Multi-Factor Authentication (MFA) - Standard
Purpose
This Standard supports and supplements the University of Central Oklahoma’s (“University” or “UCO”) Information Security Policy. The standard is mandatory and enforced in the same manner as policy. It will be periodically reviewed and updated as necessary to meet changes in operational, legal, and regulatory requirements.
This Multi-Factor Authentication (MFA) Standard establishes requirements for securing access to information systems and sensitive data at the University. MFA adds an additional layer of security beyond just a username and password, ensuring the protection of institutional and personal data against unauthorized access.
Scope
This Standard applies to:
- All divisions, colleges, and units established by the University that exercise any information technology (IT) function relating to the mission of the University except for those specifically exempted in writing by the senior leadership (as defined in the information security policy) of the University.
- Faculty, staff, some student workers, academic and administrative units, affiliated entities, agents, contractors, vendors, volunteers of the University, members of the community who use and/or administer University computer and telecommunications systems, or any information system or system asset (as defined in the information security policy) that connects directly or indirectly to any University owned, leased, contracted, or operated computer or telecommunication system.
Standard Details
1. Definitions
- Multi-Factor Authentication (MFA): A security measure requiring at least two of the following types of verification factors:
  - Something you know (e.g., password, PIN).
  - Something you have (e.g., smartphone, hardware token).
  - Something you are (e.g., fingerprint, facial recognition).
- Sensitive Data: Information classified as confidential, restricted, or otherwise critical to the university’s operations or compliance obligations (e.g., student records, financial information, research data).
2. MFA Implementation
- MFA will be required for all applicable users accessing university systems containing sensitive data, including but not limited to email, learning management systems, financial systems, and cloud storage services.
- MFA will be required for all remote access to university systems, regardless of the user’s role.
- MFA will also be required for all accounts and systems deemed High-Risk Accounts such as but not limited to Admin Accounts, critical systems, and financial transactions.
3. Authentication Methods
The university currently supports DUO as the only approved MFA solution. The university does allow the use of other methods for MFA which can supplement DUO for third-party applications and external services that require a different authentication method. See options below:
- Authenticator applications (e.g., Authy, Microsoft Authenticator, Google Authenticator).
- Hardware tokens (e.g., Duo fob).
Users must register and use DUO as their primary method of authentication for accessing UCO-specific services requiring that authentication.
4. Enrollment and Configuration
- All applicable users must enroll in the university’s MFA system during the onboarding process.
- The UCO IT Help Desk is the primary point of contact for any MFA-related questions, as they are the designated Tier I support channel.
- Information Security will provide Tier II support as deemed necessary or to resolve enrollment issues.
- Identification Verification, also known as identity proofing, will be used to confirm a user’s identity during troubleshooting procedures.
- Knowledge Based Articles (KBAs) are available to provide additional guidance for enrollment, configuration, and troubleshooting.
5. User Responsibilities
- Ensure the security of MFA devices (e.g., do not share hardware tokens or store passwords insecurely).
- Report lost or stolen MFA devices immediately to the IT Help Desk.
- Users are responsible for maintaining their MFA devices and updating the system with any changes as deemed necessary (e.g., replacing a smartphone or updating OS to meet minimum MFA requirements).
6. Standard Violations
- Failure to comply with this standard or other University policies will result in disciplinary action, up to and including termination of employment and/or enrollment. All persons to whom these policies, standards, and guidelines are applicable, as stated above, are responsible for adhering to these rules.
- All supervisory personnel are responsible for ensuring that these policies, standards, and guidelines are adhered to within their respective areas of responsibility. Any user may report University policy or law violations to their immediate supervisor, representative faculty, or school personnel, or by using UCOMMENT.