Two Step Verification Standard


Application


This standard applies to all users, whether physically located on University property or elsewhere, and all University online applications, systems and electronic services.

Purpose


To define the principles and purpose of Two Step Verification at the University and to establish mandatory processes for allocating and managing two step verification tokens. These standards should be read with the Systems and Applications Authentication Standards and the Password and Two Step Verification Token Guidelines.

Standards


1.    Applications, systems and services where restricted data is maintained must have Two Step Verification implemented.  This requirement must be taken into account during the high level design, implementation or upgrade of applications and services.

2.    The implementation of Two Step Verification on applications, systems and services with in-confidence data is at the discretion of the business owner

3.    Any system configured for Two Step Verification is to be configured to work with both hard tokens and soft tokens

Note- Google Authenticator and YubiKey are considered to be equivalent in terms of their security 

4.    Self-Service options that allow users to manage their own tokens are to be strategically prioritised over assisted options, such as those provided by support teams

5.    All users must be able to authenticate through Two Step Verification where the service has been enabled

6.    If a user leaves or changes role, the systems and services which they are authorised to access, including those where Two Step Verification is enabled, must be adjusted in a timely manner to reflect the change in relationship with the University

Token Management and Control

7.    A user must not share their token with another person and hard tokens must be stored securely

Note- this means that hard tokens should not be left openly on a desk or plugged into a computer when the user is not present

8.    If any user reports their Two Step Verification token as lost, stolen, or otherwise compromised their token must be locked, unlinked or deleted as appropriate. This applies equally to soft tokens and hard tokens

9.    YubiKey tokens must be returned to the University when they are no longer required

10. All users who are database administrators or server administrators must use a hard token

11. If a user has been allocated a mobile, or a mobile connection, by the University they must use a soft token unless they are a database administrator, server administrator or frequent user

12. Users who are not covered under point 10 or 11 and do have a smartphone must use a soft token

13. Hard tokens will only be assigned if the user meets one of the criteria below:

  • does not have a smartphone (University or personal)
  • is considered a frequent user
  • requires access to back-end databases and/or servers

Definitions


The following definitions apply to this document:

Authentication establishes the identity of the user when accessing systems and applications. The authentication process provides identity attributes and enables authorisation and personalisation decisions to be made by systems and applications. These decisions help to ensure that users receive access to only the information and transactions to which they are entitled

Frequent user refers to those who are required to authenticate through Two Step Verification continually throughout the day.  For these users it may be simpler to use a hard token which requires them to push one button, rather than a soft token which may require more effort

Hard tokens (also known as security token) are a small hardware device that the user carries which plugs into a computer and delivers a one-time password to authorise access to online services. Used with a standard username and password, the hard token can provide Two Step Verification to a site, service or application.  At the University the hard token used is a YubiKey

In-confidence data is data not classified as restricted, but that, if compromised, would have an adverse effect on the reputation or the performance of the University, its staff members, students, or its partner organisations

Restricted data is data that, if compromised, would place the University in breach of its legal and regulatory responsibilities or the consequence would be serious for the University, its staff members, students, or its partner organisations 

Soft tokens (also known as software tokens) are Two Step Verification applications that can be installed and run from a wide variety of devices, including but not limited to personal computers and smartphones.  At the University the soft token is the Google Authenticator application which is run on mobile devices such as a smartphone

Tokens are used to prove your identity electronically in addition to a password. The token acts like an electronic key to access something.

Two step verification (also known as 2 factor authentication, 2fa or 2SV) is a security mechanism that requires two types of credentials for authentication and is designed to provide an additional layer of validation, minimising security breaches. The University has implemented a system in which the first authentication method uses something known (a password) and the second method uses something the person has (a token which provides a one-time code)

User refers to anyone with an identity record authenticating through Two Step Verification at the University

University means the University of Auckland and includes all subsidiaries

Document management and control


Owner: CIO

Content Manager: Director ITSPP

Approved by: CIO

Date approved: 22 January 2016

Review date: 22 January 2018