The University finished accepting proposals this week for a more secure method of verifying users' identities on UT's online services, such as UT Direct, registration, eGradebook and Blackboard.
Currently, the University only requires a single authentication factor before students can log in to any UT Web site. Currently, users need only to know their passwords to confirm their identity.
An additional security method, which the University has considered adopting for several years, may include a possession-based system that uses password-generating items that users carry with them at all times. These can include passwords sent to users' cell phones, ID cards that display a password, or USB tokens that closely resemble flash drives and generate one-time passwords, said Information and Technology Services Director Sheila Ochner.
The USB tokens automatically send the user's password when inserted into a computer, and some have a visual display that shows the password as well, Ochner added.
Another possible security method, the use of biometrics like hand- or eye-scanning devices, will not be considered because they are not cost-effective, and they raise privacy concerns, Ochner said.
Even before a 2003 hacking incident, which resulted in the theft of 37,000 Social Security numbers, and the more recent McCombs School of Business security breach, which put almost 200,000 people at risk for identity theft, the University was looking into a way to make their online community more secure, Ochner said.
"Possession-based systems are an expensive technology whose time has finally come," Ochner said.
Dana M. Springs, the buyer in charge of this proposal at the UT Purchasing Office, said a number of companies, including CompUSA Inc. and RSA Security Inc., have submitted proposals.
The proposal chosen by ITS will launch with a 300-to-600-person pilot in October, consisting of individuals with a wide range of computer expertise, according to the proposal request. Should the pilot be well-received, the approximately 15,000 staff and administrators on campus will begin using the new security system on April 1, 2007, according to the request's preliminary timeline.
"Staff and administrators are at the highest risk, because, when compromised, their accounts present the greatest opportunity for harm to be incurred," Ochner said.
Students will not be affected until Aug. 1, 2008, should ITS deem it necessary to extend these new measures to them.
Should the heightened security be extended to students, they would be responsible for keeping up with their security device, whatever it may be. Ochner acknowledged the likelihood that these tokens may be lost or stolen, and said the proposal has a provision requiring the company to provide a solution and constant support.
Ochner is confident that such a program can work.
"The UT Health Science Center in Houston deployed a possession-based system using USB tokens three years ago with much success," she said.
Be the first to comment on this article!