UNC CAUSE 2011: Random PIN
Presentation for UNC CAUSE (transcript)
Custom Secure Random PIN Distribution
Moreland Smith, The University of North Carolina at Greensboro
Alternate Title
How we kept our Registrar from going to jail
and got cookies!!!!
Session Rules of Etiquette
• Please turn off your cell phone/pager
• If you must leave the session early, please do so as discreetly as possible
• Please avoid side conversation during the session
• Do not pass Go, do not collect $200.
Introduction
• My goal today: to share UNCG’s custom solution to random PIN distribution across all populations of entering people.
Benefits: An understanding of
• Business Case
• Technical Architecture
• Administrative GUI
• End User Experience
• Project Results
• Woulda / Shoulda / Coulda
Business Case
Things I learned from 1990’s Infomercials
The University of North Carolina at Greensboro
• 18,000+ Fall 2010 Enrollment
• Undergraduate
• Graduate
• Distance
• Additional 2,000+ iSchoolers (High School)
• 3 Entry Offices with Hiring Authority
• 6 Entry Offices Admitting Students
• Mods Philosophy: “Vanilla…. but with sprinkles… and a bit of fudge mixed in…”
Old way of Doing Business
• Pattern based initial PIN, custom trigger on DOB entry
• DOB rearranged YYDDMM
• Pattern published on web sites
• Some emailed ID and then snail mailed PIN
• Some asked students for permission to send both ID and PIN via email.
• Some offices handed paper to new hires
• Letters are lost
Where we were
Different Offices +
Different Practices =
INSANITY
Good advice from the mid 1990’s…..
Potential Problems
• Perception: ITS owns the PIN, so call the Service Desk
– Have to talk through the general pattern YYDDMM.
– Service Desk can’t assist because…
• Forgot-PIN Q&A not yet established; cannot authoritatively identify the caller, since they have never had a successful login
• “But they said….”
• Root Causes
– Incorrect DOB Entered (esp. Internationals)
– Student does not know ID
Inspiration from Earlier Work
• https://getmyid.uncg.edu
• Built during transition from SSN to Generated ID, approx. 2006
• Allows ID display via SSL browser with entry of the person’s UNCG Username/Password
• Allows email delivery of ID
• Single Last Name & Email Address match
– Last Name: Smith
– Email: [email protected]
• If one and only one match is found (i.e. a Banner record with last name Smith that also has [email protected] in GOREAML), send ID# to that email
The Vision: One tool to assist them all
• Web Based
• Near Real Time, Secure (Encrypted) Delivery of Random PIN
• Options for Paper Mail
• Receive PIN Information from “Entry Office”, not ITS
• Standard text with optional Entry Office specific info
• Refer people back to “Entry Office” if there is a problem with their data
• Flexible additional populations, additional “Entry Offices”
• Log usage
However this was beyond our budget….
And had some nasty side effects….
Core Business Concepts/Challenges
• All persons have a “best fit” Entry Office
– Single Role (New Freshman = Undergraduate Admissions)
– Multi Role people (Employee taking classes = ????)
• Offices desire to minimize mailing costs, printing labor
– Email/web is first choice
– Paper mail only if email/web is not possible or selected by person.
• If there is a problem with a person’s data it needs to be corrected by their Entry Office, not ITS.
• People often do their email via insecure means (public WiFi)
– Therefore delivery of PIN should be SSL protected and
– Not “Man in the Middleable” (Firesheep)
Defining Happiness
• For the Person: doing it all online themselves at 3am and never having to talk to UNCG staff.
• For Entry Office Staff: the person doing it all online themselves at 3am and never having to talk to UNCG Entry Office Staff.
• For the Person: couldn’t get it online, but can get it via snail mail; at least I didn’t have to talk to a UNCG human.
• For Entry Office Staff: I guess I can run a daily batch job to print and mail some letters, sigh….
• For Both: I have to talk to someone via phone????
Random Pin Origination Process Flow
Random Pin Flow
Technical Architecture
Some vanilla, some sprinkles, and some fudge ripple mixed in….
Sometimes good things are a bit messy….
Security Principles
• All Web traffic must be SSL
• Email may or may not be read via secure means, therefore we must assume it is not
• You can’t prove who you are on the web, so we must communicate via a previously established address
• Something you have, plus something you know.
– You have: PIN LINK (random URL) delivered by email
– You know: “Verification Word” you gave in an SSL session, stored by the system, which you must match to use the PIN LINK URL
Security Principles Continued
• Any PIN LINK URLs must be sufficiently random
• Any PIN LINK URLs must expire within a set brief time period
• Minimize visibility of PIN to UNCG staff (only on hardcopy prints in Entry Office)
• Random PINs should be one-time use only (Baseline takes over from there)
• Even if someone who is not you starts the getmypin process (but they know your Last Name, ID & DOB), we should minimize the “reveal” of your protected information [result = masking of email/addresses]
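The two-factor redemption described on the last two slides, written out as an added Python example (illustrative code, not UNCG’s PL/SQL or Banner objects): the 32-character alphanumeric token, the 20-minute lifetime, the 3-attempt limit, one-time use and the masking rule follow the slides; the class and function names, the salted hashing of the verification word and the 6-digit random PIN format are assumptions.

```python
"""PIN LINK issue/redeem flow: something you have (the random URL token sent by
email) plus something you know (the verification word). Illustrative Python;
names and storage layout are assumptions, not UNCG's PL/SQL or Banner tables."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_letters + string.digits   # 62 characters: upper, lower, digits
TOKEN_LENGTH = 32                                 # slide 25: "32 is even better"
TOKEN_TTL_SECONDS = 20 * 60                       # expiration value (GTVSDAX-style setting)
MAX_WORD_ATTEMPTS = 3                             # "3 strikes and you are out"


@dataclass
class PinRequest:
    token: str          # random part of the PIN LINK URL (the "something you have")
    word_salt: bytes
    word_hash: bytes    # salted hash of the verification word (the "something you know")
    random_pin: str     # one-time PIN, pre-expired in Banner so it must be changed on first login
    issued_at: float    # seconds since epoch
    attempts: int = 0
    consumed: bool = False


def new_token(length: int = TOKEN_LENGTH, alphabet: str = ALPHABET) -> str:
    """CSPRNG token; use secrets, never random, for anything that acts as a credential."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _hash_word(word: str, salt: bytes) -> bytes:
    # Normalise case and whitespace so "Maple" and " maple " match, then salt+hash so a
    # staff member or DBA reading the table learns nothing usable.
    return hashlib.sha256(salt + word.strip().lower().encode("utf-8")).digest()


def mask_email(addr: str) -> str:
    """Enough for the owner to recognise the address, not enough to be a useful
    'reveal' to someone who only knows a victim's last name, ID and DOB."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}{'*' * max(len(local) - 1, 1)}@{domain}"


class PinLinkService:
    def __init__(self) -> None:
        self._requests: dict[str, PinRequest] = {}

    def issue(self, verification_word: str, now: float) -> str:
        """Called from the SSL session in which the person typed their verification word."""
        salt = secrets.token_bytes(16)
        req = PinRequest(
            token=new_token(),
            word_salt=salt,
            word_hash=_hash_word(verification_word, salt),
            random_pin="".join(secrets.choice(string.digits) for _ in range(6)),
            issued_at=now,
        )
        self._requests[req.token] = req
        return req.token

    def redeem(self, token: str, word: str, now: float) -> tuple[str, str | None]:
        """Returns (status, pin). The PIN is released exactly once."""
        req = self._requests.get(token)
        if req is None or req.consumed:
            return "invalid", None            # unknown URL, or already used: same answer for both
        if now - req.issued_at > TOKEN_TTL_SECONDS:
            return "expired", None            # "Oops, you waited too long"
        if req.attempts >= MAX_WORD_ATTEMPTS:
            return "locked", None             # "3 strikes and you are out"
        req.attempts += 1
        if not hmac.compare_digest(_hash_word(word, req.word_salt), req.word_hash):
            return ("locked" if req.attempts >= MAX_WORD_ATTEMPTS else "wrong_word"), None
        req.consumed = True                   # one-time use; Baseline takes over from here
        return "success", req.random_pin
```

The expiry check runs before the attempt counter so a guess against a dead link costs the attacker nothing and reveals nothing; unknown and already-used tokens get the same answer so a probe cannot tell a live request from a spent one.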
Technical Components: Baseline
• Configurations within
– Letter Generation Letters & Paragraphs
– GTVSQPR (Business Rule Process Code Validation)
– GTVSQRU (Business Rule Code Validation)
– GORRSQL (Business Rules Form)
– GTVSDAX (For setting expiration value)
• Draw upon data within
– GOREAML Table
– SPRADDR Table
– SPRIDEN Table
– Various Student, Alumni, Employee tables calculating Entry Office association for a person
• Baseline functionality
– Ability to set PIN as pre-expired (i.e. force change on next login)
Technical Components: UNCG Custom Built
• INB Components
– SZAEOFC (Entry Office Control Form)
– SZAHIRC (Entry Office Rule Hierarchy Control Form)
– SZAPDIS (PIN Distribution Form)
• URL on Banner App Server
– https://getmypin.uncg.edu
• SSB pages (outside Secure Login)
– Request PIN
– Respond to PIN LINK URLs
• Email generation function (draws text from LTR/PARA)
• Batch Job
– SZPPNPT (PIN Letter Printing)
• PL/SQL Function for Random URL String Generation to NIST Special Publication 800-63 Standard
20 Minutes of Defense
• How long to make the random URL???
• Calculations by UNCG Security Analyst
• Assuming web requests can be processed at 20,000 per second: 20,000 x 60 seconds per minute x 20 minutes = 24 million attempts possible in the time frame.
• http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf page 53
• Goal: 36 bits of entropy
• Achieved by 20 random characters from an alphabet of upper, lower and numbers (62 characters). Each character adds log2(62), about 5.95 bits, so 20 characters give about 119 bits, far beyond the 36-bit goal; 7 characters would already meet it.
• If 20 characters is good, then 32 is even better….
• And even if you get a hit on a Random URL that happens to be “Usable” at the moment, you still have to guess the Verification Word, and you only have 3 attempts.
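The arithmetic on this slide, redone as an added Python example (not the UNCG security analyst’s calculation): the attack budget for a 20-minute window, bits per character, the shortest token that meets the 36-bit goal, the chance that 24 million guesses hit one live link at 20 and 32 characters, and, for contrast, the keyspace of the retired YYDDMM pattern PIN. The request rate, window and goal come from the slide; the ten-year birth-year span for the pattern PIN is an assumption.

```python
"""Sizing the PIN LINK token against a fixed attack window. Illustrative Python;
the request rate, window and 36-bit goal come from the slide, the ten-year
birth-year span used for the old pattern PIN is an assumption."""
import math

REQUESTS_PER_SECOND = 20_000
WINDOW_MINUTES = 20
ALPHABET_SIZE = 26 + 26 + 10            # upper, lower and digits
ENTROPY_GOAL_BITS = 36


def attack_budget(rps: int = REQUESTS_PER_SECOND, minutes: int = WINDOW_MINUTES) -> int:
    """Guesses an attacker can submit while a single PIN LINK is alive."""
    return rps * 60 * minutes


def token_entropy_bits(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Each uniformly random character adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Shortest token meeting a bit goal with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def guess_success_probability(bits: float, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one specific live token.
    For a uniformly random token this is attempts / 2**bits, capped at 1."""
    return min(1.0, attempts / 2.0 ** bits)


def pattern_pin_entropy_bits(birth_year_span: int, dob_known: bool = False) -> float:
    """Keyspace of the retired YYDDMM pattern PIN. The pattern itself was published
    on the web, so an attacker who already knows the DOB has nothing left to guess;
    otherwise there is roughly one candidate per calendar day in the plausible span."""
    if dob_known:
        return 0.0
    return math.log2(birth_year_span * 366)


def sizing_report(lengths=(20, 32)) -> dict:
    """Everything the slide argues, in one dictionary."""
    budget = attack_budget()
    report = {
        "attack_budget": budget,
        "min_length_for_goal": min_length_for_bits(ENTROPY_GOAL_BITS),
        "p_hit_at_goal": guess_success_probability(ENTROPY_GOAL_BITS, budget),
        "pattern_pin_bits_10yr": pattern_pin_entropy_bits(10),
        "pattern_pin_bits_dob_known": pattern_pin_entropy_bits(10, dob_known=True),
    }
    for n in lengths:
        bits = token_entropy_bits(n)
        report[f"bits_{n}"] = bits
        report[f"p_hit_{n}"] = guess_success_probability(bits, budget)
    return report


if __name__ == "__main__":
    for key, value in sizing_report().items():
        print(f"{key:>28}: {value:.6g}" if isinstance(value, float) else f"{key:>28}: {value}")
```

Even at the bare 36-bit goal the 24-million-guess budget buys roughly a 1-in-2,900 chance against one live link; at 20 characters the chance is below 10^-28, and the 3-attempt verification word sits behind that.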
Administrative GUI
Putting the Puzzle Together
Initial Setups
• GTVSQPR (Business Rule Process Code Validation)
• GTVSQRU (Business Rule Code Validation)
• GORRSQL (Business Rules Form)
• GTVSDAX (For setting expiration value)
GTVSQPR Business Rule Process Code Validation
GTVSQRU: Business Rule Code Validation
GORRSQL Business Rule Form Sample
Now for the Custom UNCG Stuff
• SZAEOFC (Entry Office Control Form)
• SZAHIRC (Entry Office Rule Hierarchy Control Form)
• SZAPDIS (PIN Distribution Form)
SZAEOFC: Entry Office Control Form
SZAHIRC: Entry Office Rule Hierarchy Control Form
SZAPDIS: Pin Distribution Form
End User Experience
Finding Happiness
Finding Happiness
3 Faces of Happiness
• Self Service Email Delivery
• Request Paper Mail Delivery, Entry Office Prints
• Sorry, Person and Entry Office Communication Required
• All begin at https://getmypin.uncg.edu
Answer me these Questions 3
• What is your Name?
• What is your ID?
• What is your DOB?
Initial Entry: ID, Name, DOB
Would you like your pin in bits?
For your safety……
Process Tips & Disclaimers
We’re done! Check your email
Sample of Email Body (sent from Entry Office email address)
Note the long PIN LINK URL
Having clicked the link
Oops, you waited too long
3 strikes and you are Out!
If you remember your Verification Word: Success!
From Here
• User logs into Baseline Self Service
– They must answer Baseline “Forgot PIN” Security Questions & Answers
• Because the random PIN was set as pre-expired
– They must set a new PIN.
• User is in Self Service and can do their business
• “didn’t have to talk to a human…”
Face #2
Request Paper Mail Delivery, Entry Office Prints
You want your PIN on dead trees…
Ok, Please be Patient
We’re done!
After the Entry Office, Prints, Mails and you receive
The Third Face
Sorry, Person and Entry Office Communication Required
Recap of the Path
• Success with ID, DOB & Name
• No valid emails, or did not choose email, and
• No valid mailing address, or said do not send via paper
Oh, addresses out of date/ don’t trust US Postal Service
Next Steps
• Hopefully person calls their entry office at the phone number listed.
• Staff member with privileges on SZAPDIS can review request, status, etc.
• Based on Entry Office specific practices staff can attempt to
– Identify the person calling (20 questions method)
– Gather corrected contact information
– Immediately enter that in Banner (GOAEMAL/SPRADDR)
– Have the person try again.
Miscellaneous Info
• Email is sent from Entry Office specific email address, so bounces are returned there for remediation by Entry Office staff.
• Letters are sent from Entry Office, in their envelopes, so returned mail can be dealt with by Entry Office staff.
• Other Error Messages
– Did not answer the 3 initial questions correctly = “The information you entered was not found in our records. Please check the information for errors.”
Results
What it has done for UNCG
Results Page
• All persons (students, staff, faculty, other) follow the same process.
• Email & Address data is better maintained by Entry Offices, since correct emails mean more happy faces.
• DOB Pattern based PINs are gone!
• Many fewer calls to Service Desk with PIN problems due to DOB issues, or “I lost my letter/email”
• Registrar’s Office Staff spend less time dealing with PINS for Alums (required for transcript ordering)
Unsolicited Client Email:
Subj: Just sending some love
The PIN re-set website has been a great help.
In the past, I received an average of 8-10 calls a month, which isn't bad, I know, but as this was an average, I sometimes had 8-10 in a week. I have only printed 3 PIN letters since we went live with this function last Spring.
THANK YOU.
--
Kelly A. Rowett-James, University Registrar
The University of North Carolina at Greensboro
Summary
• Solve the Business Problem:
– Make it Standardized, Self Service, Secure,
– Also make it Flexible and Customizable
• Architecture: Use what you have & build what you need
– Baseline Components: GORRSQL, Letter Gen, GTVSDAX
– Custom INB, SSB, Batch Job pieces
• Admin GUI: Build for flexibility
• End User Experience
– Small, Simple Steps
Woulda/Shoulda/Coulda
Things we might do to enhance or would do differently.
Ideas to make it better
• Build Form/Table to map users of SZAPDIS to Entry Offices in order to restrict staff to “their” people, and ITS Staff to global Query. [Could also be done with Value Based Security]
• Build a secondary log table for each status of a Pin Reset Request.
• Build a “pre log table” to capture any situations where all 3 items do not match, to detect bot attacks
• Put in a “Captcha” as a bot defense
• Build reporting to look for patterns of non successful actions.
• Schedule batch process in UC4 for automatic nightly printing.
• Set up Workflows to notify the Entry Office: “You’ve got PIN LETTERS to print!”
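The “pre log table” and “patterns of non successful actions” ideas above, as an added Python example (not UNCG code): a constructed log of identification attempts (the three questions: name, ID, DOB) is scanned for one source failing repeatedly inside a short window, which is what a scripted guesser looks like, and for one ID being probed from many sources, which a per-source lockout or CAPTCHA alone would miss. Log format, field names, addresses, IDs and thresholds are all constructed for the example.

```python
"""Detecting bot/enumeration traffic in a 'pre log' of getmypin identification
attempts. Constructed sample log and thresholds; not UNCG's tables or formats."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: ISO timestamp, client address, outcome of the three questions, ID tried.
SAMPLE_LOG = """\
2011-03-01T03:00:01 src=203.0.113.5 result=ok id=880000101
2011-03-01T03:00:10 src=203.0.113.9 result=no_match id=880000250
2011-03-01T03:00:30 src=203.0.113.9 result=ok id=880000250
2011-03-01T03:01:00 src=198.51.100.7 result=no_match id=880000300
2011-03-01T03:01:01 src=198.51.100.7 result=no_match id=880000301
2011-03-01T03:01:02 src=198.51.100.7 result=no_match id=880000302
2011-03-01T03:01:03 src=198.51.100.7 result=no_match id=880000303
2011-03-01T03:01:04 src=198.51.100.7 result=no_match id=880000304
2011-03-01T03:01:05 src=198.51.100.7 result=no_match id=880000305
2011-03-01T03:05:00 src=192.0.2.10 result=no_match id=880000400
2011-03-01T03:05:01 src=192.0.2.11 result=no_match id=880000400
2011-03-01T03:05:02 src=192.0.2.12 result=no_match id=880000400
2011-03-01T03:05:03 src=192.0.2.13 result=no_match id=880000400
"""

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5      # no_match results from one source inside WINDOW
SOURCE_THRESHOLD = 3    # distinct sources failing against the same ID


def parse(log_text: str):
    """Yield (timestamp, src, result, id); a real feed would read the pre-log table."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        yield datetime.fromisoformat(ts), fields["src"], fields["result"], fields["id"]


def detect(log_text: str):
    """Return alerts: ('burst', src, peak_failures_in_window, distinct_ids_tried) and
    ('distributed', id, distinct_sources). One genuine person mistyping a DOB once
    trips neither rule."""
    fails_by_src = defaultdict(list)
    srcs_by_id = defaultdict(set)
    for ts, src, result, pid in parse(log_text):
        if result != "no_match":
            continue
        fails_by_src[src].append((ts, pid))
        srcs_by_id[pid].add(src)

    alerts = []
    for src, fails in fails_by_src.items():
        times = sorted(ts for ts, _ in fails)
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= FAIL_THRESHOLD:
            alerts.append(("burst", src, peak, len({pid for _, pid in fails})))
    for pid, srcs in srcs_by_id.items():
        if len(srcs) >= SOURCE_THRESHOLD:
            alerts.append(("distributed", pid, len(srcs)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because the identification step returns the same “not found in our records” message for every kind of mismatch, only the server side can tell the difference between a typo and a sweep; this is why the failed attempts need to be logged before the generic message goes back to the browser.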
Questions?
• Any and all are welcome