Well, 2 points I would make:
I was advised not to use a student number as a password here, so, when I finally got the pdo login system working, I left student numbers out of the equation entirely. Just an email and a password of which I have no knowledge. I don’t know who owns that email.
If I collect the student number in the registration process and the student enters a wrong student number, as skawid suggests might happen, that student will never get a score! My Python looks down the numbers column in the results table and writes the score corresponding to that number!
My students still use an ‘unsafe’ login, using their student number, but then, it is only homework, not bank accounts. (I’ll change the login system for next term.) They login with their student number and write their student number on each homework. Just like my mobile phone, every 72 hours it requires me to enter my password instead of my fingerprint. I remember my password!
The students have a vested interest in writing the correct student number: their score!
" Is a student allowed to submit work for another student?"
Theoretically not, but if you give me your login and password for your bank, I can login, transfer your millions to me! The bank won’t know it is not you! I don’t think that can be controlled.
Unless you know a better way to check that!