
Multi-Factor Authentication Policy and Procedures

Approved 4/9/20

Purpose

Multi-Factor Authentication (MFA) is achieved when multiple forms of authentication are used to increase the likelihood that the credentials are from the individual to whom they were assigned. This process reduces the risk of impersonation or the use of compromised credentials by an unauthorized individual. The types of credentials typically fall into three categories - something you know, such as a PIN or password; something you have, such as a one-time passcode generator, token or smart card; and something you are, such as a fingerprint or other biometrics.

Authentication methods used to access high risk data, as defined in the UW – Whitewater Authentication Policy, the UW – Whitewater Information Technology Services (ITS) Information Asset Classification Policy and the University of Wisconsin System Administrative Policy 1031 - Information Security: Data Classification, must use multi-factor authentication. Other applications or utilities not directly accessing high risk data may also require the use of multi-factor authentication.

Multi-factor authentication (MFA) is required to be used by all users with critical access to WINS, HRS and SFS data or with access to other people’s sensitive or restricted information in those systems. Users of other systems that contain high risk data, as defined in the Information Asset Classification Policy, must also use MFA. At UW – Whitewater, MFA is achieved through the use of a one-time password (OTP) generated by an approved hardware token (fob) or smartphone application, used in addition to the user's campus credentials.

Access to restricted data will be determined based on your job duties and responsibilities. Violations of approved policies and procedures could result in the revocation of system access.

This document specifies user responsibilities and procedures when using UW – Whitewater provisioned MFA tokens. It is organized into the following sections: 

  1. Policy 
  2. Procedure/Processes 
  3. Definitions 
  4. Authorization Form 

Policy 

  1. When authenticating using MFA all users must use the generated OTPs from their approved hardware token (fob) or smartphone app as a second factor security login, in addition to their campus credential. 
  2. Only approved and registered hardware tokens (fob) or smartphones registered with the approved MFA app may be used for OTP generation. 
  3. If using a smartphone app, users must notify the ITS Help Desk when they change their smartphone device, even if they keep the same phone number. ITS will assist users with the process of registering their new smartphone device. 
  4. Lost, stolen or damaged devices must be reported immediately to the ITS Helpdesk (helpdesk@uww.edu or 262-472-4357).
  5. Devices must be properly secured, not shared.
  6. Users are expected not to leave their OTP devices unattended in a public place. 
  7. Users should not mark their hardware fobs or smartphones with any identifying information such as name, Net-ID, password, or any reference to the HRS, SFS or WINS systems. 
  8. Follow the UW-Whitewater Information Security Account Lifecycle – Change of Role and Separation Practice Directive when access is no longer needed.

Procedure/Processes 

Every Multi-Factor Authentication (MFA) user must choose to use either a hardware token (fob) or a smartphone application as the OTP authentication device. There may be situations where an MFA user may be required to use multiple forms of authentication device. Approved hardware tokens (fob) and the smartphone OTP applications will be supported by UW-Whitewater. When the hardware fob or smartphone is not being used, it should be physically secured from being accessed by others. Users of X-IDs may only use the hardware fob. During the COVID-19 Social Distancing period, exceptions may be granted with adequate mitigating controls within each office. Refer to the X-ID guidelines for additional information regarding X-IDs.


Smartphone 

  1. User is responsible for furnishing his/her personal smartphone, or a state-issued smartphone (if a user already has a state-issued smartphone). The UW-System and UW-Whitewater will not issue smartphones exclusively for users to use as multi-factor authentication devices.
  2. UW - Whitewater only supports the OTP app, not the smartphone itself. Each user is responsible for making sure his/her smartphone is in working condition. The UW-System and UW-Whitewater are not responsible for the cost of repairing or replacing the personal smartphones used as OTP devices or for any costs associated with data plan usage.
  3. The UW – Whitewater approved OTP app from Duo must be installed and used to generate the OTP. Refer to the installation instructions.
  4. Users are required to leverage the electronic security provided by their smartphones, including but not limited to use of a screen lock utility to access their smartphones (e.g., PIN, Password, or biometric such as a fingerprint scan). 
  5. Users must agree to uninstall the OTP application once their need to use it expires. 

