Ask the FERPA Professors

July 22, 2024

Dear FERPA Professor,

We are trying to determine the best practice for IT when it comes to resetting passwords for students. 

Right now, we have a reset link that is sent to them if they can answer Name and DOB. We know that this isn't secure enough and want to ensure we are utilizing the best practice for authentication for a password reset.

Regards,
Ms. Tustehp

Dear Ms. Tustehp,

The process you describe for resetting passwords for students to access their SSI would not be in compliance with FERPA. Institutions are required to ensure the privacy of student education records, and any disclosure of those records must meet the signed consent requirements at § 99.30 in the FERPA regulations or the conditions of one of the exceptions to signed consent found at § 99.31. One of those exceptions is § 99.31(a)(12), which permits disclosure to the student without consent. However, § 99.31(c) requires that the institution use "reasonable methods" to identify and authenticate the identity of the student prior to any disclosure of those records.

This would involve such methods as a secret PIN or password. When resetting a password, it is important to have a robust identity authentication process in place. This could include an authentication process such as a verified photograph of the student, having the student email the request through an institutionally assigned email account, or mailing the new password to the home address on file. What is not considered reasonable for identity authentication, however, are items such as D.O.B. or SSN. An institution would not be prohibited from requesting such items, but they do not authenticate a student's identity. In addition, if the SSI contains financial information, then the institution would be subject to the requirements of the Gramm-Leach-Bliley Act, which has its own standards concerning the protection and disclosure of financial information.

I hope this is helpful in answering your questions. You can find the above-cited FERPA regulations on pages 159, 161, and 162 of the 2012 AACRAO FERPA Guide.

The FERPA Professor

AACRAO members, send your questions to the FERPA Professor at communications@aacrao.org.