For an explanation of why Multi-Factor Authentication (MFA) is being required, and which services this new policy applies to, please refer to the UT Austin Information Resources Use and Security Policy, Section 4.6. If you have any questions about whether you need to implement MFA, or about which MFA methods are best for you to use, please contact your local IT support staff or our office at security@utexas.edu.
 
 
MFA Options for Gateway Access Services
At this time, the only acceptable MFA enterprise gateway access service is the UT VPN. If you have a need to define another enterprise access gateway service, please contact us at security@utexas.edu.
 
MFA Enterprise Gateway Access Service
Service Type    Operating Systems    MFA Option(s)    Notes
UT VPN          *                    Duo
 
MFA Options for Remote Access
If You Don't Read Anything Else, Read This
Policy mandates that MFA is required whenever any person working from a remote location utilizes administrative credentials to access a device that is used to store or process Confidential (or Category I) university data. This includes cases where an initial login is performed with non-administrative credentials and privileges are elevated after a session is established (e.g. via sudo or su).
This policy only covers users with administrative privileges. Users who do not have administrative credentials to a device are not required to use MFA to authenticate to that device.
 
This page lists the acceptable MFA options for remote access to university devices which store or process Confidential (or Category I) data. Certain options may work better in specific environments than others; consult your local IT support staff for any implementation questions or issues. If you need to use an MFA option not on this list, please contact us at security@utexas.edu.
 
Remote administrator access to workstations and non-server devices should utilize MFA options, such as the UT VPN service.
 
Note: Users MUST utilize MFA for devices they have administrative access to, even when authenticating using non-administrative credentials, if the ability exists for users to elevate permissions to an administrative level after authenticating as a lower-privileged user. If no ability to escalate permissions exists, then only logins using administrative credentials need be secured with MFA, unless such differentiation is not possible.
 
MFA Options

Service Type: Secure Shell
Operating Systems: Linux, Unix, Windows, OS X
MFA Option(s):
  • Password protected public key, or
  • Duo (via PAM), or
  • PAM OATH, or
  • VPN group with firewall rules/router ACLs
Notes: OATH Toolkit: http://www.nongnu.org/oath-toolkit/

Service Type: Remote Desktop
Operating Systems: Windows
MFA Option(s):
  • Certificate-based auth, or
  • VPN group with firewall rules/router ACLs

Service Type: VNC
Operating Systems: Linux, Unix
MFA Option(s):
  • SSH tunnel with password-protected public key, or
  • VPN group with firewall rules/router ACLs

Service Type: Absolute Manage Server
Operating Systems: OS X, Windows
MFA Option(s):
  • VPN group with firewall rules/router ACLs
Notes: Network configuration information can be found on ITS' Absolute Manage wiki pages: Ports used by Absolute Manage

Service Type: Apple Remote Desktop
Operating Systems: OS X
MFA Option(s):
  • SSH tunnel with password-protected public key, or
  • VPN group with firewall rules/router ACLs
Notes: Apple Remote Desktop is acceptable without the listed MFA only if it is configured with the observation and control options disabled, and the “request permission to control screen” option enabled. This is a technical limitation inherent in the OS X environment and ISO's position is subject to change pending improvements in this area.

Service Type: TeamViewer
Operating Systems: *
MFA Option(s):
  • VPN group with firewall rules/router ACLs, or
  • OATH compliant app (e.g., Google Authenticator, Duo)
 
 

 

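The Secure Shell row above names PAM OATH (via the linked OATH Toolkit) as one acceptable option. As an added illustration, not part of the ISO page, the following sshd and PAM excerpts show how that option is typically wired so that a login requires both the administrator's SSH key and an OATH one-time code; the file paths, the account name and the hex secret are assumed placeholders.

```conf
# /etc/ssh/sshd_config (excerpt; assumed standard path)
# Require BOTH a public key and a PAM challenge-response step. A key alone,
# or a password alone, is refused, so the key plus the OTP form two factors.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam

# /etc/pam.d/sshd (excerpt; assumed standard path)
# pam_oath.so is the module shipped with the OATH Toolkit linked in the table.
# Place it at the top of the auth stack. If the distribution's password include
# (e.g. "@include common-auth") is left in, the user is prompted for the OTP
# and then the Unix password; comment that include out for an OTP-only prompt.
auth required pam_oath.so usersfile=/etc/users.oath window=20 digits=6

# /etc/users.oath (root-owned, mode 0600; assumed path)
# One line per account: scheme/time-step/digits, user, PIN ("-" = none), hex secret.
# HOTP/T30/6 selects time-based codes with a 30 s step and 6 digits, which is
# what common authenticator apps generate. The secret below is a constructed
# placeholder; generate a real one per user, e.g.: head -c 20 /dev/urandom | xxd -p
HOTP/T30/6  admin  -  3132333435363738393031323334353637383930
```

After restarting sshd, confirm the new login flow from a second session before closing the existing one, since a misordered PAM stack locks out remote administration.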
MFA for End User Devices

If your department uses devices that warrant security measures beyond those laid out by policy, please consider the following options.

Option: Duo Two-Factor Authentication for OS Login
Platform: Multi-platform
Notes: Available for Windows, Mac OS, Unix, and Linux. More use cases on the Duo documentation page.

Option: Apple ID Two-Factor Authentication
Platform: Mac OS
Notes: Published attacks: [1], [2]

Option: Google Two-Factor Authentication
Platform: Android
Notes: Published attacks: [3], [4]

Option: OTP software or hardware token
Platform: Multi-platform
Notes: Published attacks: [5], [6]

Option: SMS text message
Platform: Multi-platform
Notes: Published attacks: [4], [7], [8]

 

References

  1. "Bypassing Apple's Two-Factor Authentication". Retrieved 2 October 2017.
  2. "Bypassing Common Two-Factor Solutions". Retrieved 3 October 2017.
  3. "Bypassing Google's Two-Factor Authentication" (2013). Duo. Retrieved 5 October 2017.
  4. "Need to bypass Google's two-factor authentication? Send a text message" (2017). CSO. Retrieved 5 October 2017.
  5. Koh, Maxwell. "2FAssassin: Bypass 2FA, Stealing Private Keys, And More". Talk filmed 22 September 2017 at HITB GSEC Singapore, video. https://www.youtube.com/watch?v=JvQYTiu3ink
  6. "2FAssassin: Bypass 2FA, Stealing Private Keys, And More" (2017 slides). Retrieved 30 October 2017.
  7. Mulliner, Collin; Borgaonkar, Ravishankar; Stewin, Patrick; Seifert, Jean-Pierre. "SMS-based One-Time Passwords: Attacks and Defense". Forschungsberichte der Fakultät IV Elektrotechnik und Informatik (2014). https://www.eecs.tu-berlin.de/fileadmin/f4/TechReports/2014/tr_2014-02.pdf. ISBN 978-1-4503-4139-4/16/10.
  8. "Upgrade 2FA by Downgrading SMS" (2017). Twilio. Retrieved 5 October 2017.

MFA Options for Web Applications
This page lists the acceptable MFA authentication options for web applications that handle employee banking, tax, or financial information. At present, only these applications require the use of MFA for authentication. If you need to use an MFA option not listed below, please contact us at security@utexas.edu.
 
MFA Authentication Options
Authentication Service     Operating Systems    MFA Option(s)    Notes
Enterprise Authentication  *                    Duo
UTLogin                    *                    Duo
Active Directory           *                    none             not acceptable for use with applications handling employee banking, tax, or financial information
TED                        *                    none             not acceptable for use with applications handling employee banking, tax, or financial information
Shibboleth                 *                    Duo
 
Frequently Asked Questions
  1. What is two factor (MFA) authentication?
    Multi-factor authentication is a method of assuring a person is who he or she claims to be by requiring that person provide any two of the following when attempting to access resources or conduct transactions:  
    • something the person knows (e.g. a password)
    • something the person has (e.g. token, mobile phone, ATM card, etc.)
    • something unique to the person (e.g. biometrics like fingerprints, hand prints, etc.)
       
  2. Why is UT System requiring institutions adopt and implement MFA?
    The number and diversity of computer security incidents occurring within U. T. System and in organizations throughout the world illustrate that the combination of user-ID and password is no longer sufficient for protecting confidential information. Criminals have devised sophisticated schemes for stealing people’s logon credentials and using them to commit crimes. As a result, there have been instances in which University employee pay deposits were redirected to fraudulent accounts. Also, credentials have been used to illegally access protected health information residing on University servers. Multi-factor authentication is a best practice recognized as being effective for helping prevent these types of incidents. 
     
  3. How do criminals obtain people's login credentials?
    They do so through a variety of methods. A common method is through “phishing” wherein a criminal sends bogus email or text messages in an attempt to trick recipients into revealing their logon credentials (logon-ID and password). Also, criminals continuously scan the Internet searching for technical weaknesses within organizations that can be exploited to steal data – including employee logon credentials. In some cases logon credentials may have been stolen from a business or organization having no relationship to the University. The criminal then attempts to use the stolen credentials at the victim’s workplace in hopes the employee has used the same password at work as in other places. Additionally, there are black market sites on the Internet where criminals who have stolen credentials offer them for sale to others.
     
  4. Am I a target? Why would criminals want my login IDs and passwords?
    All University employees are potential targets. Everyone has information about themselves that criminals can potentially use for identity theft. Also, University employees have access to and come into contact with confidential personal, student, or patient information (e.g., social security numbers, bank accounts, credit card numbers, etc.) and valuable information related to research and scientific discoveries. Criminals may also use employee credentials when performing other illegal activities because it makes it more difficult to detect unauthorized activities. 
     
  5. Under what circumstances will MFA be required?
    Multi-factor authentication is to be required in the following remote access situations:
    • when an employee or individual working on behalf of the University logs on to a University network using an enterprise remote access gateway such as VPN, Terminal Server, Connect, Citrix, or similar services; 
    • when an individual working from a remote location (i.e. from off-campus) uses an online function such as a web page to display or modify  employee banking, tax, or financial information; and    
    • when a server administrator or other individual uses administrator credentials to remotely (i.e. from off-campus) access a University server that contains or has access to confidential data.
       
  6. How will this policy impact users?
    Users who access University resources only from on-site (i.e. campus) locations will not be impacted. Users who sometimes access resources from on-site locations and sometimes from off-site locations will be impacted only when doing so from off-site in the situations described in Q-6. Until MFA capabilities are in place, employee access to their University banking and financial information will be restricted to on-site locations.   
     
  7. What costs are involved in implementing MFA?
    The costs associated with Duo licensing, management, and associated services for active faculty, staff and students are paid for by the university's central IT division.
     
  8. What about employees who do not own mobile phones or who do not want to load an application on their mobile phone?
    If the employee is one who must utilize remote access to perform his/her duties, the employee can use a hardware token or their land line phone service. Please contact the UT Service Desk (512-475-9400) for more information.
     
  9. What is the long term campus strategy for multi-factor authentication (MFA)?
    Here is the strategy that has been generally reviewed and approved by the Internal Audit Committee and the Executive Compliance Committee.
     
  10. What if a situation exists that requires MFA, but for technical or other reasons it is not currently possible to implement the requirement?
    A temporary exception may be requested by submitting a Security Exception Request Form. Exceptions must be justified and include the following elements:

    1. a statement defining the nature and scope of the exception;
    2. the rationale for the exception;
    3. an expiration date for the exception; and
    4. a description of any compensating security measures that are to be required.