Effects of alcoholism and paxil xanax….

Anytime I see an SSN on campus, I ask myself, why an SSN and not a student or employee ID? Some campus depts obviously need it (HR, Financial Aid), but can they be more properly cared for? Does HR really need to ask for an SSN on the job application, or can it be ascertained after the indivdual has been hired? I was able to obtain 3-4 SSNs just by looking at faculty candidate folder in our office this past year! The big question goes beyond ITS and really is geared more towards indivdual departments who do use SSNs. There’s some social engineering that needs to happen here, and I believe that some of that burden must fall on campus entities other than ITS.

That’s my 2 cents. You guys are on the front lines of all this, though, so you may have a different perspective. It’s a tough problem no matter how you slice it. Let me know if I can provide more feedback.

Good luck!

Brendon

* PS: Not sure if “student ID” is the same as “Banner ID” is the same as “Employee ID”, but I’m simply refering to an internally generated random alphanumeric number.

If you’re not familiar with netsol, here’s how it works: If you lose your password, and your email has changed so that you can no longer use a forgot password link to have your password emailed to you, you can fill out a form on their website with your information, then print that form, attach a copy of your driver’s license, and then fax it in. In this case should a user forget their password and lose their PCAC, they could fax in a new request for a pcac with a copy of their photo id along with the email they want their new pcac sent to. Turn around time should be very low …. if you don’t include a username with the pcac in the email, then anyone who happens to intercept the email or get it through an error in the email address will find a pile of letters that won’t get them anything without the username. Just a thought.

2. One of the benefits of using a PCAC or token to provide temporary authentication is that you could embed the code in a URL and present that URL to the user, which would bring them to a password change form online. Unfortunately, this would kind of require that the user already has an email address that could be used to send the PCAC to. Perhaps there could be two methods – email and snail mail and let the user choose how to receive the PCAC. Otherwise, I would be concerned about snailmailing this stuff and the time lags there.

3. The other concern is that a PCAC is tough to enter manually, and may scare users off. Then again, it’s no worse than manually entering Micro$oft license codes…

4. Is there a benefit to keeping the PCAC valid after a password has been changed? If it is still valid, there is a small security risk there by having a backdoor. In the event of a lost password, should you just send a new PCAC?

2) for now we’re saying set their password, their username would be preset. But, this would obviously be easy enough to go one way or the other on.

3) If a user forgets their username and password, AND loses the PCAC, the accountability is clearly on their end. That said, it is clearly a problem wiht distance ed to have any kind of lag. What other solution would allow for quicker re-entry than PCAC? Right now I can’t think of anything that would be both secure and at all faster… I’d love to entertain ideas here if anyone has a solution.

4) intermediary step… hmm, not really, our structure isn’t radically different than this now, so we’re sort of at an intermediary. I have a flowchart of the current process and you can see this is true. (I didn’t really want to share that sad/scary process with the world)

As this is on the Internet… I hope other non-ITS people can be pointed here and review this. I welcome comments from the world.

Here are questions and comments that come to mind.

1. Why 32 characters…that’s rather long, isn’t it. I assume it is a standard.

2. So once the user logs in with their new PCAC, they can immediately reset their username and password. Cool.

3. If they forget their username and password, and forget where they put the darned PCAC, or they are away from it, they have to show up to Library (HD next year) to get a reset or wait for snail mail. The accountability factor is good, the time delay on service may not be acceptable. Case in point: Grad student working from a distance. 2-3 days for mail is going to be a problem. The more online we go, the more this will impact us.

4. Can we have an intermediary step?

Let’s keep rolling this around, not a bad idea.

We might want to talk to some non-ITS folks. Let a lay person respond to it.