OR 

Hardware Token (fob)

  1. If a non-X-ID user requires a hardware token (fob), the department org-code will be charged $11 or the then-current hardware token cost, whichever is higher.
  2. Users are expected to return their hardware tokens (fob) to their supervisor when they terminate their affiliation with UW – Whitewater or no longer have access to any of the systems that require multi-factor authentication. 
  3. Users must take reasonable care for the hardware token (fob) which is assigned to them. Reasonable care includes, but is not limited to:  
    1. Protecting from water/moisture. Fobs are not water resistant. 
    2. Protecting from loss or theft. 
    3. Users are expected not to store their OTP fobs in the same office or near a computer used to access WINS or UW System common systems (SFS or HRS). 
    4. Users are expected not to transport their OTP fobs in the same bags as laptops that are used to access any system or application using MFA. 
  4. In certain instances a user will be assigned a specific type of hardware fob that plugs into the USB port of a device. It is critical that these fobs are not left unattended in the device or stored with the device. Failure to properly store and use the fob will result in the loss of access to a USB fob.

Contingency Access

Multi-Factor Authentication (MFA) users are able to use either one of the following options to request temporary one-time passwords when they don’t have their OTP device to authenticate to UW System and UW – Whitewater systems which require MFA authentication: 

Contact the ITS Helpdesk during normal business hours to request a temporary one-time password. 

  • Two (2) forms of identification will be required.
    1. UW-W Affiliation: Hawkcard Card (UW-W ID card), UW-W Health card, HR Verification Form, Notary Public Form.
    2. Government-issued ID: State-issued Photo ID, US Military Card, Passport.
  • Once a user’s identity has been verified, an Access Code will be generated and the user will be given a code to access MFA-protected applications and systems for 8 hours. After the code has expired, the user will be required to repeat the process. Users are expected to use the chosen device in addition to their campus credential to authenticate to any system that requires strong authentication. Currently there is no limit on how many times a user can request a temporary OTP. However, UW-Whitewater and the UW System monitor the pattern of contingency access usage and may issue a report to the supervisor of a user if the user requests a temporary OTP more than five times in a month.

Definitions

Term, Acronym or Abbreviation: Definition

Fob: A state-issued device used to generate a One-time Password.

Multi-Factor Authentication (MFA): Multiple forms of authentication used to increase the likelihood that the credentials are from the individual to whom they were assigned, and reduce the risk of impersonation or the use of compromised credentials by an unauthorized individual. The types of credentials typically fall into three categories - something you “know”, such as a PIN or password; something you “have”, such as a one-time passcode generator, token or smart card; and something you “are”, such as a fingerprint or other biometrics.

OTP: One-time Password.

OTP Device: The device that is used to generate a One-time Password. This refers to both the fob and the smartphone.

Smartphone OTP App: UW – Whitewater authorized and managed smartphone app that is used to generate an OTP.

X-ID: An account assigned to a student employee whose role requires access to high risk data and MFA.

UW-Whitewater Inactivity Timeout Settings:

Campus workstations have an inactivity timeout setting of 30 minutes to align with recommended security practices and with the HRS and SFS timeout window. Exemptions to the 30-minute timeout will be considered on a case-by-case basis.

UW-Whitewater X-ID Onboarding/offboarding process

X-ID On-Offboarding (PDF)

UW-Whitewater X-ID Guidelines

X-ID Guidelines

UW-Whitewater MFA Authorization Form

MFA Authorization Form

Related Documents 

Scheduled Review

This document will be reviewed on an annual basis, or as deemed necessary.

Revision/Review Log

Date: 02/10/22
Approver: (not recorded on this page)
Action/Description: Revised to reflect the expanded use of MFA for users of other systems that contain high risk data, as defined in the Information Asset Classification Policy, and procedure/process changes resulting from the migration from Symantec VIP to Duo.