What’s in a Name?

• 06/01/06

A lot more than there used to be. In today’s high-tech educational environment, theprocess of creating and securing network identities is more problematic than ever.

PETER STEINER CAPTURED the essential problem of identity in the electronic age with his 1993 New Yorker cartoon that showed two dogs in front of a computer, with the caption, “On the Internet, nobody knows you’re a dog.” In the popular Ender Wiggins series of science fiction books, brilliant kids pretend to be adults in online political discussions. But on thedarker side, adults on the Web can pretend to be kids.

In an era of ubiquitous computers and networks, issues of identity as they impact security have become critical. How do you know if a user is who he claims to be, or if he has a rightto the resource he is trying to access?

Identity management (IdM) is the new term that applies to these questions, and it’s relevant to situations ranging from getting money from an ATM to enrolling for classes. IdM hasfour underlying components:

• Identification: your name or network/system identifier
• Authentication: proof you are who you say you are
• Authorization: which resources you have permission to access
• Directory: information about you and what you are allowed to do per the system settings

Choosing an Identifier

At the core of identity is a name. Historically, single names such as John evolved into first and last names such as John Doe, and more recently into unique identifiers such as Social Security numbers. Unfortunately, the use of SSNs as identifiers creates identity-theft risks and privacy concerns, and doesn’t translate well to educational settings. We’re left with a need for a new identifier for students, faculty, and staff, onewith the following characteristics:

• It’s unique within the largest population set in which it is used. In other words, if there are two Jane Smiths in a school district, they should have different identifiers.
• It cannot be used to facilitate identity theft or in other ways that violate individual privacy rights.
• It’s easy to remember. Some schools assign each student a unique but easy-to-remember ID and password that maps to another unique but more complex multidigit identifier used in the background by computer systems.
• It’s scalable in the event of population-set growth. Early e-mail addresses such as [email protected] worked just fine until everyone on campus started using e-mail.

Now Prove It

Education involves multiple authentications. For example, a parent enrolling a child in school may have to present thechild’s birth certificate and her own driver’s license.

Although the details can get complicated, there are only three ways to prove identity: by something we have (a key or a birth certificate); something we know (a password); or somethingwe are (a photograph or fingerprints).

Something we have is used in education in two ways. First, items such as a child’s birth certificate and a parent’s driver’s license are used to establish a student’s identity initially. Subsequently, things such as a key or an ID card are used to establish identity before a student can gain access to something. Whether it’s an old-fashioned metal key or a high-tech token, the advantage of “something we have” is convenience; the disadvantage is that it can be lost, stolen,or forged, and then used by someone else.

Something we know usually takes the form of a password. Passwords are inexpensive but can be forgotten, and they can be stolen while being transmitted over a network. Plus, we tend to pick passwords that are easy to remember—and can be easily guessed by hackers or password-cracker programs. Passwords are safer if: they have at least eight characters with a mix of letters, numbers, and special characters; theyare not written down; and they are changed regularly.

Something you are is the oldest authentication technique. Facial recognition has been used to identify people for thousands of years. The last few years, however, have seen the emergence of relatively low-cost electronic devices that use biometrics or an individual’s physical characteristics to establish identity. Through eye scans, voice analysis, facial scans, DNA analysis, fingerprint scans—even keystroke dynamics or hand geometry—such devices can confirm anindividual’s identity with about 70 to 100 percent accuracy.

Technology Trends and Next Steps

The greatest challenges in identity management are procedural, not technical. For example, the verification of a student’s identity at the time of enrollment is complicated by the fact that birth certificates are not standardized nationally, let alone globally. While issues such as these go beyond what an individual school board or administrator can address, schools need to consider a few prevailing technologytrends as they decide how to meet local needs.

The increased use of two-factor authentication. For example, to get money from an ATM, you need to swipe your card— something you have—and enter a PIN—something you know. In an educational environment, a student’s ID card, like an ATM card, stores data and works with a PIN. But if the PIN and the information on the card are fraudulently captured during use, that data can subsequently be used for unauthorized access. Nevertheless, simple two-factor authentication is a compromise between rigorous security on the one hand, andconvenience and reasonable cost on the other.

The increased use of “smart cards.” Smart cards make use of more-sophisticated two-factor authentication schemes. In one scheme, the host computer system and the user share a secret password. The host computer sends a number (the“challenge”) to the user. The user then encrypts the challengenumber with the shared password using the smartcard and returns the result (the “response”) to the hostcomputer. The host computer independently encrypts thechallenge and compares the result with the user’s response.If the two agree, the user is given access. Even if the informationis captured during transmission over the network,the system remains uncompromised. The big drawback ofsmart cards is their cost—$60 to $100 per person—andthe cost of supporting a more complex infrastructure.

The increased use of biometrics. Fingerprint and retinal scanners are no longer merely the stuff of science fiction novels. Now they are used to speed kids through lunch lines and to control access to nursery facilities. Cost and privacy concerns are the major drawbacks.

In making technology decisions, however, educators need to remember that there aren’t any one-size-fits-all solutions. What works for a large urban high school may not be appropriate for a small, rural elementary school. A healthy dose of common sense is in order. Throwing technology at hypothetical problems that may have minimal negative consequences makes no more sense than ignoring the serious identity-management challenges introduced by computers, networks, and the globalization of education.

Doug Gale is president of Information Technology Associates, an IT consultancy specializing in higher education.