Main Nav


Here at Massachusetts College of Art and Design we’re looking to implement a form of self-service account claiming process. Currently we disseminate initial account information to our users via postal mail with their username and starting password included. We would like to stop sending out mail and instead direct our new users to visit a website enter certain info about themselves to claim their account. We have the capability of pre-populating new users information in our question and answer password reset tool but we are uncertain of what would be the most suitable identifying information to use. Common pieces of info used by other institutions are typically a combination of last 4 digits of SSN, DOB, ID number and name, but we’re wondering what other schools are using and what works best for our higher ed counterparts.

If any of you are using some form of account claiming methodology – what information are you requiring users to provide to validate their identity?



Sam Dolph






********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at




Our account management system has what we call a “starter kit” which allows students to create their initial accounts. We require that they know their 10 digit university ID, which is included in their admission letter. For employees, the ID is issued by HR.


IU Knowledge Base “How do I get my first computing accounts at IU?” -

IT Accounts Starter Kit -



Message from

We too have observed that many schools use SSN, DOB, school ID, etc. in these kinds of systems. However that appears inconsistent with some parts of the U.S. FERPA rules. For example, the following statements can be found in "The regulations in § 99.31(c) require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of ... students.... The use of widely available information to authenticate identity, such as the recipient's name, date of birth, SSN or student ID number, is not considered reasonable under the regulations." "We assume that educational agencies and institutions that require users to enter a secret password or PIN to authenticate identity will deliver the password or PIN through the U.S. postal service or in person." Is anyone aware of any other resources that clarify what methods are allowed for authenticating students? Steve Krahn Information Technology Department North Central University 612-343-4750 ------------------------------------------------------------------------------------