Protecting Identities at FSU Principles of SSN replacement Jeff Bauer Florida State University http://fsuid.fsu.edu/admin


Post on 16-Dec-2015



Protecting Identities at FSU

Principles of SSN replacement

Jeff Bauer

Florida State University
http://fsuid.fsu.edu/admin


The SSN Problem

• SSN is used as a method for authenticating students and employees via web and in-person challenges

• Mandates to protect & hide SSN abound

• SSN is still required for certain business processes (HR, external identity of students to Feds, etc.)


The Proposal (2003)

• This proposal was an attempt to combine identity terms and solve the SSN/multiple identity problem

• Proposal:

– FSUID = new public “login name”/password

– FSUSN = new “SSN-like” private number

– A combined directory will manage this information


FSU Identifier (FSUID)

• Unique public identifier

• First part of a person’s email address (for the most part)

• Easy to remember (even student ones)

• Rarely changes

• Log in for key systems (OMNI, Bb, VPN, etc.)

• Everybody gets one as soon as officially associated with the University


FSU Security Number (FSUSN)

• Unique private identifier (nobody should know this but the owner)

• 9 characters long (same as SSN), with letters thrown in to distinguish from a real SSN

• A little more difficult to remember, but not impossible

• Will never change (unlike some SSNs)

• Everybody gets one as soon as officially associated with the University

• Currently ONLY used by instructors as a secondary challenge for on-line grade submission


| Identifier | Example | Properties |
|---|---|---|
| SSN | “123-45-6789” | 9 digits, can change, ultra-private |
| FSUID | “jtbauer”, “ghs05c”, “stk6745”, “jmchannessey” | Easy to remember, first part of official FSU email address, student ones are short (Lacher naming convention), public, can change if role/name changes (e.g., student to employee) |
| FSUSN | “KT9436123” | 9 alphanumeric, only change if security breach, ultra-private replacement for SSN as user index & secondary password challenge (e.g., on-line grade submission) |
| FSUCard | “5894371000633552” | 16 digits, can change, semi-private bank number, hard to memorize, but use of photo card for identification is great |
| OMNI EMPLID | “00025622” | Only employees have them |
| Registration PIN | “4346” | Only students have them, archaic |
| 20-digit user key | “04060170516971298265” | For internal use only |


Moving Away from SSN use

• Two categories of SSN use:

– Appropriate/required: IRS purposes for employees, external agency identification for students (Financial Aid)

– Inappropriate: Any use as an identifier where the information can be easily compromised or

– Undesired: An alternate unique identifier could be used instead (SSNs in person, email, printouts; SSNs on web forms that aren’t SSL’d nor blocked, etc.)


Appropriate use of SSN example

• Web registration for classes


Current State of Affairs

• Acknowledge that many student systems still use SSNs in a variety of ways (Admissions, Registration, Fee Payments, Housing, etc.).

• Acknowledge that new development in student systems tries not to use SSNs (difficult to do though).

• Realize that replacing SSNs with FSUSNs in student systems will take time and money (not unlike the Y2K time & expense problem seven years ago). ** resource intensive ** (currently unfunded)


OTI Proposal

• FSU should mandate that all computer systems & business processes move away from inappropriate use of SSNs to a suitable SSN replacement.

• FSU should mandate that customers of identity information from now on obtain Vice President approval for providing SSNs.


Proposals

• All FSU offices (Admissions & Registrar, Orientation, Financial Aid, Student Financial Services, F&A, etc.) do an internal audit to discover inappropriate uses of SSNs in normal business practices.

• Any office with an inappropriate use should change its business process to use a method of identification other than SSN (immediately for servers that have SSNs and that could be compromised).

• OTI can assist in technological solutions to be researched and developed to lessen the impact on business practices (card swipes of FSUCard for FSUCard <--> SSN mapping, customized FSUID helpdesk lookup utility, etc.)


Proposals

• Student systems, with the dominance of SSNs on CICS “green screens”, printed forms and other business processes, require the largest effort to replace SSNs.

• Proposed that $200K for 3 years in time-limited E&G positions be established to convert existing mainframe-based student systems that use SSN as primary key.

• Note that movement to Oracle/PeopleSoft student systems will solve the SSN problem, but will be more expensive to implement.