Approved MFA Methods
For an explanation of why Multi-Factor Authentication (MFA) is being required and what services this new policy will apply to please reference the UT Austin Information Resources Use and Security Policy, Section 4.6. For questions, contact your local IT support or security@utexas.edu.
MFA Options for Gateway Access Services
Only UT VPN is accepted. Contact security@utexas.edu for alternatives.
| Service Type | Operating Systems | MFA Option(s) | Notes |
|---|---|---|---|
| UT VPN | * | Duo |
MFA Options for Remote Access
| Policy mandates MFA for remote admin access to systems handling Confidential data. Non-admin users are not required to use MFA. |
This section lists approved MFA options for such access. Consult IT staff if unsure.
| Service Type | Operating Systems | MFA Option(s) | Notes |
|---|---|---|---|
| Secure Shell | Linux, Unix, Windows, OS X | Password protected public key, Duo (via PAM), PAM OATH, VPN group with firewall rules | OATH Toolkit |
| Remote Desktop | Windows | Certificate-based auth, VPN group with firewall rules | |
| VNC | Linux, Unix | SSH tunnel w/ password-protected key, VPN group with firewall rules | |
| Absolute Manage Server | OS X, Windows | VPN group with firewall rules | Ports used by Absolute Manage |
| Apple Remote Desktop | OS X | SSH tunnel with key, VPN group | AR is okay without MFA if "request permission" is enabled |
| TeamViewer | * | VPN group or OATH-compliant app |
MFA for End User Devices
Departments may adopt stronger measures if warranted.
| Method | Platform | Notes |
|---|---|---|
| Duo for OS Login | Multi-platform | See Duo Docs |
| Apple ID 2FA | Mac OS | 1, 2 |
| Google 2FA | Android | 3, 4 |
| OTP token | Multi-platform | 5, 6 |
| SMS | Multi-platform | 4, 7, 8 |
MFA Options for Web Applications
Required only for applications handling sensitive employee financial data.
| Authentication Services | Operating Systems | MFA Option(s) | Notes |
|---|---|---|---|
| Enterprise Authentication | * | Duo | |
| UTLogin | * | Duo | |
| Active Directory | * | Not acceptable for sensitive apps | |
| TED | * | Not acceptable for sensitive apps | |
| Shibboleth | * | Duo |
Frequently Asked Questions
- What is MFA? It combines two of: something you know, something you have, something you are.
- Why is UT requiring it? To prevent credential-based attacks seen across higher ed and U.T. System.
- How are credentials stolen? Commonly via phishing or exploits. Stolen credentials are resold or reused.
- Am I a target? Yes — all employees are. MFA helps prevent identity theft and unauthorized access.
- When is MFA required? For remote access to sensitive data or financial systems.
- Who is impacted? Only off-campus users in specific contexts. On-campus-only users are not affected.
- Is there a cost? Duo and services are paid for by UT's central IT.
- What if I don't have a mobile phone? Use a landline or request a hardware token.
- What’s the strategy? See the MFA Strategy 2018.
- What if I can't use MFA? Submit a Security Exception Request with justifications.