  1. What is two-factor authentication (2FA)?
    Two-factor authentication is a method of assuring a person is who he or she claims to be by requiring that person provide any two of the following when attempting to access resources or conduct transactions: 
    • something the person knows (e.g. a password)
    • something the person has (e.g. token, mobile phone, ATM card, etc.)
    • something unique to the person (e.g. biometrics like fingerprints, hand prints, etc.)

  2. Why is UT System requiring institutions to adopt and implement 2FA authentication?
    The number and diversity of computer security incidents occurring within U. T. System and in organizations throughout the world illustrate that the combination of user-ID and password is no longer sufficient for protecting confidential information. Criminals have devised sophisticated schemes for stealing people’s logon credentials and using them to commit crimes. As a result, there have been instances in which University employee pay deposits were redirected to fraudulent accounts. Also, credentials have been used to illegally access protected health information residing on University servers. Two-factor authentication is a best practice recognized as being effective for helping prevent these types of incidents.

  3. How do criminals obtain people's login credentials?
    They do so through a variety of methods. A common method is through “phishing” wherein a criminal sends bogus email or text messages in an attempt to trick recipients into revealing their logon credentials (logon-ID and password). Also, criminals continuously scan the Internet searching for technical weaknesses within organizations that can be exploited to steal data – including employee logon credentials. In some cases logon credentials may have been stolen from a business or organization having no relationship to the University. The criminal then attempts to use the stolen credentials at the victim’s workplace in hopes the employee has used the same password at work as in other places. Additionally, there are black market sites on the Internet where criminals who have stolen credentials offer them for sale to others.

  4. Am I a target? Why would criminals want my login IDs and passwords?
    All University employees are potential targets. Everyone has information about themselves that criminals can potentially use for identity theft. Also, University employees have access to and come into contact with confidential personal, student, or patient information (e.g., social security numbers, bank accounts, credit card numbers, etc.) and valuable information related to research and scientific discoveries. Criminals may also use employee credentials when performing other illegal activities because it makes it more difficult to detect unauthorized activities.

  5. Under what circumstances will 2FA authentication be required?
    Two-factor authentication is to be required in the following remote access situations:
    • when an employee or individual working on behalf of the University logs on to a University network using an enterprise remote access gateway such as VPN, Terminal Server, Connect, Citrix, or similar services; 
    • when an individual working from a remote location (i.e. from off-campus) uses an online function such as a web page to display or modify employee banking, tax, or financial information; and
    • when a server administrator or other individual uses administrator credentials to remotely (i.e. from off-campus) access a University server that contains or has access to confidential data.

  6. How will this policy impact users?
    Users who access University resources only from on-site (i.e. campus) locations will not be impacted. Users who sometimes access resources from on-site locations and sometimes from off-site locations will be impacted only when doing so from off-site in the situations described in Q-6. Until two-factor authentication capabilities are in place, employee access to their University banking and financial information will be restricted to on-site locations.

  7. What costs are involved in implementing 2FA authentication?
    As a result of a contract that UT Austin secured, there is no licensing cost for use of Toopher. The cost for Duo licenses depends on the size of an institution and whether or not licenses are being purchased for faculty and staff only or for faculty, staff, and students. Duo costs are explained here: http://www.incommon.org/duo/fees.html. Also, under certain circumstances the institution may incur a small communications charge.

  8. What about employees who do not own mobile phones or who do not want to load an application on their mobile phone?
    If the employee is one who must utilize remote access to perform his/her duties and their unit or application has developed an implementation for a token, the employee can use a token hardware device. These devices are about the size of a USB memory stick. Whenever the user is required to provide a second factor credential, the device will display a one-time numeric code for the user to enter in addition to the user’s password. The numeric code proves that the user is in possession of the token device. Token devices vary in cost, and we do not have a specific brand to recommend. Currently the Toopher product does not support hardware tokens.

  9. What if a situation exists that requires 2FA authentication, but for technical or other reasons it is not currently possible to implement the requirement?
    A temporary exception may be requested by submitting a Security Exception Request Form. Exceptions must be justified and include the following elements:

    1. a statement defining the nature and scope of the exception;
    2. the rationale for the exception;
    3. an expiration date for the exception; and
    4. a description of any compensating security measures that are to be required.

  10. What is the deadline for implementation?
    August 31, 2015