 2018 22:17:50 +0000
Hi Michael, Sharing specific tactics is a little risky on a listserv, but you might think about the following as you confront this decision: 1) Avoid static information 2) Avoid demographic information 3) Be creative about asking for dynamic information you can easily verify but would be tougher for an opponent to determine Examples of #3 might include current course enrollments, name of current roommate, name of instructor for a currently enrolled course, etc. Nothing is perfect or perfectly safe, but if you MUST resort to knowledge-based authentication for remote verification, these are better than the kinds of information that show up in lists from breached data aggregators. Good luck! Steve ================================ Steven Lovaas University Information Security Officer Colorado State University steven.lovaas () colostate edu<mailto:steven.lovaas () colostate edu> 970-297-3707 Mit der Dummheit kämpfen Götter selbst vergebens. ================================ ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Madl, Michael <michael.madl () INDWES EDU> Sent: Thursday, November 29, 2018 3:04:30 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Student Validation We are batting around ideas on reworking how we validate a students identity when they call in [i.e. registrars office, help desk etc.] either to update or ask for information. Could any of you share what type of data you are asking your student population for? It seems like every point of potentially protected data has been compromised these days so is there a combination that has worked well for you all? Appreciate thoughts in advance. MICHAEL MADL INFORMATION SECURITY OFFICER UNIVERSITY INFORMATION TECHNOLOGY [cid:image003.jpg@01D48021.0B3F2230] DO NOT provide your username, password, or any personal information requested by any email. IWU WILL NEVER ask you for your username or password via email. DO NOT CLICK links or attachments unless you are positive the content is safe. CONFIDENTIALITY NOTICE: This email, including applicable attachments, may include legally protected information. If you are not the intended recipient of this message, you may not disclose, print, copy, save, or disseminate this information. If you have received this email in error, please notify the sender by replying to this message and immediately delete this message. e this message. Thank you.
Current thread:
- Student Validation Madl, Michael (Nov 29)
- Re: Student Validation Lovaas,Steven (Nov 29)
- Re: Student Validation Jones, Mark B (Nov 29)
- Re: Student Validation Lovaas,Steven (Nov 29)