Child pages
  • 2FA options for remote access

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleIf you don't read anything else, read this...

Policy mandates that 2FA is required whenever any person working from a remote location utilizes administrative credentials to access a device that is used to store or process confidential or Category I university data. This includes cases where an initial login is performed with non-administrative credentials and privileges are elevated after a session is established (e.g. via sudo or su).

This policy only covers users with administrative privileges. Users who do not have administrative credentials to a device are not required to use 2FA to authenticate to that device.

 

This page lists the acceptable 2FA options for remote access to university devices which store or process Category I data. Certain options may work better in specific environments than others - consult your local IT support staff for any implementation questions or issues. If you need to use a 2FA option not on this list, please contact us at security@utexas.edu.

Remote administrator access to workstations and non-server devices should utilize 2FA options, such as the UT VPN service.

Note: Users MUST utilize 2FA for devices they have administrative access to, even when authenticating using non-administrative credentials, if the ability exists for users to elevate permissions to an administrative level after authenticating as a lower-privileged user. If no ability to escalate permissions exists, then only logins using administrative credentials need be secured with 2FA, unless such differentiation is not possible.

 

...

Password protected public key, or

Toopher (via PAM), or

PAM OATH, or

VPN group with firewall rules/router ACLs

...

 

 

OATH Toolkit: http://www.nongnu.org/oath-toolkit/

...

Certificate-based auth, or

Toopher, or

VPN group with firewall rules/router ACLs

...

SSH tunnel with password-protected public key, or

VPN group with firewall rules/router ACLs

...

SSH tunnel with password-protected public key, or

VPN group with firewall rules/router ACLs

...

VPN group with firewall rules/router ACLs, or

...