Table of Contents
1. Purpose and Background
2. Standards
a) User Authentication Requirements
b) Accounts on Devices and/or Services
c) Minimum Requirements for Endpoint and Account Access
d) Requirements for Access to University of Virginia Data Types
e) Required Reporting
3. Definitions
4. Related Links
5. Exceptions
REVISION HISTORY: March 14, 2022; December 18, 2020
1. Purpose and Background
To protect the confidentiality, integrity, and availability of its information technology (IT) resources, the University must implement appropriate user authentication.
The Acceptable Use of the University’s Information Technology Resources (IRM-002) policy states:
Users must not:
- Divulge to or share with anyone else passwords, PINs, private keys, hardware tokens, or similar authentication elements, nor exploit sessions left open, or otherwise misappropriate, assume, or steal the “identity” of another user;
- Obtain or attempt to obtain unauthorized access to the University’s IT resources;
- Circumvent or attempt to circumvent security controls on the University’s IT resources; nor
- Allow unauthorized users access to the University’s IT resources.
This authentication standard details additional requirements that apply to all users. All administrators or those who create accounts of any kind must follow these requirements.
2. Standards
User Authentication Requirements
All accounts at the University of Virginia’s Academic Division, UVA Medical Center (Agency 209), and UVA’s College at Wise (Agency 246) must
- require a user ID and a password, or an authentication certificate issued by the University, approved University badge access, or a University-approved hardware token, and
- use a password that is unique to that account and is not used for any other purpose (e.g., Google, Facebook).
Any application that accepts UVA or UVA Health passwords must do so through one of the UVA-approved single sign-on (SSO) services (e.g., Netbadge). To accept such passwords directly instead, you must hold an approved policy exception from UVA Information Security.
Users must notify University Information Security within one (1) hour of the time an account is suspected or confirmed to be compromised, using the Report a Security Incident webpage (preferred) or by telephoning (434) 924-4165.
Accounts on Devices and/or Services
Clear text passwords or passcodes must never be sent via email or printed.
The two tables below describe additional authentication requirements and restrictions.
Minimum Requirements for Endpoint and Account Access
Authentication Requirements | Mobile Devices with access to University IT or data resources (e.g., smart phones) | End Points (e.g., laptops, computers) | Administrative Access to servers or IT management accounts | Service or server administration accounts (non-user service accounts, no user login)
Minimum Password Length | 4 | 12 | 25 | 25
Character Classes | 1 | 3 | 3 | 3
Must Expire Every | 365 days | 365 days | 90 days | 365 days
Password History | 24 | 24 | 24 | 24
Two-step (multi-factor) Authentication | Depends on data type accessed | Depends on data type accessed | Yes | No
Logging Requirement | Not applicable | Recommended | Required | Required
Maximum Inactivity before Screen Lockout or Logoff | 10 minutes or less | 10 minutes or less | 10 minutes or less | Not applicable
Notes:
- For mobile devices: biometric (e.g., facial recognition or fingerprint), pattern-code, or swipe-code authentication is acceptable once the password has been set.
- For Administrative Access to servers or IT management accounts:
- Use a separate account for server administration and management from the one used for non-administrative access, and scope its privileges to the task; where needed, use multiple non-shared administrative accounts rather than one shared account.
- Passwords to these accounts must be changed within 24 hours of any staff member who knows the password leaving the job.
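The checker below is an added illustration, not part of the UVA standard or any UVA tool. It encodes the four columns of the table above (minimum length, character classes, expiry, history) and shows the one part of the table that is easy to get wrong in a home-grown implementation: enforcing a 24-password history without keeping old passwords in the clear, by storing each prior password as a salted PBKDF2 hash and re-deriving the candidate against every stored salt. The tier labels, the four-class definition of "character class", the PBKDF2 parameters, and the sample passwords are this example's own assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Tier:
    """One column of the endpoint/account table (ages in days, counts as integers)."""
    name: str
    min_length: int
    min_classes: int
    max_age_days: int
    history: int


# Values transcribed from the table above; the short names are this
# example's own labels, not terms defined by the standard.
MOBILE = Tier("mobile device", 4, 1, 365, 24)
ENDPOINT = Tier("endpoint", 12, 3, 365, 24)
ADMIN = Tier("administrative access", 25, 3, 90, 24)
SERVICE = Tier("service account", 25, 3, 365, 24)

# Assumption: the standard does not define "character class"; the usual
# four are used here, and anything outside ASCII letters/digits is "other".
_CLASS_SETS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}

# Assumed hash parameters for the history store; raise the count in production.
_PBKDF2_ITERATIONS = 100_000


def character_classes(password: str) -> set[str]:
    """Names of the character classes present in the password."""
    present: set[str] = set()
    for ch in password:
        for name, members in _CLASS_SETS.items():
            if ch in members:
                present.add(name)
                break
        else:
            present.add("other")
    return present


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password, returned as (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)
    return salt, digest


def in_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any stored password.

    Each entry carries its own salt, so the candidate must be re-derived per
    entry; compare_digest keeps the digest comparison constant-time.
    """
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def check_password(password: str, tier: Tier,
                   history: list[tuple[bytes, bytes]] | None = None) -> list[str]:
    """Rules of `tier` that `password` violates; an empty list means it passes."""
    problems: list[str] = []
    if len(password) < tier.min_length:
        problems.append(f"length {len(password)} < {tier.min_length}")
    classes = character_classes(password)
    if len(classes) < tier.min_classes:
        problems.append(f"character classes {len(classes)} < {tier.min_classes}")
    # Only the most recent `tier.history` entries count, per the table.
    if history and in_history(password, history[-tier.history:]):
        problems.append(f"reused within last {tier.history} passwords")
    return problems


def record_password(password: str, tier: Tier,
                    history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """History with the new password's hash appended, trimmed to the tier's depth."""
    return (history + [hash_password(password)])[-tier.history:]


def days_until_expiry(set_on_iso: str, tier: Tier, today_iso: str) -> int:
    """Days left before the password must be changed (ISO dates); negative means overdue."""
    set_on, today = date.fromisoformat(set_on_iso), date.fromisoformat(today_iso)
    return tier.max_age_days - (today - set_on).days


if __name__ == "__main__":
    # Constructed sample: an administrative account rotating its password.
    store = record_password("Admin-Passw0rd-That-Is-Long!", ADMIN, [])
    print(check_password("Admin-Passw0rd-That-Is-Long!", ADMIN, store))
    print(check_password("Tr0ub4dor&3", ENDPOINT))
    print(days_until_expiry("2022-01-01", ADMIN, "2022-03-31"))
```

Note that `check_password` reports every failed rule rather than stopping at the first, which is what a user-facing change-password form needs; the history check is deliberately last because it is the only one that costs a key derivation per stored entry.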
Requirements for Access to University of Virginia Data Types
Authentication Requirements | Highly Sensitive Data | | |
Minimum Password Length | 12 | 12 | 12 | 12
Character Classes | 3 | 3 | 3 | 3
Must Expire Every | 365 days | 365 days | 365 days | 365 days
Password History | 24 | 24 | 24 | 24
Two-Step (Multi-factor) Authentication | Required | Recommended, if possible | Recommended, if possible | Recommended, if possible
Logging Requirement | Required | Recommended | Recommended | Recommended
Maximum Inactivity before Screen Lockout or Logoff | 10 minutes or less | 10 minutes or less | 10 minutes or less | 10 minutes or less
NOTES:
- The Highly Sensitive Data (HSD) column of this table also applies to data stored in a mission-critical system, even if the data stored on such a system are not HSD.
- The High Security VPN is required for user access to Highly Sensitive Data (HSD) on any system in the Academic Division.
Required Reporting
Users who suspect or know of a compromise of a password, PIN, private key, etc., or who know of or suspect any account compromise, must:
- take immediate action to change the compromised credential,
- notify the appropriate systems administrator, and
- report the incident at the Report a Security Incident webpage (preferred) or by telephoning (434) 924-4165 within one (1) hour of the time the incident is identified or suspected.
3. Definitions
See the list of definitions for the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies.
4. Related Links
- Acceptable Use of the University’s Information Technology Resources (IRM-002)
- Health System Policy IT-002: Use of Electronic Information and Systems
- Health System Password Management
- Security of Connected Devices Standard
- Electronic Access Agreement Standard
- ITS Computing Accounts Page
- University of Virginia’s College at Wise Password Complexity Requirements
5. Exceptions
If you think you need to request an exception to these requirements, please refer to the Exceptions Process.