Security and the University
It’s my understanding that three components are required for a secure system: Identity, Authentication and Authorization.
For example, on Cooked.co.nz a username and password are required to log in. The username is public; it represents the user's identity. The password is confidential, known only to the user. It provides a way of authenticating the user's session. Authorization relates to which users are allowed to perform certain actions and is not particularly relevant here.
Many university departments do not follow this system. They require only an ID number to access information, internal grades in particular. This is not secure for two reasons. Firstly, the same token cannot be used for both Identification and Authorisation. The student ID number cannot be a user's Identity and Authority.
Secondly, ID numbers are not confidential. In the University system a student's ID number represents their identity, just like their username does on Cooked. ID numbers are printed on ID cards. The current system is about as secure as my money would be if I wrote my PIN on my EFTPOS card.
Maybe this is how the systems are supposed to work, so that internal grades are public. My grades are good enough that I don’t really care. The Computer Science Dept, for example, posts grades on noticeboards sorted by ID. Everyone knows those grades are public. Everyone can see that I missed a tutorial a couple of weeks ago; I don’t mind.
What I do care about is the pretense of security. Requiring an ID number to view grades online is not secure, but it gives the pretense of security. It gives the impression that a student's grades are confidential when they’re not.
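The difference between the two schemes above, as an added example that is not part of the original post: the first function accepts the public ID number alone, while the second treats the ID as an identifier and requires a confidential password as well. The student IDs, grades, passwords and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: these IDs and grades are invented for the example.
GRADES = {"1234567": {"COSC101": "A-"}, "7654321": {"COSC101": "B+"}}


def hash_password(password, salt):
    """Derive a verifier so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(password):
    """Return (salt, verifier) for a newly chosen password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Public identifier -> (salt, verifier of the confidential secret).
CREDENTIALS = {
    "1234567": enroll("correct horse battery"),
    "7654321": enroll("another constructed secret"),
}

# Dummy record so an unknown ID costs the same work as a known one.
_DUMMY = enroll("placeholder")


def grades_by_id_only(student_id):
    """The scheme the post criticises: the public ID is the only check."""
    return GRADES.get(student_id)


def grades_with_authentication(student_id, password):
    """The ID identifies the student; the password authenticates them."""
    salt, expected = CREDENTIALS.get(student_id, _DUMMY)
    supplied = hash_password(password, salt)
    # Constant-time comparison, then confirm the ID really is enrolled.
    ok = hmac.compare_digest(supplied, expected) and student_id in CREDENTIALS
    return GRADES.get(student_id) if ok else None
```

Anyone who has seen an ID card gets a result from `grades_by_id_only`; `grades_with_authentication` returns `None` unless the caller also knows the secret tied to that ID.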