Re: Best practices for identifying students

["Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>]

In the age of Facebook, it is too easy to obtain a picture to text or email.
Student record quizzes and security questions are in my opinion too easy to obtain.

I like schemes that offer the user multiple ways to prove their identity such as:
Sending a onetime use link to a personal, preregistered email address
Sending a code to a preregistered mobile phone
Placing a live call to a preregistered mobile phone
Conducting the ‘in-person’ identity vetting procedure over live video



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of WALTER 
KERNER
Sent: Thursday, September 07, 2017 6:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Best practices for identifying students

Hi all.  Can you comment on your practices and procedures for confirming student identity if they request a password 
re-set?  We have to service people in person, through email, and on the phone.  A couple of ideas if have heard


Ask the caller/emailer to text or email a picture of him/herself

Ask the caller/emailer questions from his/her student record, like birthdate or course name

Set up a knowledge-based question set like mother’s maiden name or favorite movie.

Are you using these or other techniques?  We appreciate the insights.  Thanks



Walter Kerner
Acting AVP and CISO
[blue]
333 7th Avenue, 13th Floor
New York, NY 10001
Voice: 212-217-3415