If you don't read anything else, read this...
Policy mandates that 2FA is required whenever any person working from a remote location utilizes administrative credentials to access a server that is used to store or process confidential or Category I university data. This includes cases where an initial login is performed with non-administrative credentials and privileges are elevated after a session is established (e.g. via sudo or su).
This policy only covers users with administrative privileges. Users who do not have administrative credentials to a server are not required to use 2FA to authenticate to that server.
This page lists the acceptable 2FA options for remote access to university servers which store or process Category I data. Certain options may work better in specific environments than others - consult your local IT support staff for any implementation questions or issues. If you need to use a 2FA option not on this list, please contact us at security@utexas.edu.
Remote access to workstations and non-server devices should be handled through the UT VPN service.
Note: Users MUST utilize 2FA for servers they have administrative access to, even when authenticating to the server using non-administrative credentials, if the ability exists for users to elevate permissions to an administrative level after authenticating as a lower-privileged user. If no ability to escalate permissions exists, then only logins using administrative credentials need be secured with 2FA, unless such differentiation is not possible.
| Service type | Operating Systems | 2FA option(s) | Notes |
|---|---|---|---|
| Secure Shell | Linux, Unix, Windows, OS X | Password protected public key, or Toopher (via PAM), or PAM OATH, or VPN group with IPTables rules |
|
| Remote Desktop | Windows | Certificate-based auth, or Toopher, or VPN group with firewall rules | |
| VNC | Linux, Unix | SSH tunnel with password-protected public key, or VPN group with firewall rules | |
| Apple Remote Desktop | OS X | SSH tunnel with password-protected public key, or VPN group with firewall rules | |
| TeamViewer | * | VPN group with firewall rules, or OATH compliant app (e.g., Google Authenticator, Toopher, Duo Security) |
