
If you don't read anything else, read this...

Policy mandates that 2FA is required whenever anyone working from a remote location uses administrative credentials to access a device that stores or processes confidential or Category I university data. This includes cases where the initial login is performed with non-administrative credentials and privileges are elevated after the session is established (e.g. via sudo or su).

This policy only covers users with administrative privileges. Users who do not have administrative credentials to a device are not required to use 2FA to authenticate to that device.

 

This page lists the acceptable 2FA options for remote access to university devices which store or process Category I data. Certain options may work better in specific environments than others - consult your local IT support staff for any implementation questions or issues. If you need to use a 2FA option not on this list, please contact us at security@utexas.edu.

Remote administrator access to workstations and other non-server devices should also use one of the listed 2FA options, such as the UT VPN service.

Note: Users MUST use 2FA for any device on which they hold administrative access, even when they authenticate with non-administrative credentials, if it is possible to elevate to administrative privileges after logging in as a lower-privileged user. If no way to escalate privileges exists, only logins that use administrative credentials need 2FA. If administrative and non-administrative logins cannot be told apart on the device, all logins need 2FA.

 

Acceptable options by service type (operating systems, 2FA option(s), notes):

Secure Shell (Linux, Unix, Windows, OS X)
  2FA option(s): password-protected public key, or Toopher (via PAM), or PAM OATH, or VPN group with firewall rules/router ACLs.
  Notes: OATH Toolkit: http://www.nongnu.org/oath-toolkit/

Remote Desktop (Windows)
  2FA option(s): certificate-based auth, or Toopher, or VPN group with firewall rules/router ACLs.

VNC (Linux, Unix)
  2FA option(s): SSH tunnel with password-protected public key, or VPN group with firewall rules/router ACLs.

Absolute Manage Server (OS X, Windows)
  2FA option(s): VPN group with firewall rules/router ACLs.
  Notes: Network configuration information can be found on ITS' Absolute Manage wiki pages: Ports used by Absolute Manage.

Apple Remote Desktop (OS X)
  2FA option(s): SSH tunnel with password-protected public key, or VPN group with firewall rules/router ACLs.
  Notes: Apple Remote Desktop is acceptable without the listed 2FA only if it is configured with the observation and control options disabled and the "request permission to control screen" option enabled. This is a technical limitation inherent in the OS X environment, and ISO's position is subject to change pending improvements in this area.

TeamViewer*
  2FA option(s): VPN group with firewall rules/router ACLs, or OATH compliant app (e.g., Google Authenticator, Toopher, Duo Security).
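Two of the options above, PAM OATH for Secure Shell and an "OATH compliant app" for TeamViewer, rely on the same mechanism: the OATH HOTP (RFC 4226) and TOTP (RFC 6238) one-time-password algorithms. The following is an added example, not code from this page or from the OATH Toolkit, showing what a verifier such as pam_oath computes and the two checks a practitioner should expect it to make: a look-ahead window for counter-based codes so that skipped codes do not lock the user out but a previously used code is rejected, and a small clock-skew window for time-based codes. The shared secret is the RFC 4226 test secret (the ASCII string 12345678901234567890); the `verify_hotp` and `verify_totp` helpers and their window sizes are this example's own choices.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and verification.

Added example; not part of the OATH Toolkit or of this page. The secret is
the RFC 4226 Appendix D test secret, so the codes below can be checked
against the RFC's published vectors.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 App. D shared secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP for one counter value: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    moving_factor = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    offset = mac[19] & 0x0F  # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                window: int = 10, digits: int = 6):
    """Event-based check with a look-ahead window (this example's own helper).

    Returns the counter to persist next (one past the matched counter), so a
    replayed or stale code is rejected on the next attempt, or None if no
    counter in the window produces the candidate. The window absorbs codes
    the user generated on the token but never submitted.
    """
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def verify_totp(secret: bytes, candidate: str, now: int = None,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Time-based check tolerating +/- `skew` steps of clock drift.

    Returns the matched time step so a caller can refuse a second use of the
    same step (pam_oath records the last accepted step for this reason), or
    None if the code is outside the accepted window.
    """
    now = int(time.time()) if now is None else now
    base = now // step
    for offset in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, base + offset, digits), candidate):
            return base + offset
    return None


if __name__ == "__main__":
    # Reproduce the first RFC 4226 vectors and one RFC 6238 SHA-1 vector.
    for counter in range(3):
        print("HOTP counter", counter, "->", hotp(RFC_TEST_SECRET, counter))
    print("TOTP at t=59 (8 digits) ->", totp(RFC_TEST_SECRET, 59, digits=8))
```

In the SSH row above this is what "PAM OATH" refers to: the OATH Toolkit ships a `pam_oath` module that performs these checks against per-user secrets in its users file, and OpenSSH's `AuthenticationMethods publickey,keyboard-interactive` (with `UsePAM yes`) is the usual way to require both the key and the one-time code rather than either one alone. A phone app in the TeamViewer row generates the same TOTP values from the same kind of secret.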
