Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] Banner Parent Proxy


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 10 Feb 2021 08:34:32 -0500

On Tue, Feb 9, 2021 at 11:44 PM Uday Kiran <ukiran () hct ac ae> wrote:



   1. MFA can be implemented but you need to check if non-WSU users can
   be supported. And the student needs to give the parent’s email ID to enter
   into the system; validation should be done as per the student’s records if
   the person logging in is really a parent/guardian.
   2. General Counsel department needs to vet the controls we have put in
   for this portal as per FERPA.


I'll second both of these comments. For context, one of the questions was:


   1. It looks like the only thing required to give someone proxy access is
   a valid email. Has anyone put something in place to validate the proxy user
   is an actual parent or guardian?


Unless it's someone acting on behalf of a minor, is that really all that
important? If the student says "this person is authorised to see and do
these things", does the relationship to the student *need* to be verified?
I have a sibling who is a student at my uni. If she authorised me to view
<x> and make a payment for her via the parent portal, does it matter that
I'm not her parent or guardian?

That answer might be yes, I don't know (that's why I'm asking =)).

And same for us, both our Registrar's Office and our General Counsel were
involved before we turned on the parent portal.

Be warned, though...we still get multiple MFA fraud notifications every
night because parents want to log in as the student rather than use the
proxy access. The student gives them their password, the parent logs in a
few hours (days / weeks) later, the student (rightly) hits "Fraudulent
Login", we follow up with the student and they let us know it was a parent
paying a bill and the parent didn't tell them they were logging in.

kmw
