3. Session Rules of Etiquette
• Please turn off your cell phone/pager
• If you must leave the session early, please do so as discreetly as possible
• Please avoid side conversation during the session
• Do not pass Go, do not collect $200.
4. Introduction
• My goal today
• To share UNCG’s custom solution to random PIN distributions across all populations of entering people.
5. Benefits: An understanding of
• Business Case
• Technical Architecture
• Administrative GUI
• End User Experience
• Project Results
• Woulda / Shoulda / Coulda
7. The University of North Carolina at Greensboro
• 18,000+ Fall 2010 Enrollment
• Undergraduate
• Graduate
• Distance
• Additional 2,000+ iSchoolers (High School)
• 3 Entry Offices with Hiring Authority
• 6 Entry Offices Admitting Students
• Mods Philosophy: “Vanilla…. but with sprinkles… and a bit of fudge mixed in…”
8. Old way of Doing Business
• Pattern based initial PIN, custom trigger on DOB entry
• DOB rearranged YYDDMM
• Pattern published on web sites
• Some emailed ID and then snail mailed PIN
• Some asked students to allow them to send both ID and PIN via email.
• Some offices handed paper to new hires
• Letters are lost
9. Where we were
Different Offices + Different Practices = INSANITY
11. Potential Problems
• Perception: ITS owns the PIN, call Service Desk
– Have to talk through general pattern YYDDMM.
– Service Desk can’t assist because…
• Forgot PIN Q&A not yet established, cannot authoritatively identify caller, since they never had a successful login
• “But they said….”
• Root Causes
– Incorrect DOB Entered (esp. Internationals)
– Student does not know ID
12. Inspiration from Earlier Work
• https://getmyid.uncg.edu
• Built during transition from SSN to Generated ID approx 2006
• Allows ID display via SSL browser with entry of person’s UNCG Username/Password
• Allows email delivery of ID
• Single Last Name & Email Address Match
– Last Name: Smith
– Email: Moreland.Smith@gmail.com
13. The Vision: One tool to assist them all
• Web Based
• Near Real Time, Secure (Encrypted) Delivery of Random PIN
• Options for Paper Mail
• Receive PIN Information from “Entry Office”, not ITS
• Standard text with optional Entry Office specific info
• Refer people back to “Entry Office” if there is a problem with their data
• Flexible additional populations, additional “Entry Offices”
• Log usage
14. However this was beyond our budget
And had some nasty side effects….
15. Core Business Concepts/Challenges
• All persons have a “best fit” Entry Office
– Single Role (New Freshman = Undergraduate Admissions)
– Multi Role people (Employee taking classes = ????)
• Offices desire to minimize mailing costs, printing labor
– Email/web is first choice
– Paper mail only if email/web is not possible or selected by person.
• If there is a problem with a person’s data it needs to be corrected by their Entry Office, not ITS.
• People often do their email via insecure means (Public WiFi)
– Therefore delivery of PIN should be SSL Protected and
– Not “Man in the Middleable” (Firesheep)
16. Defining Happiness
• for Person = Doing it all online themselves at 3am and never having to talk to UNCG staff.
• for Entry Office Staff = Person doing it all online themselves at 3am and never having to talk to UNCG Entry Office Staff.
• for Person = Couldn’t get it online, but can get it via snail mail, but at least I didn’t have to talk to a UNCG human.
• for Entry Office Staff = I guess I can run a daily batch job to print and mail some letters, sigh….
• For Both = I have to talk to someone via phone????
21. Security Principles
• All Web traffic must be SSL
• Email may or may not be read via secure means, therefore we must assume it is not
• You can’t prove who you are on the web, so we must communicate via a previously established address
• Something you have, plus something you know.
– You have: PIN LINK (Random URL) delivered by email
– You know: “Verification word” you gave in an SSL Session, stored by the system, which you must match to use the PIN LINK URL
22. Security Principles Continued
• Any PIN LINK URLs must be sufficiently random
• Any PIN LINK URLs must expire within a set brief time period
• Minimize visibility of PIN to UNCG staff (only on hardcopy prints in Entry Office)
• Random PINs should be one time use only (Baseline takes over from there)
• Even if someone who is not you starts the getmypin process (but they know your Last Name, ID & DOB), we should minimize the “reveal” of your protected information [result = masking of email/addresses]
23. Technical Components: Baseline
• Configurations within
– Letter Generation Letters & Paragraphs
– GTVSQPR (Business Rule Process Code Validation)
– GTVSQRU (Business Rule Code Validation)
– GORRSQL (Business Rules Form)
– GTVSDAX (For setting expiration value)
• Draw upon data within
– GOREAML Table
– SPRADDR Table
– SPRIDEN Table
– Various Student, Alumni, Employee tables calculating Entry Office association for a person
• Baseline functionality
– Ability to set PIN as pre-expired (i.e. force change on next login)
24. Technical Components: UNCG Custom Built
• INB Components
– SZAEOFC (Entry Office Control Form)
– SZAHIRC (Entry Office Rule Hierarchy Control Form)
– SZAPDIS (Pin Distribution Form)
• URL on Banner App Server
– https://getmypin.uncg.edu
• SSB pages (outside Secure Login)
– Request PIN Getting
– Respond to PIN LINK URLS
• Email generation function (draws text from LTR/PARA)
• Batch Job
– SZPPNPT (Pin Letter Printing)
• PL/SQL Function for Random URL String Generation to NIST Special Publication 800-63 Standard
25. 20 Minutes of Defense
• How long to make the random URL???
• Calculations by UNCG Security Analyst
• Assuming web requests can be processed at 20,000 per second, x 60 seconds per minute x 20 minutes = 24 million attempts possible in time frame.
• http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf page 53
• Goal 36 bits of entropy
• Achieved by 20 character random from a 63 character alphabet (upper, lower and numbers)
• If 20 characters is good, then 32 is even better….
• And even if you get a hit on a Random URL that happens to be “Usable” at the moment, you still have to guess the Verification word, and you only have 3 attempts.
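Added example, not UNCG’s code (their implementation is a PL/SQL function inside Banner): the calculation on this slide and the PIN LINK rules from the “Security Principles” slides, worked in Python. The alphabet is assumed to be upper, lower and digits, which is 62 symbols rather than the 63 stated; the in-memory store, its function names, the 6-digit PIN and the 20-minute lifetime are assumptions made for the example.

```python
"""Added example (not UNCG's code): the PIN LINK lifecycle described in the
"Security Principles" and "20 Minutes of Defense" slides.

Names, data structures and the 62-character alphabet are assumptions made here;
the real system is a PL/SQL function inside Banner."""
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field

# Upper, lower and digits: 62 symbols (the slide says 63; 62 is what the
# three ranges actually contain, and the conclusion is unchanged).
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest string that reaches the entropy target (36 bits per SP 800-63)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def attempts_in_window(requests_per_second: int, minutes: int) -> int:
    """Guesses possible while a link is live (slide: 20,000/s for 20 minutes)."""
    return requests_per_second * 60 * minutes


def hit_probability(bits: float, attempts: int, live_tokens: int = 1) -> float:
    """Chance that `attempts` random guesses land on one of `live_tokens` valid links."""
    return min(1.0, attempts * live_tokens / 2 ** bits)


def make_pin_link(length: int = 32) -> str:
    """Random URL token from a CSPRNG (secrets); 32 chars as the slide prefers."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def mask_email(address: str) -> str:
    """Reveal only enough for the person to recognise their own address."""
    local, _, domain = address.partition("@")
    name, _, tld = domain.rpartition(".")
    return f"{local[0]}{'*' * (len(local) - 1)}@{name[0]}{'*' * (len(name) - 1)}.{tld}"


def _digest(word: str) -> bytes:
    """Verification word is stored hashed, not in clear (assumption)."""
    return hashlib.sha256(word.strip().lower().encode()).digest()


@dataclass
class PinLink:
    person_id: str
    word_hash: bytes
    pin: str
    expires_at: float
    attempts_left: int = 3   # slide: three tries at the verification word
    used: bool = False


@dataclass
class PinLinkStore:
    """In-memory stand-in for the table behind the PIN LINK URLs."""
    ttl_seconds: int = 20 * 60
    links: dict = field(default_factory=dict)

    def issue(self, person_id: str, verification_word: str, now: float) -> str:
        token = make_pin_link()
        # One-time random PIN; Banner sets it pre-expired so the user must change it.
        pin = "".join(secrets.choice(string.digits) for _ in range(6))
        self.links[token] = PinLink(person_id, _digest(verification_word), pin,
                                    now + self.ttl_seconds)
        return token

    def redeem(self, token: str, word: str, now: float) -> tuple:
        """Returns (status, pin_or_None). Unknown, used and expired tokens all
        get the same answer so a probe learns nothing about which it was."""
        link = self.links.get(token)
        if link is None or link.used or now > link.expires_at:
            return ("invalid_or_expired", None)
        if link.attempts_left <= 0:
            return ("locked", None)
        if not hmac.compare_digest(link.word_hash, _digest(word)):
            link.attempts_left -= 1
            return ("locked" if link.attempts_left == 0 else "wrong_word", None)
        link.used = True   # single use: the PIN is shown exactly once
        return ("ok", link.pin)
```

Two things the numbers show: 20 characters from this alphabet carry about 119 bits, so the 36-bit goal is already met at 7 characters, and 24 million guesses against a 36-bit token give a hit chance of roughly 3.5 × 10⁻⁴ per live link (scaled by the number of links outstanding at once, which is why the short lifetime and single use matter as much as the length).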
31. Now for the Custom UNCG Stuff
• SZAEOFC (Entry Office Control Form)
• SZAHIRC (Entry Office Rule Hierarchy Control Form)
• SZAPDIS (Pin Distribution Form)
37. 3 Faces of Happiness
• Self Service Email Delivery
• Request Paper Mail Delivery, Entry Office Prints
• Sorry, Person and Entry Office Communication Required
• All begin at https://getmypin.uncg.edu
38. Answer me these Questions 3
What is Your Name
What is Your ID
What is your DOB
49. From Here
• User logs into Baseline Self Service
– They must answer baseline “Forgot PIN” Security Questions & Answers
• Because random PIN was set as pre-expired
– They must set a new PIN.
• User is in Self Service and can do their business
• “didn’t have to talk to a human…”
50. Face #2
Request Paper Mail Delivery, Entry Office Prints
55. The Third Face
Sorry, Person and Entry Office Communication Required
56. Recap of the Path
• Success with ID, DOB, & Name
• No Valid Emails or did not choose email, and
• No Valid Mailing Address or said do not send via paper
58. Next Steps
• Hopefully person calls their entry office at the phone number listed.
• Staff member with privileges on SZAPDIS can review request, status, etc.
• Based on Entry Office specific practices staff can attempt to
– Identify person calling (20 questions method)
– Gather corrected contact information
– Immediately enter that in Banner (GOAEMAL/SPRADDR)
– Have the person try again.
59. Miscellaneous Info
• Email is sent from Entry Office specific email address, so bounces are returned there for remediation by Entry Office staff.
• Letters are sent from Entry Office, in their envelopes, so returned mail can be dealt with by Entry Office staff.
• Other Error Messages
– Did not answer 3 initial questions correctly = “The Information you entered was not found in our records. Please check the Information for Errors.”
61. Results Page
• All persons (students, staff, faculty, other) follow the same process.
• Email & Address data is better maintained by Entry Offices, since correct emails mean more happy faces.
• DOB Pattern based PINs are gone!
• Many fewer calls to Service Desk with PIN problems due to DOB issues, or “I lost my letter/email”
• Registrar’s Office Staff spend less time dealing with PINs for Alums (required for transcript ordering)
62. Unsolicited Client Email:
Subj: Just sending some love
The PIN re-set website has been a great help.
In the past, I received an average of 8-10 calls a month. Which isn't bad, I know, but as this was an average, I sometimes had 8-10 in a week.
I have only printed 3 PIN letters since we went live with this function last Spring.
THANK YOU.
--
Kelly A. Rowett-James, University Registrar
The University of North Carolina at Greensboro
63. Summary
• Solve the Business Problem:
– Make it Standardized, Self Service, Secure,
– Also make it Flexible and Customizable
• Architecture: Use what you have & build what you need
– Baseline Components: GORRSQL, Letter Gen, GTVSDAX
– Custom INB, SSB, Batch Job pieces
• Admin GUI: Build for flexibility
• End User Experience
– Small, Simple Steps
65. Ideas to make it better
• Build Form/Table to map users of SZAPDIS to Entry Offices in order to restrict staff to “their” people, and ITS Staff to global Query. [Could also be done with Value Based Security]
• Build a secondary log table for each status of a Pin Reset Request.
• Build a “pre log table” to capture any situations where all 3 items do not match, to detect bot attack
• Put in a “Captcha” as a bot defense
• Build reporting to look for patterns of non successful actions.
• Schedule batch process in UC4 for automatic nightly printing.
• Set up Workflows to notify Entry office, “You’ve got PIN LETTERS to Print!”
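Added example, not UNCG’s code: the three-question step from the “Answer me these Questions 3” slide returning the single generic error quoted under “Miscellaneous Info”, together with the “pre log table” of non-matching attempts and the pattern report this slide proposes. The record layout, sample people, the requester “source” key and the thresholds are assumptions made for the example; in Banner the lookup runs against SPRIDEN from an SSB page.

```python
"""Added example (not UNCG's code): three-question identification with one
generic failure message, a "pre log" of every attempt, and two reports over it.

Sample records, the `source` key (client address or session), and the
thresholds are constructed for this example."""
import hmac
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# The single message from the slide, used for every kind of mismatch.
GENERIC_ERROR = ("The Information you entered was not found in our records. "
                 "Please check the Information for Errors.")

# Constructed sample records standing in for SPRIDEN rows.
PEOPLE = {
    "888000001": {"last_name": "Smith", "dob": date(1992, 3, 14)},
    "888000002": {"last_name": "Lopez", "dob": date(1990, 11, 2)},
}


def _norm(s: str) -> bytes:
    """Whitespace- and case-insensitive form used for the name comparison."""
    return " ".join(s.split()).casefold().encode("utf-8")


@dataclass
class Attempt:
    source: str      # who asked: client address or session key (assumption)
    banner_id: str   # the ID that was claimed
    ok: bool


@dataclass
class GetMyPin:
    people: dict
    attempt_log: list = field(default_factory=list)   # the "pre log table"

    def identify(self, source: str, last_name: str, banner_id: str, dob: date) -> dict:
        """All three must match. Every failure gets the same message, so the
        response never reveals which field was wrong or whether the ID exists."""
        banner_id = banner_id.strip()
        rec = self.people.get(banner_id)
        matched = (
            rec is not None
            and hmac.compare_digest(_norm(rec["last_name"]), _norm(last_name))
            and rec["dob"] == dob
        )
        self.attempt_log.append(Attempt(source, banner_id, matched))
        if not matched:
            return {"ok": False, "message": GENERIC_ERROR}
        return {"ok": True, "banner_id": banner_id}

    def suspicious_sources(self, max_failures: int = 5) -> dict:
        """Requesters with many failed matches: a bot / guessing signal."""
        fails = Counter(a.source for a in self.attempt_log if not a.ok)
        return {src: n for src, n in fails.items() if n >= max_failures}

    def targeted_ids(self, min_sources: int = 3) -> dict:
        """IDs probed unsuccessfully from several different sources."""
        by_id = {}
        for a in self.attempt_log:
            if not a.ok:
                by_id.setdefault(a.banner_id, set()).add(a.source)
        return {bid: len(srcs) for bid, srcs in by_id.items() if len(srcs) >= min_sources}
```

The two reports are the “reporting to look for patterns of non successful actions” idea in its simplest form: one keyed by requester, one keyed by the ID being claimed, both fed only by the log that a Captcha or a rate limit would sit in front of.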