Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] Banner Parent Proxy
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 10 Feb 2021 08:34:32 -0500
On Tue, Feb 9, 2021 at 11:44 PM Uday Kiran <ukiran () hct ac ae> wrote:
1. MFA can be implemented but you need to check if non-WSU users can be supported. And student need to give the parent’s email ID to enter into the system, validation should be done as per the student’s records if the person logging in is really a parent/guardian. 2. General Counsel department needs to vet the controls we have put in for this portal as per FERPA.
I'll second both of these comments. For context, one of the questions was: 1. It looks like the only thing required to give someone proxy access is a valid email, has anyone put something in place to validate the proxy user is an actual parent or guardian? Unless it's someone acting on behalf of a minor, is that really all that important? If the student says "this person is authorised to see and do these things", does the relationship to the student *need* to be verified? I have a sibling who is a student at my uni. If she authorised me to view <x> and make a payment for her via the parent portal, does it matter that I'm not her parent or guardian? That answer might be yes, I don't know (that's why I'm asking =)). And same for us, both our Registrar's Office and our General Counsel were involved before we turned on the parent portal. Be warned, though...we still get multiple MFA fraud notifications every night because parents want to login as the student rather than use the proxy access. The student gives them their password, the parent logs in a few hours (days / weeks) later, the student (rightly) hits "Fraudulent Login", we follow up with the student and they let us know it was a parent paying a bill and the parent didn't tell them they were logging in. kmw ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Banner Parent Proxy Garrett McManaway (Feb 09)
- Re: [External] [SECURITY] Banner Parent Proxy Gregg, Christopher S. (Feb 09)
- <Possible follow-ups>
- Re: Banner Parent Proxy Uday Kiran (Feb 09)
- Re: [External] Re: [SECURITY] Banner Parent Proxy Kevin Wilcox (Feb 10)