Approved MFA Methods

For an explanation of why Multi-Factor Authentication (MFA) is being required and what services this new policy will apply to please reference the UT Austin Information Resources Use and Security Policy, Section 4.6. For questions, contact your local IT support or security@utexas.edu.

MFA Options for Gateway Access Services

Only UT VPN is accepted. Contact security@utexas.edu for alternatives.

MFA Enterprise Gateway Access Service
Service TypeOperating SystemsMFA Option(s)Notes
UT VPN*Duo 

MFA Options for Remote Access

If You Don't Read Anything Else, Read This
Policy mandates MFA for remote admin access to systems handling Confidential data. Non-admin users are not required to use MFA.

This section lists approved MFA options for such access. Consult IT staff if unsure.

MFA Options
Service TypeOperating SystemsMFA Option(s)Notes
Secure ShellLinux, Unix, Windows, OS XPassword protected public key, Duo (via PAM), PAM OATH, VPN group with firewall rulesOATH Toolkit
Remote DesktopWindowsCertificate-based auth, VPN group with firewall rules 
VNCLinux, UnixSSH tunnel w/ password-protected key, VPN group with firewall rules 
Absolute Manage ServerOS X, WindowsVPN group with firewall rulesPorts used by Absolute Manage
Apple Remote DesktopOS XSSH tunnel with key, VPN groupAR is okay without MFA if "request permission" is enabled
TeamViewer*VPN group or OATH-compliant app 

MFA for End User Devices

Departments may adopt stronger measures if warranted.

MethodPlatformNotes
Duo for OS LoginMulti-platformSee Duo Docs
Apple ID 2FAMac OS1, 2
Google 2FAAndroid3, 4
OTP tokenMulti-platform5, 6
SMSMulti-platform4, 7, 8

MFA Options for Web Applications

Required only for applications handling sensitive employee financial data.

Authentication ServicesOperating SystemsMFA Option(s)Notes
Enterprise Authentication*Duo 
UTLogin*Duo 
Active Directory* Not acceptable for sensitive apps
TED* Not acceptable for sensitive apps
Shibboleth*Duo 

Frequently Asked Questions

  1. What is MFA? It combines two of: something you know, something you have, something you are.
  2. Why is UT requiring it? To prevent credential-based attacks seen across higher ed and U.T. System.
  3. How are credentials stolen? Commonly via phishing or exploits. Stolen credentials are resold or reused.
  4. Am I a target? Yes — all employees are. MFA helps prevent identity theft and unauthorized access.
  5. When is MFA required? For remote access to sensitive data or financial systems.
  6. Who is impacted? Only off-campus users in specific contexts. On-campus-only users are not affected.
  7. Is there a cost? Duo and services are paid for by UT's central IT.
  8. What if I don't have a mobile phone? Use a landline or request a hardware token.
  9. What’s the strategy? See the MFA Strategy 2018.
  10. What if I can't use MFA? Submit a Security Exception Request with justifications.