Educause Security Discussion mailing list archives
National Student Clearinghouse authentication changes
From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 7 Nov 2008 10:01:05 -0600
We refer many students and others to the National Student Clearinghouse (NSC) to get enrollment verifications. When we registered for this service, the NSC offered several options for referring students from our web site. The one we chose was the client-side authentication, where the student authenticates (with our standard net ID and password), then chooses the link to the NSC, then the student enters in the name, date of birth, and SSN. This helped to prevent anyone not a student at a school which registered for this service at the NSC to access the service. Now the NSC no longer offers that option, and is requiring us to switch to a system where we authenticate the student, then pass the SSN in the URL to them. Apparently now they want us to do their authentication for them. It seems to me that passing the SSN in the URL would allow the user to simply modify the SSN in the URL to someone else's and then gain access to the information for the person with that other SSN. What are others doing regarding this NSC policy change?
Current thread:
- National Student Clearinghouse authentication changes Kevin Shalla (Nov 07)
- <Possible follow-ups>
- Re: National Student Clearinghouse authentication changes Alex (Nov 07)
- Re: National Student Clearinghouse authentication changes Steven Carmody (Nov 10)
- Re: National Student Clearinghouse authentication changes Kevin Shalla (Nov 10)
- Re: National Student Clearinghouse authentication changes Theresa Rowe (Nov 10)