Two Step Verification Standard

Application

This standard applies to all users, whether physically located on University property or elsewhere, and all University online applications, systems and electronic services.

Purpose

To define the principles and purpose of Two Step Verification at the University and to establish mandatory processes for allocating and managing two step verification tokens. These standards should be read with the Systems and Applications Authentication Standards and the Password and Two Step Verification Token Guidelines.

Standards

1. Applications, systems and services where restricted data is maintained must have Two Step Verification implemented. This requirement must be taken into account during the high level design, implementation or upgrade of applications and services.

2. The implementation of Two Step Verification on applications, systems and services with in-confidence data is at the discretion of the business owner.

3. Any system configured for Two Step Verification is to be configured to work with both hard tokens and soft tokens.

Note- Google Authenticator and YubiKey are considered to be equivalent in terms of their security.

4. Self-Service options that allow users to manage their own tokens are to be strategically prioritised over assisted options, such as those provided by support teams.

5. All users must be able to authenticate through Two Step Verification where the service has been enabled.

6. If a user leaves or changes role, the systems and services which they are authorised to access, including those where Two Step Verification is enabled, must be adjusted in a timely manner to reflect the change in relationship with the University.

Token Management and Control

7. A user must not share their token with another person and hard tokens must be stored securely.

Note- this means that hard tokens should not be left openly on a desk or plugged into a computer when the user is not present.

8. If any user reports their Two Step Verification token as lost, stolen, or otherwise compromised their token must be locked, unlinked or deleted as appropriate. This applies equally to soft tokens and hard tokens.

9. YubiKey tokens must be returned to the University when they are no longer required.

10. All users who are database administrators or server administrators must use a hard token.

11. If a user has been allocated a mobile, or a mobile connection, by the University they must use a soft token unless they are a database administrator, server administrator or frequent user.

12. Users who are not covered under point 10 or 11 and do have a smartphone must use a soft token.

13. Hard tokens will only be assigned if the user meets one of the criteria below:

  • does not have a smartphone (University or personal)
  • is considered a frequent user
  • requires access to back-end databases and/or servers

Definitions

The following definitions apply to this document:

Authentication establishes the identity of the user when accessing systems and applications. The authentication process provides identity attributes and enables authorisation and personalisation decisions to be made by systems and applications. These decisions help to ensure that users receive access to only the information and transactions to which they are entitled.

Frequent user refers to those who are required to authenticate through Two Step Verification continually throughout the day. For these users it may be simpler to use a hard token which requires them to push one button, rather than a soft token which may require more effort.

Hard tokens (also known as security token) are a small hardware device that the user carries which plugs into a computer and delivers a one-time password to authorise access to online services. Used with a standard username and password, the hard token can provide Two Step Verification to a site, service or application. At the University the hard token used is a YubiKey.

In-confidence data is data not classified as restricted, but that, if compromised, would have an adverse effect on the reputation or the performance of the University, its staff members, students, or its partner organisations.

Restricted data is data that, if compromised, would place the University in breach of its legal and regulatory responsibilities or the consequence would be serious for the University, its staff members, students, or its partner organisations.

Soft tokens (also known as software tokens) are Two Step Verification applications that can be installed and run from a wide variety of devices, including but not limited to personal computers and smartphones. At the University the soft token is the Google Authenticator application which is run on mobile devices such as a smartphone.

Tokens are used to prove your identity electronically in addition to a password. The token acts like an electronic key to access something.

Two step verification (also known as 2 factor authentication, 2fa or 2SV) is a security mechanism that requires two types of credentials for authentication and is designed to provide an additional layer of validation, minimising security breaches. The University has implemented a system in which the first authentication method uses something known (a password) and the second method uses something the person has (a token which provides a one-time code).

User refers to anyone with an identity record authenticating through Two Step Verification at the University.

University means the University of Auckland and includes all subsidiaries.

Key relevant documents

Document management and control

Owner: Chief Digital Officer (CDO)
Content manager: Director ITSPP
Approved by: Chief Digital Officer (CDO)
Date approved: 22 January 2016
Review date: 22 January 2018