Authentication Standard

Table of Contents

1. Purpose and Background 
2. Standards 
a) User Authentication Requirements 
b) Accounts on Devices and/or Services 
c) Minimum Requirements for Endpoint and Account Access  
d) Requirements for Access to University of Virginia Data Types 
e) Required Reporting  
3. Definitions 
4. Related Links 
5. Exceptions

REVISION HISTORY: March 14, 2022; December 18, 2020


1. Purpose and Background

To protect the confidentiality, integrity, and availability of its information technology (IT) resources, the University must implement appropriate user authentication.

The Acceptable Use of the University’s Information Technology Resources (IRM-002) policy states:

Users must not:

  • Divulge or share passwords, PINs, private keys, hardware tokens, or similar authentication elements to anyone else, and they must not exploit sessions left open, or otherwise misappropriate, assume, or steal the “identity” of another user;
  • Obtain or attempt to obtain unauthorized access to the University’s IT resources;
  • Circumvent or attempt to circumvent security controls on the University’s IT resources; nor
  • Allow unauthorized users access to the University’s IT resources.

This authentication standard details additional requirements that apply to all users. All administrators or those who create accounts of any kind must follow these requirements.


2. Standards

 

 

User Authentication Requirements

All accounts at the University of Virginia’s Academic division, UVA Medical Center (Agency 209) and UVA’s College at Wise (Agency 246) must

  • require a user ID and a password, or authentication certificate issued by the University, approved University badge-access, or a University-approved hardware token, and
  • have a unique password for each account or use; the password must not be one used for any other purpose (e.g., Google, Facebook).

Any application accepting UVA or UVA Health passwords must use one of the UVA-approved single-sign-on (SSO) applications (e.g., Netbadge). Alternatively, to accept such passwords directly, you must have an approved policy exception from UVA Information Security.

Users must notify University Information Security within one (1) hour from the time that an account is suspected or confirmed to be compromised by using the Report a Security Incident webpage (preferred) or by telephoning (434) 924-4165.

 

 

Accounts on Devices and/or Services

Clear text passwords or passcodes must never be sent via email or printed.

The two tables below describe additional authentication requirements and restrictions.

 

 

Minimum Requirements for Endpoint and Account Access

| Authentication Requirements | Mobile Devices with access to University IT or data resources (e.g., smart phones) [see note 1 below] | End Points (e.g., laptops, computers) | Administrative Access to servers or IT management accounts [see notes 2 and 3 below] | Service or server administration accounts (non-user service accounts - no user login) [see note 3 below] |
| --- | --- | --- | --- | --- |
| Minimum Password Length | 4 | 12 | 25 | 25 |
| Character Classes | 1 | 3 | 3 | 3 |
| Must Expire Every | 365 days | 365 days | 90 days | 365 days |
| Password History | 24 | 24 | 24 | 24 |
| Two-step (multi-factor) Authentication | Depends on data type accessed [see Table 2 below] | Depends on data type accessed [see Table 2 below] | Yes | No |
| Logging Requirement | Not applicable | Recommended | Required | Required |
| Maximum Inactivity before Screen Lockout or Logoff | 10 minutes or less | 10 minutes or less | 10 minutes or less | Not applicable |

Notes:

  1.  For mobile devices: biometric (e.g. facial recognition or fingerprint), pattern code, or swipe code authentication are acceptable once the password has been set.
  2.  For Administrative Access to servers or IT management accounts: 
  3.  Passwords to these accounts must be changed within 24 hours of a staff member with the password leaving the job.

 

 

Requirements for Access to University of Virginia Data Types

| Authentication Requirements | Highly Sensitive Data or mission critical system [see note 1 and 2 below] | Sensitive Data | Internal Use Data | Public Data |
| --- | --- | --- | --- | --- |
| Minimum Password Length | 12 | 12 | 12 | 12 |
| Character Classes | 3 | 3 | 3 | 3 |
| Must Expire Every | 365 days | 365 days | 365 days | 365 days |
| Password History | 24 | 24 | 24 | 24 |
| Two-Step (Multi-factor) Authentication | Required | Recommended, if possible | Recommended, if possible | Recommended, if possible |
| Logging Requirement | Required | Recommended | Recommended | Recommended |
| Maximum Inactivity before Screen Lockout or Logoff | 10 minutes or less | 10 minutes or less | 10 minutes or less | 10 minutes or less |

NOTES:

  1.  The Highly Sensitive Data (HSD) column on this table includes data stored in a mission critical system, even if the data stored on such a system are not HSD.
  2. The High Security VPN is required for user access to Highly Sensitive Data (HSD) on any system in the Academic Division.

 

 

Required Reporting

Users who suspect or know of a compromise of a password, PIN, private key, etc. or know of or suspect any account compromise must:

  • take immediate action to change the compromised credential,
  • notify the appropriate systems administrator, and
  • report the incident at the Report a Security Incident webpage (preferred) or by telephoning (434) 924-4165 within one (1) hour from the time the incident is identified or suspected.


3. Definitions

See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.


4. Related Links


5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.


APPROVER: Chief Information Officer