Purpose
The use of 2FA is the best method to prevent the theft of university information and resources through the use of compromised credentials and should be implemented wherever possible.
Each year through phishing and password reuse, over 1,000 NetID accounts require their password to be reset as they are involved in attempts to leverage these stolen credentials to access:
- University data, including student, faculty, or staff email accounts
- Research data
- Systems and services remotely
Other nefarious uses include using UConn as a launching attack point to other institutions.
Standard
User Requirements
- Users must maintain a device that can receive Duo authentication requests in a secure manner via the Duo mobile app or another mechanism, such as SMS, phone, or token.
- When an attempt is made to access a Duo enabled system or application, the system will challenge the user by requesting a second factor of authentication, which may include an acknowledgement of a push notification via the Duo app, a 6-digit code via SMS, or a passcode from the app or token.
- If users receive a Duo notification when not conducting a recent authentication, the authentication should be denied and reported to the Technology Support Center.
Frequency of User Challenges
The frequency with which a user may be challenged depends both on policy and use.
- Policy based – depending on information being accessed, more frequent authentications may be required.
- Usage based – While user challenges may be “remembered” for a period of time, use of other hardware, browsers, or other behaviors may trigger additional verification using a second factor.
Lost or Stolen Devices
If a user’s registered device is lost, stolen, or the user has reason to suspect their UConn NetID has been compromised, the user must contact the Technology Support Center immediately. As a precaution, they should change their password on netid.uconn.edu.
Off-Hours and Emergency Access to systems and applications
UConn Information Technology Services will maintain internal procedures for processing emergency access requests if issues arise with the 2FA process. Users should contact the Technology Support Center for additional information.
Use of Automated Systems
Automated systems that intend to interfere with the approval component of 2FA are prohibited.
Exceptions
ITS will review and document any requests for exceptions to this standard. ITS will also have available solutions for the intermittent failure of various second factors, which may include the allowance of temporary access codes upon verification of an individual’s identity.