Background

The InCommon Student Services Collaboration Group is conducting a survey on organizational process issues associated with identity proofing and authenticating remote-students across their life cycle. These include identity proofing as a prospective student, remote assessment as a student taking a distance education course, and re-credentialing of returning students.

The outcome of this survey will be a summary of the survey findings, a list of interesting approaches from other sectors, and one or more recommendations for remote approaches to each issue.

Audiences and their respective organizations targeted for the survey include:

Audience

Target Organization for Survey

Admissions Staff

AACRAO

Registrar Staff

AACRAO

Distance/Continuing Education Staff

(WCET?)

Information Technology

EDUCAUSE, InCommon, Internet2

Survey Sections

Introduction

The original purpose of this survey was to understand what other institutions are doing or planning to do in response to the requirement in Section 495 of the HEOA (2008). This states that accrediting agencies must require an institution that offers distance education or correspondence education to have processes through which the institution establishes that the student who registers in a distance education or correspondence education course or program is the same student who participates in and completes the program and receives the academic credit.

However, the challenge of remote credentialing does not only exist in Distance Education. Most incoming students at an institution go through an admissions process that requires their access to campus applications or services prior to their arrival on campus. In some cases, these applications deal with FERPA protected or financial data that needs to be protected from inappropriate access. The question is how comfortable are institutions that their process for granting access to these resources is secure - namely, that the campus credential they issue to the "student" is really going to the right person.

(Talk about why we are focusing on these three areas and why we aren't talking about other areas.)

Terms

Authentication - The process of identifying an individual, usually based on username and password. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

Credential - An object that authoritatively binds an identity (and optionally, additiional attributes) to a token possessed and controlled by a person.

Credentialing - The process whereby users are given electronic credentials to ensure that they are coupled with the correct digital identity information.

Digital Identity - The representation of a human identity that is used in a distributed network interaction with other machines or people.  The purpose of the digital identity is to establish the level of comfort and confidence in a digital environment that is associated with face-to-face human interactions.

Identifier - usually a permanent, persistant number assigned to a student.  Frequently a replacement for SSN.  (StudentID number).  Usernames are also identifiers but may not be persistent.

Identity Proofing - The process of verifying the identity of an individual either "in person" by presenting a government issued photo ID or through challenge-response questions that contain information about the individual being "proofed" that would not be available to the general public. Usually performed in conjunction with the credentialing process.

Identity Vetting - The process of thorough examination and evaluation of an individual's identity data.

Matriculated Student

Prospective Student

UserID - account/login ID (NetID).  Can be name-based or not.  May or may not be permanent, persistent.

Demographic Information and Environment

  1.  Institution size, location, mission, etc.
    1. Name of Institution (can we get carnegie class info from Educause?)
    2. Do you have a distance education program(s)?
      1. How many students are in the program(s)?
    3. Our admissions and registration function across campus (check one)
      1. Spread across multiple schools or colleges
      2. Consolidated in one administrative unit.
    4. Responsibility for the information technology is (check one)
      1. Spread across multiple schools or colleges
      2. Consolidated in one administrative unit.
    5. Decision making, change management, and implementation question here.
  2. Department of the person completing the survey:
    1. Admissions
    2. Registrar
    3. Distance Education
    4. Information Technology

Prospective Students - Remote Identity Proofing

(On-campus identity proofing is relatively straightforward, so we're focusing on off-campus. More definition here.) Define Prospective Student or refer to glossary.

