PT: Parent access security

Jan 23, 2018

One of the first questions we get asked is about the parent access security.  Specifically, “where is it?”.  When we tell first-time users that there isn’t any, they seem quite taken aback by the idea.  There was, however, a lot of thought put into this decision, so let us explain how we arrived at our current design.

Keep it simple

One of the core ideas was “simplicity”.  We wanted to keep the application as easy to use as possible for parents, teaching staff, IT admin and office staff.

Keeping it simple for parents: There are no code numbers or pin numbers to remember.  The vast majority of parents would know their email address and generally they will type it correctly when asked.  This was the perfect piece of information that we could uniquely identify a parent by and one that the parent would know and remember without any additional effort.  So the parents can now create or update their bookings by remembering their email address.

Keeping it simple for office staff:  No parents queueing at the office to make bookings every morning.  No parents calling because they have lost their code numbers or pin numbers.  No parents calling because they never received their code numbers / pin numbers.  No parents calling because they have entered their code number and pin number and the system won’t let them in.  However, we understand there will always be some parents who are not able to book online, and therefore the office staff will make some bookings, which they can do through the parent-friendly interface.

Keeping it simple for teaching staff:  Teaching staff are optional.  Of course we need them for the interviews; however, there is no absolute requirement for them to access the system.  Staff may choose to use SOBS in order to block out certain time slots due to other commitments, and they can also review the list of parents they will be seeing.  This detail is also available via printable reports that can be distributed to staff prior to the interviews.

Keeping it simple for the IT administrator:  Upload a list of teaching staff and assign year levels to each staff member.  There will likely be a requirement to include a link to the parent booking page on your school website.  The P/T interview manager can then schedule an interview round and notify staff and parents.

Our experience

Hundreds of schools have used SOBS to run their Parent/Teacher interview booking – so in practice do they have issues with the security?

We always anticipated there would be a number of student-hackers who would attempt to break the system.  Sure enough there were some, but probably fewer than we had anticipated.  In practice they are few and far between.  Also, there is very little the malicious hacker can do apart from creating or cancelling some interview bookings.  Generally the information they supply makes it quite obvious the bookings are invalid and therefore they can easily be deleted.

We also asked ourselves whether pin numbers would help.  In the majority of cases the pin numbers were sent home on a notice or to a family email account – places where the student would have easy access.  So even with pin numbers our ‘known’ hacker can still do damage to the booking information.

What are the risks?

Another key question was “how much damage can our hacker do, or how much information can they obtain?”.

Firstly, the hacker will need to know an email address of the parent; they will also need to know when the interview system is open for parent access.

They could create some invalid bookings.  Generally the information (names) they supply makes it quite clear that the details are invalid – so staff simply delete the bookings and they are gone.  It is worth having a staff member briefly look through the bookings each day to check for invalid bookings – this would only take 1-2 minutes to quickly scan the parent booking list.

If our hacker was aware of a parent’s email address they could make changes or delete interview bookings.  We have had one instance like this that we are aware of.  The outcome of course is merely an inconvenience for the parent and teacher concerned – new interviews are scheduled and the problem is solved.

With an email address the hacker would have access to the parent’s name, phone number (a school can disable collection of the phone number), and the student names and year levels.  They would also have access to a list of staff names.  We acknowledge that this is private information that parents and schools would have to accept was at risk.  Our best defence is to limit the access times that parents have to book their interviews – this significantly reduces the opportunity our hacker has to access this information.

Still not sure?

So a few schools were still unconvinced.  We offered to add a pin number security option to the system when they purchased if they still decided they needed it after considering this information.

Generally they ran the trial, had very few problems with the security and decided that the simpler approach was better after all.

[May 2012] We recently had a school request the pin number option and have therefore implemented this as an option for those schools who wish to use it.  We continue to get positive feedback from schools and parents using just the email registration, and similarly very little misinformation is reported.