Multi-Factor Authentication Policy

I. Overview
Unauthorized access to University of Arkansas information systems poses ongoing risk to university data, operations, and individuals. To reduce these risks, the University requires the use of Multi-Factor Authentication (MFA), including phishing-resistant authentication methods such as passkeys, to strengthen identity verification and reduce reliance on passwords alone. MFA requires users to present two or more distinct authentication factors before gaining access to university systems. Passkeys provide a modern authentication mechanism that is device-bound, service-specific, and user-verified, making them highly resistant to phishing, replay, and credential theft attacks. This policy operates in conjunction with the University of Arkansas Code of Computing Practices. Requirements for multi-factor authentication and passkey-based authentication are established to support and enforce existing responsibilities related to account security, authorized access, and protection of university information systems.

II. Purpose 
The purpose of this policy is to establish requirements for the use of multi-factor authentication, including passkeys, when accessing University of Arkansas networks and information systems both on and off campus. These requirements are designed to minimize security risks associated with compromised credentials, unauthorized access, and identity-based attacks. 

III. Scope 
This policy applies to all members of the University of Arkansas community, including students, faculty, staff, affiliates, retired employees, and volunteers who use a university account to access university networks or technology resources. This policy applies to any university system or application that accesses, processes, or stores university data. Where MFA or passkey-based authentication is not technically supported, the system must implement the strongest available authentication method and must be documented and approved through the university’s risk or exception management process. 

IV. Definitions
Multi-Factor Authentication (MFA): An authentication method that requires two or more different authentication factors to verify a user’s identity. 
Authentication Factor: A category of credentials used to verify identity, including: 
• Something the user knows (e.g., username and password) 
• Something the user has (e.g., a physical device) 
• Something the user is (e.g., biometric characteristics) 
• Somewhere the user is (e.g., geographic location) 
• Something the user does (e.g., behavioral patterns) 
Passkey: A phishing-resistant authentication credential based on public-key cryptography that is bound to an individual user and their authenticated device. Passkeys are non-transferable, user-verified credentials and are considered an approved method of satisfying authentication and account security requirements under university policy.
Privileged or Administrative Account: An account with elevated permissions that allow configuration changes, system administration, or access to sensitive university systems or data. 

V. Policy

General MFA Requirement
All individuals must use multi-factor authentication when accessing university systems and network resources. Passkeys provide a phishing-resistant authentication method that satisfies multi-factor authentication requirements. Where MFA or passkey-based authentication is not technically supported, the system must implement the strongest available authentication method and must be documented and approved through the university’s risk or exception management process. When passkeys are stored across multiple devices or synchronized through approved platforms, users remain responsible for ensuring that only authorized devices under their control have access to those credentials.

Use of passkeys must comply with all university requirements for account security and accountability. Passkeys must remain under the exclusive control of the authorized user and must not be shared, transferred, or used to grant access to another individual. MFA, including passkeys, is part of enforcing the account security responsibilities already required in the Code of Computing Practices.

Employees
Passkey-based authentication is the required MFA method for employees, where supported. Employees must register and maintain: 
• At least one passkey-enabled device, and 
• At least one additional approved backup MFA method to support account recovery and continuity of access.

Students
Students are required to register and maintain at least one approved MFA method. Systems that support passkeys may require passkey registration. Systems that do not support passkeys must use the strongest supported MFA method available.

Passkey Usage
• Passkeys are the preferred and phishing-resistant MFA method for university systems where technically supported. 
• Passkeys satisfy MFA requirements.
• Passkeys are an approved authentication method under university credential controls.
• Passkeys must be used through an approved centralized identity or single sign-on service. 
• Legacy systems or applications that cannot support passkeys must use the strongest supported MFA method and may require a documented exception. 
• Passkeys are non-sharable credentials.
• Passkeys meet the same or stronger accountability requirements as passwords.

Externally Accessible Applications 
MFA, including passkey-based authentication where supported, is required for all externally accessible enterprise or third-party applications. Enforcement through a centralized identity provider or single sign-on service satisfies this requirement.

Remote Access
MFA is required for all remote access to university networks and systems. Passkeys must be used where supported. Backup MFA methods may be permitted only to maintain access continuity when passkeys are temporarily unavailable.

Administrative and Privileged Access 
• Phishing-resistant MFA, including passkeys where supported, is mandatory for all privileged or administrative access accounts. 
• Privileged accounts must not rely on password-only or weak MFA mechanisms when stronger methods are available. 
• Exceptions for privileged access must be explicitly approved by the Information Security team and must be time-limited and documented.

VI. Audit and Management 
Anyone who knows or has reason to believe that another person has violated this policy shall report the matter promptly to the Office of the CISO (Chief Information Security Officer). Failure to report a suspected violation may result in disciplinary action. Reported violations will be investigated and addressed as soon as possible to reduce potential harm to the university and its affiliates. 

VII. Enforcement 
Anyone found to have violated this policy may be subject to appropriate disciplinary action as described in the Code of Computing Practices. Services may be disabled immediately if suspicious activity is observed and will remain disabled until the issue is resolved. 

VIII. Exemptions 
Exemptions from this policy must be formally approved. Questions regarding policy interpretation or applicability should be referred to the Office of the CISO. Approved exemptions must be documented in accordance with the University’s exemption procedures. 

IX. References 
• University of Arkansas Code of Computing Practices 
• University Multi-Factor Policy 

X. Policy Version 
August 2021; revised May 2026 to incorporate passkey-based MFA requirements