Multi-Factor Authentication Policy

  1. Overview
    There are many ways an individual could gain unauthorized access to the campus network and information system. The Office of the CISO has enacted a common method of protection against unauthorized access by using multi-factor authentication (MFA). MFA is a security process whereby users must provide at least two different authentication factors to verify their identities and access their accounts. This process ensures better protection of a user’s personal information, credentials, and other assets, while also improving the security around the resources the user can access. MFA should be universal for all privileged or administrator accounts.

  2. Purpose
    The purpose of this policy is to provide guidelines for MFA connections to the University of Arkansas network and information systems on and off campus. These standards are designed to minimize the potential security exposure to the University of Arkansas from damages which may result from unauthorized use of university resources. MFA adds a layer of security which helps deter the use of compromised credentials.

  3. Scope
    The policy applies to all members of the University of Arkansas community, including affiliates, students, faculty, staff, retired employees, and volunteers that use their UARK account to connect to the University’s network or technology resources. This policy applies to any system accessing University data where MFA can be utilized.

  4. Definitions
    1. Multi-factor authentication: Using two or more factors to validate the identity of a user.
    2. Factor (of authentication): There are five types of factors, used in combination to achieve multi-factor authentication. They are:
      1. Something the user knows (username and password)
      2. Something the user has (an item the user physically carries with them)
      3. Something the user is (biometrics: fingerprints, face scan, etc.)
      4. Somewhere the user is (geo location, on premises)
      5. Something the user does (keystroke patterns)

  5. Policy
    1. All individuals are required to engage in one additional step beyond the normal login process to access campus resources and the campus network. Individuals are required to register a second approved device.
    2. MFA is required on all new accounts created. Previously set up accounts will be grandfathered until MFA has been enacted.
    3. MFA is required for all externally-exposed enterprise or third-party applications, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this safeguard.
    4. MFA is required for remote network access.
    5. MFA is required for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
    6. Responsibilities
      1. It is the user’s responsibility to promptly report compromised credentials to the Information Security team.
      2. It is the user’s responsibility to promptly report a lost or stolen MFA device to the Information Security team.
    7. Exemptions
      There may be situations in which a member of the university community has a legitimate need to utilize university technology resources outside the scope of this policy. The Information Security team may approve, in advance, exception requests based on balancing the benefit versus the risk to the university.

  6. Enforcement
    1. This policy regulates the use of all MFA access to the University of Arkansas’s network, and users must comply with the Code of Computing Practices.
    2. Services will be disabled immediately if any suspicious activity is observed. Service will remain disabled until the issue has been identified and resolved.
    3. Any University of Arkansas employee found to have intentionally violated the Code of Computing Practices will be subject to loss of privileges.
    4. By choosing to use the University of Arkansas’s service, the user agrees to all terms and conditions listed above.

  7. Policy Version
    August 2021, revised for publication September 2021