Two Factor Authentication
Enhanced Authentication Requirements
In December 2014, Chancellor Cigarroa sent a memo to all of the Presidents of academic and medical institutions, requiring the use of Enhanced Remote Access Authentication. A detailed Frequently Asked Questions document accompanied the two-factor authentication requirement memo. This requirement was also adopted as policy and incorporated into University of Texas System 165 (UTS165) - Information Resources Use and Security Policy, Standard 4, 4.7 Two-factor Authentication Requirement, amended on March 16, 2015.
Effective August 31, 2015, Two-factor Authentication is required in the following situations:
a) when an employee or individual working on behalf of the University (such as a student employee, contractor, or volunteer) logs on to a University network using an enterprise Remote Access gateway such as VPN, Terminal Server, Connect, Citrix, or similar services;
b) when an individual described in a) who is working from a Remote Location uses an online function such as a web page to modify employee banking, tax, or financial information; or
c) when a Server administrator or other individual working from a Remote Location uses administrator credentials to access a Server that contains or has access to Confidential University Data.
Frequently Asked Questions
1) What is two-factor authentication?
Two-factor authentication adds a layer of security to any type of login account by requiring extra information or a physical device, in addition to your password, to log in.
2) Why use two-factor authentication?
As companies allow more remote and web-based application access to data, two-factor authentication is one of the best ways to protect against remote attacks such as phishing, credential misuse, and other attempts to take over your accounts.
Verizon’s Data Breach Investigations Report (DBIR) found that 95 percent of breaches involve the exploitation of stolen credentials. Many recent high-profile breaches can be traced back to stolen passwords, either from third-party vendors or from corporate employees.
3) What are factors?
An authentication factor is an independent credential category used for identity verification. The three most common categories are often described as something you know, something you have, and something you are. See below for examples of each factor category:
- Something you know (knowledge factor) - a unique username and password.
- Something you have (possession factor) - a smartphone with an app to approve authentication requests.
- Something you are (inherence factor) - a form of biometric data, like your fingerprint or a retina scan.
4) What solution is UT Arlington offering to address the requirement?
Following recommendations from UT System and sister campuses, the Office of Information Technology, working with the Information Security Office, has tested and selected Duo Security as the software vendor that will support two-factor authentication at UT Arlington, and has determined that it fulfills the technical requirements of the Chancellor's memo.
Duo Security, rebranded as NetIDplus at UTA, primarily relies on smartphone technology (as something you have) but also supports several methods of communicating the second factor. Methods include a randomized code displayed on your smartphone or sent via SMS, a "push" function in the Duo app, or a telephone call. Duo supports multiple mobile operating systems to display the second factor and also supports multiple server operating systems and web platforms to prompt for the second factor.
Click here to learn about NetIDplus and to enroll your device or phone.
5) What if NetIDplus is not compatible with my work, or with systems that I use, at UT Arlington? Does this policy apply to me?
In certain instances, the Information Security Office may consider exemptions to avoid system incompatibilities or work disruptions. To request an exemption, send a request to the Chief Information Security Officer via firstname.lastname@example.org.