Identification, Validation and Authentication: All Different But Not All CompliantCharles Dull | Associate Dean of the IT Center of Excellence, Cuyahoga Community College
There is much talk surrounding how colleges and universities will need to change to comply with the Department of Education (DOE)’s new student identity guidelines.
The new guidelines will be directed at online education providers, where there are more reported incidences of fraud than any other; the most serious being financial aid fraud. There is a great deal of misinformation in this space, and it’s important to note this is not an academic integrity guideline. As such, mitigating assignment or portal identity fraud, while needful, is not the aim of the new regulations.
In addition, confusion is created by a misunderstanding of the definition of the words used to describe the process. The Office of Inspector General (OIG) is recommending the DOE create authentication compliance standards and, as with any new legislation, many companies are there to solve the problem. However, many companies and experts are creating confusion.
The first area of confusion is in the terms. Identification, validation and authentication are not the same, and they accomplish different goals:
Identification is basic: a student is assigned a login and password identity to access secure information such as an online class or school portal. The student is granted this access through an admissions process.
Identification does have some validation for the initial process, but is not itself a validation process. Identity is established for official interaction with the institution.
Validation is showing something to substantiate the identity you claim to be. Validation can be a driver’s license, picture or any additional documentation that can support the identity claim being made. The key difference is relying on some other provider as a way of validating the identity claim. Validation helps to reduce fraud by requiring multiple documented identities that are the same. The chance that one identity is fraudulently replicated in other documents exactly the same way is theoretically possible, but remote. In many ways, sending an access code to a phone could be validation since it is relying on nothing more than a person claiming to be the same person that owns the phone.
Authentication is something unique to the individual that cannot easily be duplicated or repeated by anyone other than the individual. Optical (retina) or facial recognition can provide authentication, but true authentication is more than showing a face on a camera, and the cost of this technology puts it out of reach of most institutions. There is good research to support going back to the days of Morse code, as the way one person types out Morse code is unique. Typing style is also unique to an individual.
The idea that there’s a way to authenticate and identify is not new; what’s new is legal requirements by the DOE to make an authentication process mandatory. In addition to the typing authentication models, there are also biometrical authentication processes where style and keystroke metrics are captured, recorded as data and used to authenticate an identity. This can be done at a reasonable cost to the student or institution.
The Difference between Academic Integrity and Fraud Prevention
The need to introduce authentication measures is not an academic integrity provision, but a fraud prevention requirement. Academic integrity is important, but not at the federal level; financial aid fraud is the target for the DOE. The danger in not understanding the difference is the danger of being out of Title IV compliance. In the latest audit released in February from the OIG, it’s clearly stated that simply having unique logins and passwords does not meet the guideline for student identification. Validation may, but the OIG language suggests authentication is the preferred process. More regulation is coming through Title IV than through a negotiated rulemaking session. Once funding is tied to a rule, the DOE will be able to move more deliberately.
There is more confusion being created as some suggest that authenticating for a test taken online meets the requirement. The requirement is more far-reaching than one item, or academic integrity. The DOE relies on accreditation for integrity guidelines in most cases. The OIG recommendations seek to reduce fraud in admissions, financial aid and student identity in an online class. Simply catching a student cheating in an online test, while a worthy goal for academic honesty, will not meet the guidelines and will not reduce financial aid fraud overall.
Institutions need to understand the risk; in the virtual world, one can be many. One person can seek financial aid for many. If a low-tuition institution such as a community college is targeted for this kind of fraud, where one person fraudulently acts while many students maximize their financial aid, the potential loss is significant.
It’s this risk that the OIG seeks to mitigate, and it can only be accomplished with authentication. The challenge is to parse through the claims. The key is finding unique individual artifacts that can be captured data points requiring some action to substantiate in an authentication process. Phone calls, text routines and voice (simple phone recognition, not the authentication voice software) processes are not authentication; they are validation and will present challenges for compliance.
– – – –
Salima Douhou and Jan R Magnus, “The reliability of user authentication through keystroke dynamics,” Statistica Neerlandica Vol. 63 (4), 2009, p. 432–449
Jyotsana Raut, Nikita Agashe, Suchita Somkuwar, Trupti Sapate, Pranali Doifode and Minal Domke, “Morse Passwords Based Authentication System,” International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Vol. 3 (3), March 2014. Accessed at http://ijarcet.org/wp-content/uploads/IJARCET-VOL-3-ISSUE-3-691-694.pdf.
Title IV of the Higher Education Act Programs, “Additional Safeguards Are Needed to Help Mitigate the Risks That Are Unique to the Distance Education Environment,” Final Audit Report ED-OIG/A07L0001, February 2014