  1. How do you begin your recruiting process(check all that apply)?
    1. Internal aggregation of "Suspects" (Inquiries, camp attendees, etc)
    2. Obtain potential "suspects" from third Party
  2. When do you first learn about prospective students? (Check all that apply.)
    1. Test score Referrals
    2. High School Meetings
    3. Alumni/other "gatherings"
    4. Phone Inquiries
    5. Other - Please explain
  3. How do students make initial contact? (Check all that apply.)
    1. Submit an application
    2. Email Inquiry
    3. Inquiry through Campus Portal
    4. Phone Inquiries
    5. Request for Site Visit
    6. Response to CRM Campaign
    7. Other
  4. How do you establish a communications channel? (Check all that apply.)
    1. Use the user supplied email address
    2. Establish/use institutional email address.
    3. Parent/Guardian email address
    4. US Mail
    5. Voice Contact
  5. Do you issue temporary userids or credentials for use during the admissions process?
    1. Yes
    2. No
  6. If Yes to question 5, how are the temporary credentials communicated to the client?
    1. Sent to supplied email address
    2. Sent via email - but must change password upon first invocation (usage) of account.
    3. Sent via US Mail
    4. Sent via US Mail, but must change password upon first invocation (usage) of account
    5. Other
  7. How does the student receive their persistent/campus userid?
    1. They make up their own or choose one from a provided list when they start the application process.
    2. Identifier/Initial PW defined by institution and delivered to supplied email address
    3. Identifier/Initial pw defined by institution and sent via US Mail
    4. Identifier/Initial pw defined by institution and connected to vcleint via knowledge questions from record.
    5. Identifier/Initial pw defined by institution and connected to vcleint via knowledge questions established upon first contact.
    6. Other
  8. At what point do you assign a permanent identifier (StudentID)?
    1. To Suspects/Prospects prior sending information
    2. To applicants when they submit an application
    3. To Admitted/Accepted students
    4. When they pay initial fees
    5. Other
  9. At what stage do you do identity proofing for remote students?
    1. We do not require any information in addition to what has been supplied. (survey goes to next section)
    2. After they have been accepted and before they register
    3. After they have registered, but before classes begin.
    4. Shortly after classes begin.
    5. Before a final grade is awarded.
  10. Why did you choose this stage?
    1. Open Comment
  11. What information do you have on the remote student at that stage? (Check all that apply.)
    1. Name
    2. Address
    3. Birthdate
    4. Email address
    5. High School Transcript
    6. Test scores
    7. Parent/Guardian Name
    8. Parent/Guardian Address and Contact information
    9. Academic Interest
    10. Academic Term of interest
    11. Post-secondary Institution (if transfer student)
    12. Other notable....
  12. What do you require from the student to prove their physical identity?
    1. faxed/scanned government picture id
    2. faxed/scanned credit card
    3. faxed/scanned notary
    4. eletronic notary
    5. travel to campus for physical presence
    6. Use a Third party vendor to validate Identity
    7. Other (Comment box)
  13. Please indicate any concerns with this process (unauthorized individual obtains financial aid or gains access to FERPA-protected data, labor intensive, inconvenient for client)
    1.  (Other with comment box)?
  14. Please list any vendors you use to support for this process? (Comment box)
  15. What business office is involved in doing the identity proofing of remote students? (Check all that apply.)
    1. Admissions
    2. Registrar
    3. Bursar
    4. Orientation
    5. Academic Unit
    6. Continuing Education
    7. Other (Comment box)
  16. Please list the steps involved. (Comment box.)

Matriculated Students - Photo ID and Login Credential Issuance

Distance

  1. Do you revisit identity proofing, vetting or credentialing for students matriculating at a distance?
    1. Yes
    2. No
  2. If so, how is this done?
    1. (Comment box)
  3. If not, are there circumstances where you do revisit these processes?
    1. Yes
    2. No
  4. If so, what triggers the re-proofing, -vetting, -credentialling?
    1. (Comment box)
  5. How is this done?
    1. (Comment box)
  6. Do you ever issue Photo ID cards to mstriculated students at a distance?
    1. Yes
    2. No
  7. If so, how is this done?
    1. (Comment box)
  8. How do you insure the identity of students taking tests and other assessments?
    1. (Comment box)

On Campus

  1. Does obtaining a PhotoID in person at a PhotoID office improve your proofing, vetting and credentialing of matriculated students?
    1. Yes
    2. No
  2. What information do you have on the remote student at that stage? (Check all that apply.)
    1. Name
    2. Address
    3. Birthdate
    4. Email address
    5. High School Transcript
    6. Test scores
    7. Parent/Guardian Name
    8. Parent/Guardian Address and Contact information
    9. Academic Interest
    10. Academic Term of interest
    11. Post-secondary Institution (if transfer student)
    12. Other notable....(Comment box)
  3. What do you require from the student to prove their physical identity?
    1. faxed/scanned government picture id
    2. faxed/scanned credit card
    3. faxed/scanned notary
    4. eletronic notary
    5. travel to campus for physical presence
    6. Use a Third party vendor to validate Identity
    7. Other (Comment box)
  4. How does the process for replacement of a PhotoID card differ from the first issuance of a PhotoID?
    1. (Comment box)

