The purpose of this policy is to define requirements for accessing University of Kansas (KU) computer systems containing sensitive data from both on and off campus. The standards set forth in this policy are intended to minimize potential security risks which may result from unauthorized use of KU computing resources. Multi-factor authentication adds a layer of security which helps deter the use of compromised credentials.
This policy applies to all KU faculty, staff, and graduate assistants. Student hourly employees may be required to use multi-factor authentication based on job requirements or at the discretion of their department.
This policy applies to any system that requires an additional layer of protection as determined by the KU Information Technology Security Office (ITSO) in collaboration with campus data stewards. Systems requiring multi-factor authentication include those supported by KU Information Technology as well as systems administered by non-centralized departmental IT staff. Systems requiring the use of multi-factor authentication include, but are not limited, to virtual private network (VPN), systems utilizing Single Sign-On (SSO), system administration tools, and privileged accounts.
- Register a device that can receive push notifications or codes via the Duo Mobile app.
- When users attempt to log into a KU computer system protected by multi-factor authentication, the system will “challenge” the user by requesting a second factor of authentication. This second factor could be an acknowledgement of a push notification, a code, or a physical token. This second factor will be provided through the secure method(s) the user selected during registration.
- It is the user’s responsibility to promptly report compromised credentials to the Information Technology Customer Service Center.
Users will use the multi-factor authentication self-enrollment process to register their authentication device(s) and install the Duo Mobile app. More information is available in the process guide.
The preferred method for delivering access codes and/or push notifications is via the Duo Mobile app, which can be installed on any supported smartphone or tablet. The Duo Mobile app is the preferred and recommended solution for KU users. Users are encouraged to use personally owned or KU provided smartphones or tablets for the Duo Mobile app. The use of jailbroken/rooted devices is prohibited.
Receiving Duo multi-factor authentication codes via SMS is an option for users who cannot access a smartphone or tablet but do own a mobile devices capable of receiving SMS messages, but users are encouraged to use the Duo Mobile app if at all possible.
Users who cannot access a smartphone or tablet and cannot receive SMS messages may request approval from their supervisor for a code-generating token that will be provided by KU Information Technology. Users will need to be aware of potential syncing issues, token costs, and how to maintain the tokens.
Duo may, at its discretion, drop app support for older versions of mobile operating systems. Duo maintains the full list of supported devices.
Frequency of User Challenges
The frequency of user challenges depends on the application being protected by multi-factor authentication. User challenge intervals for systems and services protected by multi-factor authentication vary. The list of systems and their challenge intervals is maintained by KU Information Technology.
Lost or Stolen Devices
If a user’s registered devices is lost, stolen, or the user has reason to suspect their KU Online ID credentials have been compromised, the user must contact the Information Technology Customer Service Center IMMEDIATELY.
Off-Hours and Emergency Access to Protected Data
KU Information Technology shall maintain internal procedures for processing emergency access requests if issues arise with the multi-factor authentication process. Users should contact the Information Technology Customer Service Center for access.
There may be situations in which a member of the KU community has a legitimate need to utilize KU technology resources outside the scope of this policy. The IT Security Office may approve, in advance, exception requests based on balancing the benefit versus the risk to KU. Exception requests must be made through request to the user’s Technical Service Center or the Information Technology Customer Service Center. Policy exception requests shall be made to the Office of the Provost and include a brief description of the system and/or type of data access requested. Please be certain to indicate if the user handles Personally Identifiable Information (PII) or other confidential information, such as electronic protected Health Information (ePHI), financial data, student academic records (e.g. grades or test scores), credit card payments, Social Security numbers, or works with children.
Due to the evolving nature of technology, cyber threats, and the changing roles of users at KU, all exemptions will be reviewed periodically and at the discretion of the IT Security Office in collaboration with data stewards. This review will verify that the need stated in the request is still valid and/or that the user still requires the approved multi-factor exempted access.
Failure to register a device will result in an inability to use multi-factor authentication. If multi-factor authentication is required for a system, the user will not be allowed to authenticate and use the system.
Users may not attempt to circumvent login procedures, including Duo multi-factor authentication, on any computer system or otherwise attempt to gain unauthorized access. Attempts to circumvent login procedures may subject user to disciplinary action including, but not limited to, suspension of the user’s access to the electronic information resources. Financial losses incurred due to the use of Duo multi-factor circumvention techniques are the responsibility of the user, and the University may seek financial restitution from users who violate this policy. Users also should be aware of other possible consequences under University or Kansas Board of Regents policies and federal, state, or local laws, particularly those related to computer crime and copyright violation.
“Central Authentication Service (CAS)” is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as user ID and password) only once.
“VPN” or Virtual Private Network is a method employing encryption to provide secure access to a remote computer over the Internet.
“Data steward” is a person responsible for the management and fitness of data elements (also known as critical data elements) - both the content and metadata.
“Duo” is a cloud hosted two factor authentication system that works with several other information systems for an added layer of protection.
“Multi-Factor Authentication (MFA)” is a method of computer access control in which a user is granted access only after successfully presenting multiple separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something the user knows), possession (something the user has), and inherence (something the user is).
08/14/2019: New policy uploaded into Policy Library.