Senator Pushes for Stronger FAFSA Security Measures

Financial aid is on the minds of students and parents across the nation as they plan how to pay for post-secondary studies, but they shouldn't have to worry about information security as well.

by Susan Gentz, Deputy Executive Director, Content, Center for Digital Education / January 2, 2018 0
Financial aid is on the minds of students and parents across the nation as they plan and strategize how to handle applying for post-secondary studies. In the 2017 film “The House,” two distraught parents go as far as starting an illegal casino in the neighborhood to cover the costs of education for their daughter. While that’s not a recommendation the Center for Digital Education (CDE) would give, we can certainly understand the sentiment and concerns that come with applications for financial aid: concerns about cost, as well as privacy.
The information required for the Free Application for Federal Student Aid (FAFSA) can be financial data that banks have on any given customer. This intense amount of private, personal and important information must be protected, and for this reason, one senator is asking Secretary of Education Betsy DeVos to consider some protective measures for this sensitive information.
In April 2017, the FAFSA online tool was hacked, and files of over 100,000 FAFSA applicants were impacted. Criminal activity was found, and according to The Washington Post, “within weeks of taking the tool offline, the IRS and Education Department decided to disable it until October to put stronger protections in place.”
This could be what prompted Democratic Sen. Ron Wyden of Oregon to request that Secretary DeVos enact multi-factor authentication for access to these records, which includes information such as birthdate, income and Social Security numbers.
In a letter to DeVos, Wyden states that, “given the sensitivity of the data collected during the FAFSA application, it is paramount that this information be protected from identity thieves. To that end, I urge you to direct your staff to examine the existing security controls protecting the FAFSA website, and to consider additional cybersecurity protections, particularly for data associated with partially completed applications. At the very least, subsequent logins to the FAFSA website should require two-factor authentication, either by sending an email to an address on file for an applicant or using a phishing-resistant method of two-factor authentication, such as a U2F token.”
According to How-To Geek, “U2F is a new standard for universal two-factor authentication tokens. These tokens can use USB, NFC, or Bluetooth to provide two-factor authentication across a variety of services. It’s already supported in Chrome for Google, Dropbox, and GitHub accounts. Microsoft is working on implementing it in Edge. This standard is backed by the FIDO alliance, which includes Google, Microsoft, PayPal, American Express, MasterCard, VISA, Intel, ARM, Samsung, Qualcomm, Bank of America, and many other massive companies. Expect U2F security tokens to be all over the place soon.”
If the Department of Education were to accept the recommendation of Sen. Wyden, it would be one of the first agencies to enact this specific multi-factor authentication. While this type of authentication isn’t new to federal agencies, this specific option is. The National Institute of Standards and Technology (NIST) classifies the protocol (U2F) as a strong credential option, as it meets government guidelines for asymmetric, public-key (PK) cryptography for authentication.
While some of the flagged records from the FAFSA breach were not criminal, but simply applicants that had not finished their application, there are still security concerns. Sen. Wyden points out that “there is a 'save key' which is intended to protect student data from unauthorized access that has been saved as part of the application process, but not yet submitted for processing. However, according to that same media report, the save key can be bypassed merely with knowledge of the student’s zip code.”
The privacy concerns are valid, and will only become more pertinent as the Department of Education is planning a release of a mobile app for use to apply for FAFSA by the spring of 2018.
What are you doing on your campus? Is U2F the best way forward to protect data? Let us know what you think!