Overview
There are many ways an individual could gain unauthorized access to the campus network
and information system. The Office of the CISO has enacted a common method of protection
against unauthorized access by using multi-factor authentication (MFA). MFA is a security
process whereby users must provide at least two different authentication factors to
verify their identities and access their accounts. This process ensures better protection
of a user’s personal information, credentials, and other assets, while also improving
the security around the resources the user can access. MFA should be universal for
all privileged or administrator accounts.
Purpose
The purpose of this policy is to provide guidelines for MFA connections to the University
of Arkansas network and information systems on and off campus. These standards are
designed to minimize the potential security exposure to the University of Arkansas from
damages which may result from unauthorized use of university resources. MFA adds a
layer of security which helps deter the use of compromised credentials.
Scope
The policy applies to all members of the University of Arkansas community, including
affiliates, students, faculty, staff, retired employees, and volunteers who use their
UARK account to connect to the University’s network or technology resources. This
policy applies to any system accessing University data where MFA can be utilized.
Definitions
Multi-factor authentication: Using two or more factors to validate the identity of a user.
Factor (of authentication): There are five types of factors that are used in combination, resulting in multi-factor
authentication. They are:
Something the user knows (username and password)
Something the user has (an item the user physically carries with them)
Something the user is (biometrics: fingerprints, face scan, etc.)
Somewhere the user is (geo location, on premises)
Something the user does (keystroke patterns)
Policy
All individuals are required to engage in one additional step beyond the normal login
process to access campus resources and the campus network. Individuals are required
to register a second approved device.
MFA is required on all new accounts created. Previously set up accounts will be grandfathered
until MFA has been enacted.
MFA is required for all externally-exposed enterprise or third-party applications,
where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory
implementation of this safeguard.
MFA is required for remote network access.
MFA is required for all administrative access accounts, where supported, on all enterprise
assets, whether managed on-site or through a third-party provider.
Responsibilities
It is the user’s responsibility to promptly report compromised credentials to the
Information Security team.
It is the user’s responsibility to promptly report a lost or stolen MFA device to
the Information Security team.
Exemptions
There may be situations in which a member of the university community has a legitimate
need to utilize university technology resources outside the scope of this policy.
The Information Security team may approve, in advance, exception requests based on
balancing the benefit versus the risk to the university.
Enforcement
This policy regulates the use of all MFA access to the University of Arkansas’s network,
and users must comply with the Code of Computing Practices.
Services will be disabled immediately if any suspicious activity is observed. Service
will remain disabled until the issue has been identified and resolved.
Any University of Arkansas employee found to have intentionally violated the Code
of Computing Practices will be subject to loss of privileges.
By choosing to use the University of Arkansas’s service, the user agrees to all terms
and conditions listed above.
Policy Version August 2021, revised for publication September 2021