Educause Security Discussion mailing list archives

Re: Student Validation


From: "Jones, Mark B" <Mark.B.Jones () UTH TMC EDU>
Date: Fri, 30 Nov 2018 03:12:21 +0000

I don't like any version of KBA.
I think mechanisms that make use of personal phone numbers or email addresses that are in the person's official record 
are much better.  Send the user a password reset link/code to their personal phone or email of record.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Lovaas,Steven
Sent: Thursday, November 29, 2018 4:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student Validation


Hi Michael,



Sharing specific tactics is a little risky on a listserv, but you might think about the following as you confront this 
decision:



1) Avoid static information

2) Avoid demographic information

3) Be creative about asking for dynamic information you can easily verify but would be tougher for an opponent to 
determine



Examples of #3 might include current course enrollments, name of current roommate, name of instructor for a currently 
enrolled course, etc. Nothing is perfect or perfectly safe, but if you MUST resort to knowledge-based authentication 
for remote verification, these are better than the kinds of information that show up in lists from breached data 
aggregators.



Good luck!

Steve


================================
Steven Lovaas
University Information Security Officer
Colorado State University
steven.lovaas () colostate edu
970-297-3707
Against stupidity the gods themselves contend in vain.
================================
________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Madl, Michael <michael.madl () INDWES EDU>
Sent: Thursday, November 29, 2018 3:04:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Student Validation


We are batting around ideas on reworking how we validate a student's identity when they call in [i.e. registrar's office, 
help desk etc.] either to update or ask for information.



Could any of you share what type of data you are asking your student population for?  It seems like every point of 
potentially protected data has been compromised these days so is there a combination that has worked well for you all?



Appreciate thoughts in advance.





MICHAEL MADL

INFORMATION SECURITY OFFICER

UNIVERSITY INFORMATION TECHNOLOGY





