Student Authentication For Online Learners

Reading time:8 mins

Distance learning has transformed higher education.  It’s made college courses accessible to far more students and decreased real world classroom costs by taking it all online.  It’s a huge success story.

The only downside of virtual learning for schools is there’s a higher percentage of financial fraud than traditional campuses.  The latest estimate from the Dept. of Education is $1.351B annually and that’s only what we know about (ED-OIG A03P0003 May 2015).  Much of the reason for this fraud is lack of proper student ID authentication.

Online students don’t have to show up somewhere and make a physical appearance.  The only way they are identified is usually passwords/PINs and a user name.  As any I.T. security expert can tell you, it’s an inherently porous security method since credentials are easily shared (or hacked).  Straw students can be easily created to accept financial aid like Pell Grants then disappear, leaving institutions holding the bag.

The largest financial aid fraud ring found so far was 800 people. But there are many small rings, and individuals perpetrating these thefts.  With antiquated tools like passwords/PINs, fraud detection is nearly impossible. For years this hemorrhage to fraud has been tolerated because there didn’t seem to be an easy solution, but the Office of Inspector General Final Audit report is finally getting tough on student ID verification.  For the first time, Title IV (student financial aid) compliance is now tied to the institution’s annual compliance audits. And OIG says PINs and passwords are no longer enough to ID students. Upcoming accreditations will now look for appropriate identification technology.

OIG says students should now be identified throughout the course from start to finish so proctoring will not cut it.  So the need for conclusive student identity authentication is now urgent as schools struggle to find alternatives to the old passwords and PINs to protect their funding and bottom line.

Switch gears and think academic fraud. A different element but related because much of the issue of online cheating has the same culprit – lack of effective student ID authentication.

Several years ago The Chronical Review reported in an article called “The Shadow Scholar” that academics have had to admit that cheating is a bigger deal that once thought. This article was the most commented on in Chronical history and for good reason. It highlighted how one individual (The Shadow Scholar) was able to provide services for hire for students attending 39 universities and colleges.

The unnamed person completed essays, tests, and quizzes and even participated in online discussion assignments using the students’ PINs and passwords logins. He detailed how his company of over 60 persons was extremely busy and prosperous. Many academics were in disbelief and took on a “not in my back yard” position.  The elephant in the room was threatening to stampede. The truth is, detecting cheating online isn’t any more foolproof than finding fake, fraudulent students.  So it’s been easier to ignore this ugly secret – to schools’ reputational peril.

Eight-four percent of the 141 respondents concurred that student dishonesty is a significant issue. Half of all who responded believed that the public thinks dishonesty is more likely to occur in distance learning. But 79% did not see this as a difficult barrier, as effective solutions are available.

-2015 survey of WCET and UPCEA members

Prevent fraud losses and tighten academic integrity – that’s what the Department of Education expects. But…how?  The first thought many schools had was proctoring, the tried-and-true old technology of having a real person watch students while they take tests, on the lookout for hand signals, handwriting on palms, even earpieces.

They could send online students physically to testing centers, but this would impose a burden of travel on students and also force schools to pay for testing centers along with physical proctors.  But the whole point of distance learning is that it can be done without physical attendance.  So schools looked at online proctoring with browser lock-downs, webcams, and recorded video for professors to watch later.

Couple of problems here.

1.    The new rules from Dept. of Education say that the student needs to be identified continuously throughout the course. To use proctoring for every log-in would be an astronomical cost (at an average $20 per student PER event).
2.    With virtual proctors you at least have a chance to catch cheaters; but proctorless technologies that capture movements or certain biometrics that place the burden of proof on the faculty are simply recipes for failure on several fronts (i.e. user experience – don’t move, do this, do that, faculty review of hours of video – seriously who will do this? Also liability issues if collecting physical biometrics, lack of historical forensic reports that meta analyze patterns of fraud to name a few…)

3.    Browser lock downs cannot stop students from using their cell phones or even other PCs nor prevent other people (helpers) from being in the room.