Password Reset

Distance Students

  1. Who manages the password reset process for distance students?
    1. Distance education department
    2. Home academic department
    3. Central IT
    4. Other, please specify
  2. If a distance education student forgets his/her password, what are his/her instructions to get access again? Check all that apply.
    1. Call a person at the help desk to have the password reset.
      1. Please tell us how the help desk verifies the student's identity. Check all that apply.
        1. Knows students by voice
        2. Asks the student one or more knowledge-based questions (Go to Q 3)
        3. Asks the student for faxed/sent identification
        4. Other
      2. If identity verification is done based on knowledge-based questions, are these questions and answers:
        1. Identified question/answer pairs established earlier by the student.
        2. Organization assigned information (such as a PIN or StudentID)
        3. Personal information shared by the student and stored in the student services system (Check all that apply):
          1. Name
          2. Address
          3. Previous Address
          4. Birthdate
          5. Email address
          6. All or part of the SSN
          7. GPA variant
          8. High School
          9. Enrollment
          10. Parent/Guardian Name
          11. Parent/Guardian Address and Contact information
          12. Academic Interest
          13. Post-secondary Institution
          14. Other. Please specify:_________
        4. Other
      3. How is the new password established? (Check all the apply.)
        1. Read aloud by the department representative (Go to v.)
        2. Transmitted by text messaging to a pre-established phone number of record (Go to v.)
        3. Transmitted by email to a pre-established personal email address of record (Go to v.)
        4. Transmitted by postal mail to a pre-established address of record (Go to v.)
        5. Set or reset using a URL link that is sent to the student and used to establish his/her new password.
        6. Other
      4. What information is used to generate the new password? 
        1. Personal information such as Birthdate, SSN, or name
        2. Organization assigned information such as StudentID
        3. Random string of characters
        4. Other
      5. Can the help desk representative see the original password?
        1. Yes
        2. No
      6. Can the help desk representative see the new password?
        1. Yes
        2. No
      7. Is the student forced to change the new password upon first use?
        1. Yes
        2. No
    2. Use an online web password reset form.
      1. Who manages the web password reset form for distance students?
      2.  
      3. Please tell us how the web password reset form verifies the student's identity. Check all that apply.
        1. Identified question/answer pairs established earlier by the student.
        2. Organization assigned information (such as a PIN or StudentID)
        3. Personal information shared by the student and stored in the student services system (Check all that apply):
          1. Name
          2. Address
          3. Previous Address
          4. Birthdate
          5. Email address
          6. All or part of the SSN
          7. GPA variant
          8. High School
          9. Enrollment
          10. Parent/Guardian Name
          11. Parent/Guardian Address and Contact information
          12. Academic Interest
          13. Post-secondary Institution
          14. Other. Please specify:_________
        4. Other. Please specify:
      4. How is the new password established? (Check all the apply.)
        1. Set or reset in the online web password reset form (If checks this answer, go to iii)
        2. Transmitted by text messaging to a pre-established phone number of record (If checks this answer, go to iii)
        3. Transmitted by email to a pre-established personal email address of record (If checks this answer, go to iii)
        4. Transmitted by postal mail to a pre-established address of record (Go to v.)
        5. Set or reset using a URL link that is sent to the student and used to establish his/her new password.
        6. Other
      5. What information is used to generate the new password? 
        1. Personal information such as Birthdate, SSN, or name
        2. Organization assigned information such as StudentID
        3. Random string of characters
        4. Other
      6. Is the student forced to change the new password upon first use?
        1. Yes
        2. No
    3. Use a different approach.
      1. Please describe (open text field).
      2.  General Questions
      1. Do you keep an audit record of the password change?
      2. Vendor (Comes out of other open comment fields on other questions).

