For an explanation of why Two Factor Authentication (2FA) is being required, what services this new policy will apply to, and when 2FA must be implemented on applicable services, please reference the UT System policy memorandum for second factor authentication - 2014-Dec-02. If you have any questions about whether you need to implement 2FA or what 2FA methods are best for you to use, please contact your local IT support staff or our office at security@utexas.edu.
2FA Options for Gateway Access Services
At this time, the only acceptable 2FA enterprise gateway access service is the UT VPN. If you have a need to define another enterprise access gateway service, please contact us at security@utexas.edu.
2FA Enterprise Gateway Access Service
Service Type
Operating Systems
2FA Option(s)
2FA Options for Remote Access
If You Don't Read Anything Else, Read This
If You Don't Read Anything Else, Read This
Policy mandates that 2FA is required whenever any person working from a remote location utilizes administrative credentials to access a device that is used to store or process confidential or Category I university data. This includes cases where an initial login is performed with non-administrative credentials and privileges are elevated after a session is established (e.g. via sudo or su).
This policy only covers users with administrative privileges. Users who do not have administrative credentials to a device are not required to use 2FA to authenticate to that device.
This page lists the acceptable 2FA options for remote access to university devices which store or process Category I data. Certain options may work better in specific environments than others - consult your local IT support staff for any implementation questions or issues. If you need to use a 2FA option not on this list, please contact us at security@utexas.edu.
Remote administrator access to workstations and non-server devices should utilize 2FA options, such as the UT VPN service.
Note: Users MUST utilize 2FA for devices they have administrative access to, even when authenticating using non-administrative credentials, if the ability exists for users to elevate permissions to an administrative level after authenticating as a lower-privileged user. If no ability to escalate permissions exists, then only logins using administrative credentials need be secured with 2FA, unless such differentiation is not possible.
2FA Options
Service Type Operating Systems 2FA Option(s) Notes
Secure Shell Linux, Unix, Windows, OS X

Password protected public key, or

Toopher (via PAM), or


VPN group with firewall rules/router ACLs

OATH Toolkit: http://www.nongnu.org/oath-toolkit/
Remote Desktop Windows

Certificate-based auth, or

Toopher, or

VPN group with firewall rules/router ACLs

VNC Linux, Unix

SSH tunnel with password-protected public key, or

VPN group with firewall rules/router ACLs

Absolute Manage Server OS X, Windows VPN group with firewall rules/router ACLs Network configuration information can be found on ITS' Absolute Manage wiki pages: Ports used by Absolute Manage
Apple Remote Desktop OS X

SSH tunnel with password-protected public key, or

VPN group with firewall rules/router ACLs

Apple Remote Desktop is acceptable without the listed 2FA only if it is configured with the observation and control options disabled, and the “request permission to control screen” option enabled. This is a technical limitation inherent in the OS X environment and ISO's position is subject to change pending improvements in this area.
TeamViewer *

VPN group with firewall rules/router ACLs, or

OATH compliant app (e.g., Google Authenticator, Toopher, Duo Security)



