Multi-Factor Authentication Policy

Purpose

As part of the university's larger information security program, access to certain services may require students and employees to use multi-factor authentication. This policy defines the options that are available for multi-factor authentication.

Scope

This policy applies to all employees of the institution where multi-factor authentication is required.

Policy

Options for multi-factor authentication
  1. Temporary One-Time Passwords (via an authenticator app)
    1. The preferred option for a second factor is an authenticator app that employs a Temporary One-Time Password (TOTP) such as Okta Verify or Google Authenticator.
    2. SMS
      1. SMS may be used in situations where an authenticator app is not feasible.
  2. Physical hardware token
    University employees (Staff, Administrators and Faculty) who are unable or unwilling to install the Okta Verify App or use SMS messages on their personal devices may choose to use a hardware token (e.g. YubiKey) instead.
    1. These devices will be provided by the institution on request.
    2. These devices remain property of the institution and should be returned upon termination of university employment.
    3. These devices should be considered “Restricted” and treated as sensitive data would be treated.
      1. They should not be left unattended.
      2. When not in use they should be stored in a secure manner, either on the person of the individual responsible for it or in a locked room or drawer.