Objective: The goal of this strategy is to rationally and consistently apply multi-factor authentication to university services, systems, and applications to ensure the confidentiality of university data and the protection of related services.
- What is Multi-factor Authentication (MFA)?
- Why is MFA important?
- What higher-level policy or law requires MFA?
- When will MFA be required at UT Austin?
- How can I ensure I am ready for MFA?
- What are the approved MFA methods?
- What is the proposed policy statement?
- When will this strategy take effect?
- How can I have my service or application covered by MFA?
- Where can I get more information about these proposed changes?
When a system attempts to determine that you are who you claim to be, that is referred to as authentication. There are three methods, or factors, by which you can be authenticated. One factor is something you know, such as a password. Another factor is something you have, such as your mobile phone. A third factor is something you are, such as your fingerprint. The university has already had multi-factor authentication (MFA) in place for a number of security-sensitive services since 2014 – for example, when employees claim their W2 online – using their UT EID password (something they know) and a device such as a smartphone or tablet (something they have). The university's Executive Compliance Committee has approved of a more extensive use of MFA to increase security and protect university data.
When more factors of authentication are used to access security-sensitive university services, the authentication process is more reliable and the level of assurance of your identity is greater, leading to better security.
With MFA, the risks from a compromise of an individual authentication factor are also less severe since all factors have to be presented together for a successful authentication. For example, in most public and private industries the most common way of acquiring passwords and then compromising accounts is through targeted phishing attacks. With MFA if someone reveals their password in a phishing attack, the attacker will not be able to login to any UT services that require MFA since they only have one factor. Your information will be safer. UT information will be safer. Many universities and colleges across the world have already aggressively implemented MFA to enhance their security practices.
- No federal or state law currently requires the use of MFA for security-sensitive university services.
- UT System has implemented MFA requirements for very specific use cases, namely (see reference):
- when an employee or other individual providing services on behalf of the University (such as a student employee, contractor, or volunteer) logs on to a University network using an enterprise Remote Access gateway such as VPN, Terminal Server, Connect, Citrix, or similar services;
- when an individual described in (a) who is working from a Remote Location uses an online function such as a web page to access or modify employee banking, tax, or financial information;
- when a Server administrator or other individual working from a Remote Location uses administrator credentials to access a Server that contains or has access to Confidential University Data.
- when an individual described in (a) who is working from a Remote Location accesses a web-based interface to University email. At the discretion of the institution’s CISO, student employees may be exempted from this requirement
MFA is already required or in place for various functions and applications (e.g., accessing W-2 forms, changing bank routing information or using the VPN service).
This strategy will be applied at the end of the Spring 2019 semester and will extend MFA such that it will be required for all UT logins that use the UT EID (e.g., via UTLogin, Shibboleth, Active Directory) for active university faculty, students and staff. Exceptions may apply for situations where current technology or infrastructure does not allow for compliance (e.g., network authentication, desktop logins).
MFA services will be configured to allow an end-user to “remember” devices that are trusted. Such features allow the user to bypass subsequent verifications for a specified number of days, after they've successfully signed-in to a device by using MFA. The capability enhances usability by minimizing the number of times a user has to perform multi-step verification on the same device.
In general, end-users would not need to re-authenticate a trusted device for 30-days if that device has been used to successfully complete an authentication session using multiple factors. The MFA infrastructure will also attempt to maintain the state of an end-user’s active MFA session to prevent them from having to go through duplicative MFA approvals for different services in a short period of time. In some cases, that is where the risk is considered very high or where technology doesn’t allow (e.g., VPN, Stache), the end-user will be required to authenticate with multiple factors each time they interact with the specific service or application. Users may be required to authenticate with multiple factors more often based upon login activity for their account. For example, if a new login is occurring from a different IP address (e.g. using geolocation) or from a new web browser, they may be prompted to provide an additional factor for extra security.
Please see the following knowledge base article: How do I set up two factor authentication?
You can quickly verify your Duo pairing via: Duo Registration Page
For additional details, please see: Two Factor Authentication
For direct assistance with Duo, call the UT Service Desk at 512-475-9400.
Please review the ISO's MFA Readiness document -- it is important to have a backup plan.
Please review the ISO's Vishing document -- to ensure you can recognize tactics that might be used by scammers to gain access to your accounts using MFA
While there are several MFA options available, Duo is currently the primary enterprise-wide MFA option for UT Austin. The UT Austin ISO provides a list of other approved MFA methods at the following page: https://security.utexas.edu/iso-policies/approved-mfa-methods
The following policy item will replace current items 4.6.1 through 4.6.4 of Section 4.6 in the UT Austin Information Resources Use and Security Policy, Two-factor Authentication Requirements:
4.6.1 Multi-factor authentication (MFA) will be required for all authentication requests that use the UT EID (via UTLogin, Shibboleth, Active Directory, LDAP, etc).
220.127.116.11 Trusted devices will be permitted for logins for up to 30-days as technology allows.
18.104.22.168 End-users may leverage multiple modes for multi-factor authentication (e.g., smartphone, land line, hardware token) as technology permits.
22.214.171.124 Some services may require multi-factor authentication each time the end-user interacts with the service, regardless of a trusted device preference, based on the service owners local requirements or in the event the service’s technology does not support trusted devices.
126.96.36.199 Centrally managed identity and access management infrastructure (e.g., UT EID) is required for all authentication functions as technology permits. The Information Security Office can coordinate with campus units if technology exceptions are required.
188.8.131.52.1 Use cases where confidential university data can be exposed to Guest-class accounts, where MFA is not possible, are not authorized unless an exception request has been reviewed and approved by the Information Security Office.
This campus-wide strategy will be full implemented at the end of the Spring 2019 semester.
Prior to the general implementation of this strategy, some other major campus applications and services will be adding MFA protection to their respective authentication stream in 2018 (e.g., Timesheets by September 20, Webmail access to Office365/OWA and UTmail by early October, Workday in early November).
Application and service managers can opt to add MFA to their offering earlier if they like.
You can take steps now to extend MFA to your application or service -- you don't have to wait for the general campus-wide implementation. If you are already using UT EID for authentication then please send a request for MFA coverage to the ITS Identity and Access Management team at firstname.lastname@example.org. If you don't yet use UT EID for authentication please refer to the following EID integration resource: https://iamservices.utexas.edu/integration/
Please contact the UT Austin Information Security Office (email@example.com) and we will be happy to help address your questions or concerns.
Approved by the University Executive Compliance Committee: July 06, 2018
Last Updated: September 21, 2018