2FA Options for Web Applications
This page lists the acceptable 2FA authentication options for web applications that handle employee banking, tax, or financial information. At present, only these applications require the use of 2FA for authentication. If you need to use a 2FA option not listed below, please contact us at security@utexas.edu.
2FA Authentication Options
Authentication Services Operating Systems 2FA Option(s) Notes
UTLogin * Duo available now for UTLogin WPA; generally available in June 2016 for UTLogin SAML
Active Directory *   not acceptable for use with applications handling employee banking, tax, or financial information
TED *   not acceptable for use with applications handling employee banking, tax, or financial information
Shibboleth * Duo
generally available July 2016
Frequently Asked Questions
  1. What is two factor (2FA) authentication?
    Two-factor authentication is a method of assuring a person is who he or she claims to be by requiring that person provide any two of the following when attempting to access resources or conduct transactions:  
    • something the person knows (e.g. a password)
    • something the person has (e.g. token, mobile phone, ATM card, etc.)
    • something unique to the person (e.g. biometrics like fingerprints, hand prints, etc.)
  2. Why is UT System requiring institutions adopt and implement 2FA authentication?
    The number and diversity of computer security incidents occurring within U. T. System and in organizations throughout the world illustrate that the combination of user-ID and password is no longer sufficient for protecting confidential information. Criminals have devised sophisticated schemes for stealing people’s logon credentials and using them to commit crimes. As a result, there have been instances in which University employee pay deposits were redirected to fraudulent accounts. Also, credentials have been used to illegally access protected health information residing on University servers. Two-factor authentication is a best practice recognized as being effective for helping prevent these types of incidents. 
  3. How do criminals obtain people's login credentials?
    They do so through a variety of methods. A common method is through “phishing” wherein a criminal sends bogus email or text messages in an attempt to trick recipients into revealing their logon credentials (logon-ID and password). Also, criminals continuously scan the Internet searching for technical weaknesses within organizations that can be exploited to steal data – including employee logon credentials. In some cases logon credentials may have been stolen from a business or organization having no relationship to the University. The criminal then attempts to use the stolen credentials at the victim’s workplace in hopes the employee has used the same password at work as in other places. Additionally, there are black market sites on the Internet where criminals who have stolen credentials offer them for sale to others.
  4. Am I a target? Why would criminals want my login IDs and passwords?
    All University employees are potential targets. Everyone has information about themselves that criminals can potentially use for identity theft. Also, University employees have access to and come into contact with confidential personal, student, or patient information (e.g., social security numbers, bank accounts, credit card numbers, etc.) and valuable information related to research and scientific discoveries. Criminals may also use employee credentials when performing other illegal activities because it makes it more difficult to detect unauthorized activities. 
  5. Under what circumstances with 2FA authentication be required?
    Two-factor authentication is to be required in the following remote access situations:
    • when an employee or individual working on behalf of the University logs on to a University network using an enterprise remote access gateway such as VPN, Terminal Server, Connect, Citrix, or similar services; 
    • when an individual working from a remote location (i.e. from off-campus) uses an online function such as a web page to display or modify  employee banking, tax, or financial information; and    
    • when a server administrator or other individual uses administrator credentials to remotely (i.e. from off-campus) access a University server that contains or has access to confidential data.
  6. How will this policy impact users?
    Users who access University resources only from on-site (i.e. campus) locations will not be impacted. Users who sometimes access resources from on-site locations and sometimes from off-site locations will be impacted only when doing so from off-site in the situations described in Q-6. Until two factor authentication capabilities are in place, employee access to their University banking and financial information will be restricted to on-site locations.   
  7. What costs are involved in implementing 2FA authentication?
    As a result of a contract that UT Austin secured, there is no licensing cost for use of Toopher. The cost for Duo licenses depends on the size of an institution and whether or not licenses are being purchased for faculty and staff only or for faculty, staff, and students. Duo costs are explained here: http://www.incommon.org/duo/fees.html. Also, under certain circumstances the institution may incur a small communications charge.
  8. What about employees who do not own mobile phones or who do not want to load an application on their mobile phone?
    If the employee is one who must utilize remote access to perform his/her duties and their unit or application has developed an implementation for a token, the employee can use a token hardware device. These devices are about the size of a USB memory stick. Whenever the user is required to provide a second factor credential, the device will display a one-time numeric code for the user to enter in addition to the user’s password. The numeric code proves that the user is in possession of the token device. Token devices vary in cost, and we do not have a specific brand to recommend. Currently the Toopher product does not support hardware tokens.
  9. What if a situation exists that requires 2FA authentication, but for technical or other reasons it is not currently possible to implement the requirement?
    A temporary exception may be requested by submitting a Security Exception Request Form. Exceptions must be justified and include the following elements:

    1. a statement defining the nature and scope of the exception;
    2. the rationale for the exception;
    3. an expiration date for the exception; and
    4. a description of any compensating security measures that are to be required.
  10. What is the deadline for implementation?
    August 31, 2015