My company (it's a university) is considering adopting an universal ID for all employees and students. We are considering using simple sequence numbers, but we are concerned that some people might try to type in random sequences to retrieve others' personal information. Another option is to use people's social security numbers, but scramble them somehow (making sure the resulting numbers are not duplicates). What possible solutions exist now?
You must authenticate people using something in addition to their universal ID. That "something" is typically a password, but it could be anything else that only the employee or student would know or possess (like their fingerprint, smart card, or other physical device).
Knowing someone's universal ID should only allow you to communicate with them (maybe via e-mail since their ID is probably part of their email address), but it should not allow you to access any private information about that person. I would equate a universal ID to a person's name. With their name, you can normally look up information about them (like in a phone book: address, phone number, e-mail address, title, field of study, et cetera), but you can't look at private information like their class schedule or grades.
Kerberos is a popular method for enterprise-wide authentication. At the University of Illinois at Urbana-Champaign, they once developed a system called Bluestem that performed authentication via a browser using Kerberos. Applications had an API that they could call to obtain a user's credentials, and if the user hadn't been authenticated yet, they were redirected to an authentication site where they authenticated and then were sent back to the requested application. That was in the mid-90's and, since then, many single sign-on mechanisms have adopted similar methods for authentication, but I don't think many of them are Kerberos-based. You might try searching for Bluestem at uiuc.edu and see what you find if that's interesting to you. Back when it was developed, they were giving the code away as well, but I'm not sure if it still exists. (Go Illini! :)
I would strongly recommend against using social security number in any form ("scrambled" or otherwise) as you may leave your employees and students subject to identity theft. If I were to attend college now, I wouldn't consider any schools where social security number was used as a means of identification. Universities should be issuing their own ID mechanisms whether that be a sequence number or a unique username (like dnorris4). Generally, I like d-norris54 or similar formats since it is easier to remember than a 5- or 6-digit number (at least it is for me).
Dig Deeper on Oracle database security
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.