Educause Security Discussion mailing list archives

Re: Regulatory Compliance / User Training / Identity Confirmation


From: Gary Flynn <flynngn () JMU EDU>
Date: Fri, 21 Nov 2008 15:03:15 -0500

Anthony Maszeroski wrote:

3.) If I'm interpreting the proposed new FERPA regulations correctly,
the days of formulaic initial passwords derived from an individual's
D.O.B. and/or SSN are numbered (no pun intended). For institutions that
have already been down this road, have you moved to random initial
passwords? If so, how do you distribute them? We'd like to avoid paper
mailings if at all possible and instead distribute them electronically
with an identity confirmation system front-end similar to the one
utilized at AnnualCreditReport.com. The problem is finding enough data
on a new student that can be mined to populate the question/answer
challenges.


We've been exploring options. The latest one under consideration
can be summarized as follows:

1. The student provides the following on their application:

   a. Answers to three of eight secret questions
   b. External e-mail address
   c. Cell phone number (optional)

2. Upon acceptance, student receives postal and/or electronic
   message containing:

   a. Their account name
   b. URL where account can be activated. www.jmu.edu/activateAccount-1

3. Student visits web site and answers their three secret questions.

4. A message is sent to their e-mail and/or cellphone listed on
   their application containing:

   a. a temporary, time limited password
   b. another URL - www.jmu.edu/activateAccount-2

5. Student visits web site and finishes activation.

Fallback methods in order:

  Postal mail of password ^H^H^H^H PIN to address of record
  Physical helpdesk visit
  Interactive verification based on student records

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
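One way to model the five-step activation flow described above, as an added illustration that is not part of the original message or of JMU's system; the class and function names, the 15-minute lifetime and the account-salted SHA-256 answer hashing are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
import time
TEMP_PW_TTL = 15 * 60  # assumed lifetime of the step-4 temporary password (seconds)

def _normalize(answer: str) -> str:
    return " ".join(answer.lower().split())  # case/whitespace-insensitive answers

def hash_answer(account: str, answer: str) -> str:
    # Salted with the account name so identical answers from different students
    # do not share a hash; a slow KDF such as PBKDF2 would be preferable in production.
    return hashlib.sha256(f"{account}:{_normalize(answer)}".encode()).hexdigest()

class ActivationStore:
    def __init__(self):
        self.answers = {}  # account -> {question_id: answer_hash}  (step 1a)
        self.temp = {}     # account -> (pw_hash, expires_at, used)  (step 4a)

    def enroll(self, account, qa):
        self.answers[account] = {q: hash_answer(account, a) for q, a in qa.items()}

    def verify_answers(self, account, attempt):
        # Step 3: all three answers must match. Every answer is checked so the
        # response time does not reveal which one failed; rate-limit this in practice.
        stored = self.answers.get(account, {})
        ok = len(attempt) == 3
        for q, a in attempt.items():
            ok &= hmac.compare_digest(stored.get(q, ""), hash_answer(account, a))
        return ok

    def issue_temp_password(self, account, now=None):
        # Step 4a: random, held only as a hash, expires after TEMP_PW_TTL.
        now = time.time() if now is None else now
        pw = secrets.token_urlsafe(12)
        self.temp[account] = (hashlib.sha256(pw.encode()).hexdigest(), now + TEMP_PW_TTL, False)
        return pw  # delivered out of band (e-mail / cell phone), never stored in the clear

    def redeem_temp_password(self, account, pw, now=None):
        # Step 5: reject unknown, expired, already-used or mismatched passwords.
        now = time.time() if now is None else now
        rec = self.temp.get(account)
        if rec is None:
            return False
        pw_hash, expires_at, used = rec
        supplied = hashlib.sha256(pw.encode()).hexdigest()
        if used or now > expires_at or not hmac.compare_digest(pw_hash, supplied):
            return False
        self.temp[account] = (pw_hash, expires_at, True)  # single use
        return True
```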
