Why email is a poor way to identify students.
If you have an online business and you want to offer students and university staff discounts or special offers, then how do you go about verifying that they really are students?
Attracting students to your products or services can be immensely valuable. With over 50,000,000 university students across Europe they have substantial buying power and, if you can gain their loyalty early, this buying power will only grow with time. In the physical world, asking for a student ID card with a photo is quick and simple and, for most purposes, reliable enough however what is the online equivalent of photo ID?
It is often assumed that using an email address from an academic domain provides sufficient proof that a user is affiliated with an academic institution. Being, by definition, an online identity and also unique to each student then this would seem to be an ideal identity mechanism to verify students.
However, there are a number of issues with using email addresses.
- Privacy – Students are unlikely to want to use their academic email address for personal activities, such as registering to a new streaming service. Some institutions recommend that students do not use their academic email addresses for personal use.
- Personally identifiable information – email addresses are defined as personally identifiable information; if you only need it for the purposes of validating their academic affiliation, you won’t be authorised to store it for future use; using InAcademia means that you don’t have to ask for the academic email address at all, supporting the principle of data minimisation
- Inconsistent formats – Each country will probably use a slightly different format for issuing institutions with academic domain names and may have inconsistent rules for which institutions qualify. For example, many countries will provide schools with *.ac* domains. If your service is not suitable for under 18 year olds then this could be an issue for you.
- Not every college provides emails – Obviously this can cause issues if your primary verification process is the student email address.
- Email expiry – most colleges will continue to offer access to student emails for a period of time after graduation to enable students to migrate away from the use of their student email account. Sometimes this could be a period of over a year (or forever).
- Duplicate emails – email addresses are not always unique, and they are potentially reassignable to future students. Therefore the email address has to be correlated with other personally identifiable information before it can be used to verify a user’s academic affiliation
- Reliability – Email can fail to be delivered or caught in spam filters. Email accounts are also a prime target for hackers, making them less than 100% reliable as an authentication method.
- Email sharing – Even if you send a verification code to the email address, there is little to stop the student giving that code to their non-student friend or family member in order to share their discount offers to non-qualifying people.
InAcademia leverages the security and ubiquity of eduGAIN’s federated identity and authorisation process to provide a mechanism to verify the status of a student without needing to share personally identifiable information. Students using the InAcademia system will verify their credentials with their home institution and a simple response will be provided to the merchant. This response will be accurate, real-time and will not share data between the parties reducing the cost and complexity of managing data retention and GDPR reporting.
Find out how InAcademia can support identity verification for your business at https://inacademia.org