Saturday, September 24, 2011

Usernames Continued: Universities and FERPA

In my previous post I discussed usernames and their role in the authentication process. Systems in a university setting have similarities with those of any organization but have different regulatory requirements. Before Federated Identity Management (FIM) or Single-Sign-On (SSO), many universities also used an SSN or a student ID as a username to access some systems on campus. Using an ID# or personal PIN# as a username was probably not a good idea, since the SSN or student ID may also have been used by some university departments, much as a password is used elsewhere, to authenticate students for access to student records.

In addition, the Family Education Records Privacy Act (FERPA) helped push universities away from using confidential information such as an SSN as a student ID or username. FERPA is the federal law that protects certain pieces of student records from being made public without student consent. For example, faculty are no longer allowed to post a list of student grades attached to their SSNs, as was common in the past. But student email accounts are not protected by FERPA, as they are considered "directory information". For campuses with FIM or SSO systems, the email would likely be the same as the username and would therefore also be made public. Students do have the option to make any of their "directory information" confidential if they choose.

