
Saturday, September 24, 2011

Usernames Continued: Universities and FERPA

In my previous post I discussed usernames and their role in the authentication process. Systems in a university setting have similarities with those of any organization but face different regulatory requirements. Before Federated Identity Management (FIM) or Single Sign-On (SSO), many universities used the SSN or a student ID as the username for some campus systems. Using an ID number or personal PIN as a username was probably not a good idea, since some university departments also used the SSN or student ID to authenticate students for access to student records, much as a password is used elsewhere.


In addition, the Family Education Records Privacy Act (FERPA) helped push universities away from using confidential information such as the SSN as a student ID or username. FERPA is the federal law that protects certain parts of student records from being made public without student consent. For example, faculty are no longer allowed to post a list of student grades attached to SSNs, as was common in the past. Student email accounts, however, are not protected by FERPA, as they are considered "directory information". On campuses with FIM or SSO systems the email address would likely be the same as the username, so the username would also be public. Students do have the option to make any of their "directory information" confidential if they choose.

Thursday, September 8, 2011

Are Usernames Supposed to be Private?

It is a common misperception that system usernames are always meant to be private. In most cases usernames are not meant to be private, and I would argue that in many of the cases where they are meant to be private, the people designing the access control and authentication systems have made a mistake. A username is part of the identification and authentication process. The ID (e.g., username) is authenticated, or verified, through correct entry of at least one private piece of information, such as a password, and sometimes additional authentication factors: something the user knows (password or challenge question), has (key card or security token), or is (a biometric such as a fingerprint or retina scan).
[Tip: Use a strong password.]



Think about your workplace account. Most organizations now have single sign-on (SSO) systems that let you log in to multiple systems with the same username and password. The username is typically the first part of the email address or the email address in its entirety. Most organizations assign the email address/username rather than letting employees choose their own, so that a naming convention produces unique account names. But if you know the basic naming convention for an email address, which includes a person's name or initials, then you can likely determine anyone else's email address in the same organization from their name, and thus their username as well.

Problems may occur if an organization allows the user to choose the username, or if the naming convention used to create a username includes information that should remain confidential. In the past it was more common for a username to include or be one's social security number, bank account number, or student ID number. An SSN or similar value should not be used as a username when it may also be used in a different setting to authenticate someone, in a way similar to a password.
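The two points above, a username derived from public directory information and a username that must never double as a secret used elsewhere, can be enforced at account-provisioning time. The following is an added example written for this post, not code from the original; the patterns, the `secret_ids` set and the sample names are constructed assumptions about what an identity system would hold.

```python
import re

# Added example: a username is an identifier and may be public, so it must
# never be a value some other system treats as an authenticator.
# These patterns are constructed assumptions for illustration.
SSN_PATTERN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")       # 123-45-6789 or 123456789
NUMERIC_ID_PATTERN = re.compile(r"^\d{6,}$")              # student / account numbers
USERNAME_PATTERN = re.compile(r"^[a-z][a-z0-9.]{2,31}$")  # directory-style handle


def username_violations(candidate: str, secret_ids: set[str]) -> list[str]:
    """Return the policy rules a candidate username breaks (empty list = OK).

    secret_ids holds identifiers that are used as authenticators elsewhere
    (e.g. a student ID that also serves as a PIN); a real deployment would
    compare hashes rather than plaintext values.
    """
    problems = []
    normalized = candidate.strip().lower()
    if SSN_PATTERN.match(normalized):
        problems.append("looks like an SSN")
    if NUMERIC_ID_PATTERN.match(normalized):
        problems.append("looks like a student or account number")
    if normalized in secret_ids or normalized.replace("-", "") in secret_ids:
        problems.append("matches a value used as an authenticator elsewhere")
    if not USERNAME_PATTERN.match(normalized):
        problems.append("does not follow the directory naming convention")
    return problems


def directory_username(first: str, last: str, taken: set[str]) -> str:
    """Derive a username from directory information (first initial + last name),
    appending a counter so every account name is unique within the organization."""
    base = re.sub(r"[^a-z]", "", (first[:1] + last).lower())
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate


if __name__ == "__main__":
    # Constructed sample data: one secret student ID, one already-issued handle.
    secrets = {"20110908"}
    existing = {"jdoe"}
    for cand in ("123-45-6789", "20110908", directory_username("Jane", "Doe", existing)):
        print(cand, "->", username_violations(cand, secrets) or "accepted")
```

Run as a script it prints why each SSN-like or secret-matching candidate is rejected and shows the directory-derived handle being accepted.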