Proctoring is good for its intended purposes to catch cheating in a single session. But we really don’t know who the student is who is taking the exam.  And we certainly don’t know who is completing all the other tests, quizzes, and discussion and participation assignments in the other say 20 gradable events that make up a student’s final grade. If the purpose is to reduce cheating, why not do it throughout the course and do it right.

Ultimately proctoring is becoming completely cost-prohibitive. So the next idea that gained ground was adding a layered security solution such as challenge questions to the LMS log-in. These are questions that only the student would know the answer to, like their favorite band or pet name.  Nice try, but these answers can be socially engineered (figured out through visiting social media pages). These questions also don’t qualify as a fully compliant solution to the problem of authentication beyond a doubt. (Read the latest on IRS hacking and the 50% failure of security questions).

Biometrics, identifying individuals through unique traits in a database profile, is really the only answer to compliance.  Long considered the best way – maybe the only way – to conclusively identify people, biometrics are increasingly being used. There are two types: -physical and behavioral biometrics. Physical include fingerprints, iris, knuckle, or face scans. But there’s a huge privacy risk with physical biometrics – these identifiers are not replaceable if stolen.  Schools would take on that liability.

What is needed is new biometric technology – a method to identify online students in a way that can’t be gamed, is cost-effective, privacy preserving and incurs no liability.   A tall order, but it brings us to gesture biometrics, also called behavioral biometrics.  Unlike physical biometrics, they are dynamic (changeable) and so can’t really be stolen. The main types are gait, writing, and typing (keystroke) recognition.  As effective as physical biometrics (excepting keystroke which has a low rate of accuracy*) gestures are a great fit for online student identification because they’re low-liability, low-cost, highly accurate and privacy friendly.  In education it’s a little tougher to identify an online student’s walk so that leaves keystroke and writing.  Of course we at BSI specialize in writing, specifically a hand-drawn 4 character password that users draw with their finger or mouse, depending on device.

But whatever biometric you choose to determine who is taking all the course assignments, you’ll need technology that has to be have the following ingredients:

•    Low-cost (example: gesture biometrics generally has one low fee for unlimited use and the yearly cost is only a fraction of just ONE session of what virtual proctoring costs)
•    User friendly (try to get 98% positive experience or better)
•    Takes less than 10 seconds to complete because students will use it often
•    Is added to your LMS and is recorded in your LMS grade book
•    The biometrics used should be behavioral, not physical, to avoid hacking which creates privacy law liability
•    Provides forensic reports that detail cheating in ready-made reports for accreditation and Feds

Almost certainly the solution to identity authentication compliance woes will be a blend of biometric technology and proctoring. Gesture biometrics for everyday use – as the foundation – and proctoring for higher stakes exams as you can afford. But the key point is to use at least an everyday foundation technology for effective continuous student ID authentication.  So institutions concerned about academic integrity (who is not? Please stand up!) should be using technology that will counter the escalating use of others (Mom, Dad, sibling or paid surrogates) doing gradable assignments, or even participation grades for students.

Why do it now?  You can also expect that the OIG and Department of Education will become ever-more stringent in their identity recommendations. Even years ago, their reports stated they expected that schools would migrate to better identification technologies as these became available.

But in fact, most haven’t. Why? Simple human nature. Reluctance to change, lack of urgent need to do it, and most of all, the lack of a cost-effective technology that would be relatively painless to implement.  With regulation changes in the air, better biometric choices than ever before, it’s time to get serious about dealing with identity.

*(Note: Keystroke biometrics are a poor option due to weaknesses in accuracy versus gesture biometrics like BioSig-ID that reported 27X better accuracy and 9X more user friendliness for registered users in independent lab tests).

Jeff Maynard, Inventor and Founder, Biometric Signature ID
Biometric Signature ID is a leader in the field of user ID verification that offers a family of solutions to meet the needs of institutions in multiple markets.