7 Replies Latest reply on Oct 26, 2017 12:19 PM by Greg Sykes

    Masking Logins

    Greg Sykes Tracker

      I can see where we can turn on the ability to mask logins if we're using Omega devices, but how can we accomplish this if we are still using a computer with Pharos Station on it? I would like to be able to have logins mask to cut down on theft.

       

      Thanks,

       

      Greg Sykes

        • Re: Masking Logins
          Greg Sykes Tracker

          I may need to put in a ticket with TracSystems on this. Was just hoping there was a quick fix.

            • Re: Masking Logins
              Steven English Guide

              Good Morning Greg Sykes,

               

              Unfortunately, the ability to mask logons on the PC stations is not a feature that currently exists in the product.  I do not know if the new API based release stations will have this feature or not.  Perhaps someone from Pharos could comment on what features could be expected when the new web API-based PC station is released?

               

              Regards,

              Steven

            • Re: Masking Logins
              Katherine Baynton Ranger

              I'm not sure of your logon (bank) scenario, so this may or may not be useful - but if users do not have passwords then you could switch the station bank to have Source of ID (and Source of Funds) as ID Card Keyboard Wedge.  No feedback is shown on the screen at all when entering credentials with this option (it also says something like 'Please swipe your card' which may not be meaningful to your users).  If users are typing in a username, they will not see any indication of how many characters they have typed but it will certainly mask what is being entered. 

               

              The coming PPC Release Station will behave the same as the existing PC station in this regard.

               

              If this doesn't help, please provide a little more info on your configuration/scenario and we can see if there's anything more useful.

               

              Regards,

              Katherine

              • Re: Masking Logins
                Yadin Flammer Navigator

                I'm not understanding the question or situation.  Passwords are (of course) not displayed at login, i.e. they are masked.  Are you asking to mask the userid as well?  In what way does this "cut down on theft"?  I can't envision the conditions that would make this a concern.

                  • Re: Masking Logins
                    Greg Sykes Tracker

                    Hi Yadin,

                     

                    I'll try not to go into a long explanation, but we currently have logins for staff setup to where they can use their employee number to log into the Xerox machines and the computer release stations, without having to also supply the password. Their staff number is associated with their user logins. We did this out of convenience for the staff, because mostly what they use are Xerox machines, and it's really tedious having to type in your username AND a password just to log into the MFD to retrieve a print job. We also have it setup so that they can use their ID badge (RFID badge) to scan into the machines as another easy login method. The Staff IDs are pretty  much benign. There's no money associated with our staff numbers, so it doesn't matter if someone happens to learn my ID number. Essentially, the student ID numbers are also in Pharos and work exactly the same way. However, the issue is, there is added security risk of student ID numbers getting stolen, because financial aid is attached to the number, add-value printing is attached to the number, and also, students can look up email addresses via the student ID and get the password reset and hijack that account. The way things are setup right now, we can't force the students to use a password if they log in with their ID # (only the username requires a password), without turning that on for the staff as well. We don't want to turn that on for the staff, because that would undo the work we put in to making it more convenient our staff/faculty.

                     

                    My thought process was to keep the login process convenient for the student so that they could continue to use their student ID # to login without the need of a password, but also find a way to mask the username field like the password field gets masked, so that their student ID#s would be protected. That's the best way I can explain it. The whole process gets imported from our ERP database, but I won't get into all of that. Just that masking the username field would help in this situation, but it appears the only the Omega devices have that functionality.

                      • Re: Masking Logins
                        Yadin Flammer Navigator

                        hmmm... might I humbly suggest that if a userid is all you need to hijack an account, you have bigger issues.

                        That said, I see some of your conundrum with convenience for employees, but there is a way to do what you want I think, all you need to do is have two queues for the same device.  The queue you install on employee machines, which I assume are controlled by IT and therefore trusted devices with standard logins, are direct print and do not require popups.  The queues you make available for students, DO require popups.  All accounts have a password on them, but because they are not required on the employee queues, the machine login is used for identification and there's no auth.  Students auth every print and can use release stations.  IF you had a printer where you really needed all jobs to be released, then the employees using that would need to have a set password and use the popup queue.  There is a certain security by obscurity here still in that if a student ever figured this system out, on a personal machine they can make a login account that matches an employee ID and print free under that person's account.  That I believe could be mitigated with further scripting, but we haven't gone that far.

                        We actually have two print servers to further help with this, one for fac/staff printers, one for student chargeback.  Again, employees wanting to use one of the large format student printers has to have their account on that server set with a password they know.  IDs are the same on all accounts as central University userids.  Some students are granted access to the employee printers, department pays for those, they are only accessible from systems using University auth in secure locations.  In some cases personal machines still come in to play with those printers, so we make the popup copy of the queue.  Group membership and access time settings limit who has access to what area's printers.

                        Hope that helps in some way, we don't have the badge layer you do but I'd hope that you could use the card number in Pharos for that, although I believe password would still be required in the configured cases.  I've only seen setups where a swipe is needed so you need the physical card, not just a number to type in.

                          • Re: Masking Logins
                            Greg Sykes Tracker

                            Thank you for your response Yadin.

                             

                            It's not an issue with the staff printing. Most all staff have an MFD in their area that is staff only, and we do have staff set up on direct print as default. If they need secure printing, we just have them email the doc to mobile print for release. In student areas, they are all secure printing only. We could, possibly do direct print for students, which would still capture their account and deduct money from their account, while not needing to use a pop up. Students in our LRC, now, log in with their AD accounts, so we could have it set up that way for them. The only downfall would be that when they send the print job to the printer, it's sitting on the printer along with other print jobs that would've been sent to the same printer, so there would be no security in that. I believe we'd like to keep student printing as secure release only.

                             

                            Not sure if we want to go the route of having a separate database print server for students only. I suppose we could look into that, but then, we'd probably have to go back through and do a reinstall of queues everywhere, and we just got through with a massive roll out of the system college wide, so I would really prefer not to have to go back and do it again.