Educause Security Discussion mailing list archives
Re: Regulatory Compliance / User Training / Identity Confirmation
From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 21 Nov 2008 15:03:15 -0500
Anthony Maszeroski wrote:
3.) If I'm interpreting the proposed new FERPA regulations correctly, the days of formulaic initial passwords derived from an individual's D.O.B. and/or SSN are numbered (no pun intended). For institutions that have already been down this road, have you moved to random initial passwords? If so, how do you distribute them? We'd like to avoid paper mailings if at all possible and instead distribute them electronically with an identity confirmation system front-end similar to the one utilized at AnnualCreditReport.com. The problem is finding enough data on a new student that can be mined to populate the question/answer challenges.
We've been exploring options. The latest one under consideration can be summarized as follows:

1. The student provides the following on their application:
   a. Answers to three of eight secret questions.
   b. External e-mail address
   c. Cell phone number (optional)
2. Upon acceptance, student receives postal and/or electronic message containing:
   a. Their account name
   b. URL where account can be activated. www.jmu.edu/activateAccount-1
3. Student visits web site and answers their three secret questions.
4. A message is sent to their e-mail and/or cellphone listed on their application containing:
   a. a temporary, time limited password
   b. another URL - www.jmu.edu/activateAccount-2
5. Student visits web site and finishes activation.

Fallback methods in order:

- Postal mail of password ^H^H^H^H PIN to address of record
- Physical helpdesk visit
- Interactive verification based on student records

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
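Steps 4 and 5 of the flow in the message above, sketched as an added example that is not part of the original post or of any JMU system: a random temporary password is issued, only its salted hash is stored, and it is accepted once within a time window. The 15-minute lifetime, 12-character length, five-guess limit and in-memory `ActivationStore` are assumptions; the post says only "temporary, time limited".

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60   # assumed lifetime of the temporary password
MAX_ATTEMPTS = 5        # assumed guess limit per issued password
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ActivationStore:
    """In-memory stand-in (hypothetical) for the activation database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [salt, digest, expires_at, attempts_left]

    def issue(self, account):
        """Step 4: generate the password; keep only its salted hash."""
        password = "".join(secrets.choice(ALPHABET) for _ in range(12))
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + TTL_SECONDS
        self._pending[account] = [salt, _digest(password, salt),
                                  expires_at, MAX_ATTEMPTS]
        return password  # delivered to the e-mail/cell phone on the application

    def redeem(self, account, candidate):
        """Step 5: accept once, inside the window, with limited guesses."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[account]  # expired or locked: force a re-issue
            return False
        if hmac.compare_digest(_digest(candidate, salt), digest):
            del self._pending[account]  # single use
            return True
        entry[3] = attempts_left - 1
        return False
```

Issuing a new password for an account overwrites the pending one, so a re-sent message invalidates the earlier password.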