Multi-Factor Authentication
The purpose of this policy is to define requirements for accessing University of Kansas (KU) computer systems containing sensitive data from both on and off campus. The standards set forth in this policy are intended to minimize potential security risks which may result from unauthorized use of KU computing resources. Multi-factor authentication adds a layer of security which helps deter the use of compromised credentials.
An employee or student accessing any system that requires an additional layer of protection, as determined by the KU Information Technology Security Office (ITSO) in collaboration with campus data stewards, is required to use multi-factor authentication. Systems requiring multi-factor authentication include those supported by KU Information Technology as well as systems administered by non-centralized departmental IT staff.
User Requirements
- Register a device that can receive notifications or codes via the Duo Mobile app.
- When users attempt to log in to a KU computer system protected by multi-factor authentication, the system will “challenge” the user by requesting a second factor of authentication. This second factor could be an acknowledgement of a push notification, a code, or a physical token. This second factor will be provided through the secure method(s) the user selected during registration.
- It is the user’s responsibility to promptly report compromised credentials to the Information Technology Customer Service Center.
Registration
Users will use the multi-factor authentication self-enrollment process to register their authentication device(s) and install the Duo Mobile app. More information is available in the process guide.
Devices
The preferred method for delivering access codes and/or push notifications is via the Duo Mobile app, which can be installed on any supported smartphone or tablet. The Duo Mobile app is the preferred and recommended solution for KU users. Users are encouraged to use personally- owned or KU- provided smartphones or tablets for the Duo Mobile app. The use of jailbroken/rooted devices is prohibited.
Receiving Duo multi-factor authentication codes via SMS is an option for users who cannot access a smartphone or tablet but do own a mobile devices capable of receiving SMS messages, but users are encouraged to use the Duo Mobile app if at all possible.
Employees who cannot access a smartphone or tablet and cannot receive SMS messages may request approval from their supervisor for a code-generating token that will be provided by KU Information Technology. Students who cannot access a smartphone or tablet and cannot receive SMS messages must contact IT for further information.
Duo may, at its discretion, drop app support for older versions of mobile operating systems. Duo maintains the full list of supported devices.
Frequency of User Challenges
The frequency of user challenges depends on the application being protected by multi-factor authentication. User challenge intervals for systems and services protected by multi-factor authentication vary. The list of systems and their challenge intervals is maintained by KU Information Technology.
Lost or Stolen Devices
If a user’s registered devices is lost, stolen, or the user has reason to suspect their KU Online ID credentials have been compromised, the user must contact the Information Technology Customer Service Center IMMEDIATELY.
Off-Hours and Emergency Access to Protected Data
KU Information Technology shall maintain internal procedures for processing emergency access requests if issues arise with the multi-factor authentication process. Users should contact the Information Technology Customer Service Center for access.
There may be situations in which a member of the KU community has a legitimate need to utilize KU technology resources outside the scope of this policy. The IT Security Office may approve, in advance, exception requests based on balancing the benefit versus the risk to KU. Exception requests must be made through request to the user’s Technical Service Center or the Information Technology Customer Service Center. Policy exception requests shall be made to the Office of the Provost and include a brief description of the system and/or type of data access requested. Please be certain to indicate if the user handles Personally Identifiable Information (PII) or other confidential information, such as electronic protected Health Information (ePHI), financial data, student academic records (e.g. grades or test scores), credit card payments, Social Security numbers, or works with children.
Due to the evolving nature of technology, cyber threats, and the changing roles of users at KU, all exemptions will be reviewed periodically and at the discretion of the IT Security Office in collaboration with data stewards. This review will verify that the need stated in the request is still valid and/or that the user still requires the approved multi-factor exempted access.
Failure to register a device will result in an inability to use multi-factor authentication. If multi-factor authentication is required for a system, the user will not be allowed to authenticate and use the system.
Users may not attempt to circumvent login procedures, including Duo multi-factor authentication, on any computer system or otherwise attempt to gain unauthorized access. Attempts to circumvent login procedures may subject user to disciplinary action including, but not limited to, suspension of the user’s access to the electronic information resources. Financial losses incurred due to the use of Duo multi-factor circumvention techniques are the responsibility of the user, and the University may seek financial restitution from users who violate this policy. Users also should be aware of other possible consequences under University or Kansas Board of Regents policies and federal, state, or local laws, particularly those related to computer crime and copyright violation.
Administrative Contact:
Office of the Provost
1450 Jayhawk Blvd.
Room 250
Lawrence, KS 66045
785-864-4904
provost@ku.edu
Technical Contact:
Information Technology
1001 Sunnyside Ave.
Lawrence, KS 66046
785-864-8080
itcsc@ku.edu
“Central Authentication Service (CAS)” is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once.
“VPN” or Virtual Private Network is a method employing encryption to provide secure access to a remote computer over the Internet.
“Data steward” is a person responsible for the management and fitness of data elements (also known as critical data elements) - both the content and metadata.
“Duo” is a cloud hosted two factor authentication system that works with several other information systems for an added layer of protection.
“Multi-Factor Authentication (MFA)” is a method of computer access control in which a user is granted access only after successfully presenting multiple separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something the user knows), possession (something the user has), and inherence (something the user is).
03/28/2024: Updated to include students.
08/14/2019: New policy uploaded into Policy Library.
