Systems and Applications Authentication Standards


Application


This standard applies to all University systems and applications.

Purpose


To define the standard of authentication that systems and applications must use at the University. This makes it easier for application owners and implementers to deliver high-quality services that can determine the identity of a user, aligns with the expectations of users, and manages known authentication security risks. This standard should be read with the Two Step Verification Standard and the Password and Two Step Verification Token Guidelines.

Standards


  1. Access to all University applications and systems that contain restricted data and/or in-confidence data must use some form of authentication
  2. Where authentication is required, all University web-based applications must use the Single Sign-On platform, except where the application does not support SAML/Shibboleth (or any of the Shibboleth enabling options the University uses)
  3. All authentication attempts into University applications and systems through either the University Single Sign-On platform or other forms of authentication must be logged and reportable
  4. Local applications, third-party and cloud services that are used by the University of Auckland to provide a service, must use the University's Single Sign-On application to enable access where practicable
  5. Systems which store or use restricted or in-confidence data must never be configured to allow access using shared or anonymous accounts
  6. The strength of authentication implemented in an application must be suitable for the classification level of the information being accessed and the activities being carried out, such as those that carry financial or reputational risk. For example, applications with restricted data must have Two Step Verification enabled
  7. Generic or shared accounts and credentials must not be used
  8. Exceptions to the standards 6 and 7 may be granted by the Manager, Identity and Access Management, if the request is supported by a genuine business need and of an acceptable risk profile. There must also be an individual who owns, and is responsible for, the activities undertaken while the exception is in place

Definitions


The following definitions apply to this document:

Authentication establishes the identity of the user when accessing systems and applications. The authentication process provides identity attributes and enables authorisation and personalisation decisions to be made by systems and applications. These decisions help to ensure that users receive access to only the information and transactions to which they are entitled

Credentials are methods used by an individual to authenticate his or her identity when accessing applications, systems and online services. Examples of credentials include passwords, one-time passwords, software tokens, hardware tokens, and biometrics

In-confidence data is data not classified as restricted, but that, if compromised, would have an adverse effect on the reputation or the performance of the University, its staff members, students, or its partner organisations

Restricted data is data that, if compromised, would place the University in breach of its legal and regulatory responsibilities or the consequence would be serious for the University, its staff members, students, or its partner organisations

Single Sign-On allows an individual to authenticate on entry to a work session and gain access to multiple related but independent systems and applications

Two step verification (also known as 2-factor authentication or 2FA) is a security mechanism that requires two types of credentials for authentication and is designed to provide an additional layer of validation, minimising security breaches. The University has implemented a system in which the first authentication method uses something known (a password) and the second method uses something the person has (a token which provides a one-time code)

University means the University of Auckland and includes all subsidiaries

Document management and control


Owner: CIO

Content Manager: Director ITSPP

Approved by: CIO

Date approved: 22 January 2016

Review date: 22 January 2018