Logging in students securely and without pain

Description / Overview

When students get the opportunity to see their submissions with grade and tutor feedback they somehow have to login to Grady. In a first test, long passwords printed on lists were used. This approach is slow and ultimately insecure since passwords are printed out on paper and therefore easy to eavesdrop. Another hurdle is that students are not reliable. Any concept involving tokens sent to email accounts or the students smartphone is too error-prone.

The proposal for a solution is to use a combination of pre authentication with a username in combination with a manual confirmation by already authenticated tutors. The student arrive at the exam room where computers are present. It works like this:

1. The student sits down, opens the website of their exam and enters their username.
2. The username is then displayed in large friendly letters on the screen, while the session is registered in the system.
3. All authenticated tutors have an overview of all students that currently request access.
4. (Optional) The student can enter their seat number (or some other form of geo information) to give the tutor a hint.
5. The tutor checks if the identity of the session matches that of the student via student identity card.
6. The tutor confirms the login on their phone/laptop. The student webpage reloads and they can now see their submissions.
7. (Optional) It would be easy to extend this system, so students can request help even after login.

Use cases

For students so the may login without entering a password and for reviewers/tutors so they can effortlessly login students.

Links / references

This is the original proposal before discussion:

Possible solution to the password during exam access problem:

When trying to access their exam, the students are prompted for their Matrikelnr. and their @stud.uni-goettingen.de mail. A Session token is generated and sent to the specified email-adress. Clicking a link within the email or entering the token manually authenticates the Student for the duration of the exam access. After the end of the exam access or when the student logs out, the token is deleted. This would require that the e-campus or OWA mail client is accessible.

Feature checklist

• Student can enter their username and a session is logged.
• The tutor has an overview of all students that requested access.
• The tutor may authenticate a student after checking their identity.
• No passwords or additional tokens are used.

/label Feature proposal

changed milestone to %Computer Science I & C programming exam

By robinwilliam.hundt on 2017-10-28T21:05:12 (imported from GitLab)

changed the description

By robinwilliam.hundt on 2017-10-28T21:05:52 (imported from GitLab)

changed the description

By robinwilliam.hundt on 2017-10-28T21:07:15 (imported from GitLab)

changed time estimate to 5h

By robinwilliam.hundt on 2017-10-28T21:07:26 (imported from GitLab)

I think especially the availability of the Email client could be problematic. A simple expiry date for the token should be set and enforced as well (5 min for example).

But a 2-factor-auth without an additional password is the way to go I think.

By Jan Maximilian Michal on 2017-10-29T12:41:01 (imported from GitLab)

Would also solve #29 (closed) btw.

By Jan Maximilian Michal on 2017-10-29T20:28:05 (imported from GitLab)

changed title from Access to Student View via email-sent tokens to Logging in students securely and without pain

By Jan Maximilian Michal on 2017-11-02T16:54:12 (imported from GitLab)

changed the description

By Jan Maximilian Michal on 2017-11-02T16:54:12 (imported from GitLab)

changed time estimate to 2d

By Jan Maximilian Michal on 2017-11-02T16:54:58 (imported from GitLab)

mentioned in issue #43 (closed)

By robinwilliam.hundt on 2017-11-08T22:18:31 (imported from GitLab)

mentioned in issue #29 (closed)

By Jan Maximilian Michal on 2017-11-15T18:07:16 (imported from GitLab)

changed milestone to %Computer Science I & C programming exam (Mock exams)

By Jan Maximilian Michal on 2017-11-16T14:11:18 (imported from GitLab)

mentioned in issue #52 (closed)

By Jan Maximilian Michal on 2017-11-16T16:12:19 (imported from GitLab)

mentioned in issue #57 (closed)

By Jan Maximilian Michal on 2017-11-24T21:48:56 (imported from GitLab)

changed milestone to %Computer Science I & C programming exam

By Jan Maximilian Michal on 2017-12-21T09:04:47 (imported from GitLab)

mentioned in issue #76 (closed)

By robinwilliam.hundt on 2017-12-29T16:11:49 (imported from GitLab)

changed milestone to %C programming course (Block)

By Jan Maximilian Michal on 2018-02-17T21:37:56 (imported from GitLab)

This feature is no longer necessary due to the changes of ea3357ba .

The reviewer now has the option to generate passwords for all students when exporting the data. Combined with the functionality of applying the pseudonym map, this allows the reviewer to generate username, password, real name pairs for all students without any involvement of the application maintainers.
These credentials can be used by the reviewer to send the students their login data before they access their exam. Student access has to be first allowed in the reviewer student overview and is one time only.

By robinwilliam.hundt on 2018-09-30T16:42:24 (imported from GitLab)

closed

By robinwilliam.hundt on 2018-09-30T16:42:24 (imported from GitLab)