Friday, August 15, 2008

Identification, Authentication, Nonrepudiation, Oh My

I think we're asking more of the digital than we are of its analog, um, analog. Section 496 of HR 4137, the College Opportunity and Affordability Act of 2008, which amends and reauthorizes the Higher Education Act of 1965, mandates that an "[accrediting] agency or association requires an institution that offers distance education or correspondence education to have processes through which the institution establishes that the student who registers in a distance education or correspondence education course or program is the same student who participates in and completes the program and receives the academic credit".

Seems reasonable enough on its face (although by no measure a simple matter in any case), but it brought about a realization: As far as I can figure, IHEs in fact do no such thing for good ol' fashioned face-to-face students. (Do they?) Who's to say that the person who shows up to get his or her picture ID card and then attends 120 credits' worth of classes is actually the person indicated on the original application? Do students have to identify themselves when they are getting their ID cards? At Temple, all I had to do was provide my Temple ID number.

As a teacher, I'm proud to say I've never asked a student to show proof of identification. Perhaps my classes are filled with impostors! (Good work if you can get it, as far as I'm concerned.)

That distance education courses are still predominantly asynchronous (at least for the moment) presents a particular problem here. Synchronous tests are easy enough, if expensive and inconvenient: send folks to a testing center or make them turn a webcam on themselves for remote monitoring. A hassle, but doable. Any distance education that relies predominantly on timed, synchronous testing is bad distance education, period.

With asynchronous activities, how is this authentication possible? When a "user" (student) is complicit with his or her impersonator, traditional means of authentication (a token or password) are no use. Even biometrics seems impotent: I swipe my print and sit back and drink beers until my wife/friend/scholar-mercenary finishes my work for me.

Am I missing something here? Is there a mechanism for the assurance sought by this soon-to-be law to be achieved in asynchronous distance ed? I'm having an "Is it me?...It's *him*, isn't it?" moment here.
