by pro_zac 2372 days ago
"As an added precaution, the university computing center decided to issue new passwords for all 38,000 JLU email accounts. However, the university was unable to do this online because of a quirk of German law, whereby the German National Research and Education Network (DFN) requires, in this case, JLU students and staff to obtain their new passwords in person from the university's IT staff, using an ID card to prove their identity."
1 comments

I'm curious to know what law this is and why other organizations in Germany do not have to resort to a similar tactic to reset passwords.

I think this might be a misquote. DFN is a registered association/charity which is providing network services for universities and research facilities (originally German, but spreading across Europe and beyond). They are the ISP of most German universities, and more relevant to the topic they operate eduroam, a wifi where any student or staff member can access their internet using their login credentials (username/password login via WPA2 Enterprise). It's really handy because even if you are at another university you can still access the wifi, and any misuse (==people getting sued for torrenting) is easy to track.

As such it stands to reason that they set rules for how credentials used to authenticate to their wifi are handled. And basically always those are the credentials for your university account.

tl;dr: almost certainly not a law, but rules most universities have to abide by if they want to keep their ISP and wifi.

So basically the equivalent of requiring ID for getting a phone SIM. Thanks for the clarification.

Did not make much sense otherwise for just email or even for active user accounts (as in unix logins), because if you have tens of thousands of them your security model surely cannot rely on the assumption that none of them are bad actors.

"Just like a phone SIM" is also where it definitely enters the realm of legal requirements. Certainly debatable, but there can't be much precedent and then it's the usual struggle between a perhaps careless group appealing to common sense and a maximum correctness camp that wants to go by the book, in its most pessimistic interpretation. When under a malware attack like that, even the slightest trace of neglect on the technical side can punish you hard. It's no surprise that the required mindset of extreme prudence carries over to the legal side. I still don't believe that the ID check would be the only correct way to handle this (e.g. snail mail still goes a long way in terms of checking legal boxes), but they surely are not in the mood for taking risks right now.

Maybe a contractual provision they're legally bound by but which isn't itself a law?

This seems like a bit of a misconception in the article. The university website [1] states:

> For security reasons and in accordance with the legal requirements of the German National Research and Education Network (DFN), there is no alternative to this procedure.

I'd assume the DFN requires all users to be personally identifiable for liability reasons. Although requiring all users to show up in person is still a bit odd. I just received a letter with a one time password by regular old mail back when I entered university.

[1] https://www.uni-giessen.de - English version of the second article is available by scrolling down a bit.

Possible it has to do with cards that can be used for purchases, though usually schools in America have a photo on file. Something is being miscommunicated probably.