On-Campus Students

  1. If an on-campus student forgets his/her password, what are his/her instructions to get access again? Check all that apply.
    1. Call or visit the help desk to have the password reset.
      1. Please tell us how the help desk verifies the student's identity. Check all that apply.
        1. Knows the student by visual identification
        2. Knows students by voice (if requested by phone)
        3. Asks the student one or more knowledge-based questions
        4. Asks the student for faxed/sent identification
        5. Asks the student for any identification
        6. Asks the student for photo identification
        7. Other
      2. If identity verification is done based on knowledge-based questions, are these questions and answers:
        1. Identified question/answer pairs established earlier by the student.
        2. Organization assigned information (such as a PIN or StudentID)
        3. Personal information shared by the student and stored in the student services system (Check all that apply):
          1. Name
          2. Address
          3. Previous Address
          4. Birthdate
          5. Email address
          6. All or part of the SSN
          7. GPA variant
          8. High School
          9. Enrollment
          10. Parent/Guardian Name
          11. Parent/Guardian Address and Contact information
          12. Academic Interest
          13. Post-secondary Institution
          14. Other. Please specify:_________
        4. Other
      3. How is the new password established? (Check all the apply.)
        1. Read aloud by the department representative. (Go to iv.)
        2. Transmitted by text messaging to a pre-established phone number of record (Go to iv.)
        3. Transmitted by email to a pre-established personal email address of record (Go to iv.)
        4. Set or reset using a URL link that is sent to the student and used to establish his/her new password.
        5. Set or reset at the help desk by the user.
        6. Other
      4. What information is used to generate the new password? 
        1. Personal information such as Birthdate, SSN, or name
        2. Organization assigned information such as StudentID
        3. Random string of characters
        4. Other
      5. Can the help desk representative see the original password?
        1. Yes
        2. No
      6. Can the help desk representative see the new password?
        1. Yes
        2. No
      7. Is the student forced to change the new password upon first use?
        1. Yes
        2. No
    2. Use an online web password reset form. (Should be same as Distance Student.)
      1. Please tell us how the web password reset form verifies the student's identity. Check all that apply.
        1. Identified question/answer pairs established earlier by the student.
        2. Organization assigned information (such as a PIN or StudentID)
        3. Personal information shared by the student and stored in the student services system (Check all that apply):
          1. Name
          2. Address
          3. Previous Address
          4. Birthdate
          5. Email address
          6. All or part of the SSN
          7. GPA variant
          8. High School
          9. Enrollment
          10. Parent/Guardian Name
          11. Parent/Guardian Address and Contact information
          12. Academic Interest
          13. Post-secondary Institution
          14. Other. Please specify:_________
        4. Other. Please specify:
      2. How is the new password established? (Check all the apply.)
        1. Set or reset in the online web password reset form (If checks this answer, go to iii)
        2. Transmitted by text messaging to a pre-established phone number of record (If checks this answer, go to iii)
        3. Transmitted by email to a pre-established personal email address of record (If checks this answer, go to iii)
        4. Set or reset using a URL link that is sent to the student and used to establish his/her new password.
        5. Other
      3. What information is used to generate the new password? 
        1. Personal information such as Birthdate, SSN, or name
        2. Organization assigned information such as StudentID
        3. Random string of characters
        4. Other
      4. Is the student forced to change the new password upon first use?
        1. Yes
        2. No
    3. Use a different approach.
      1. Please describe (open text field).

Comments

  1. How comfortable are you that your process adequately protects your online resources?
    1. Rating: Very comfortable, Comfortable, Not comfortable
    2. If you rated Not comfortable, what resources are not being protected adequately?
  2. What resources, practices, or services would be helpful with remote identity proofing?

NOTES

Notes to be incorporated (or not) into the survey above.

d.     Identity proofing requiremsnts, information and what they do?

e.     Credentialing - keeping the change of evidence

2.     HEOA

a.     Remote test taking - wha tdo you do?

b.     Assessment methods.

3.     Returning Students - recredentialling

a.     Adult learners

b.     Security question

c.     Information versus phishing Acxiom

4.     Solutions

a.     Notaries

b.     Banks

d.     Other

                                             ii.     Tie to student life cycle - remote issues tied to student life cycle.

                                           iii.     AI - create section on website with resources.

1.     Are there fed services that are applicable to helping folks saove problems - GOAL

2.     Student's Application/Data Access - What will they access?

3.     Individual's Collected Identity Information - What do they have indentifying the individual+?+

4.     Process to establish/deliver userid/password (credential)

 [AW1|#_msoanchor_1]A sample subsection of topics to ask. This may be better done in a matrix like Mark M's. (wink)

  • No labels