Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.
Substantive Change: Authentication Standard
Last modified
August 11, 2023 - 11:04am
Post date
December 18, 2020 - 10:56am
Effective: December 18, 2020
The Authentication standard was substantially changed to such degree that it is not possible to list all the changes here. Reviewing the revised standard carefully is highly recommended.
CHANGED
- All references to "UVA Identity Token combined with JointVPN or HSVPN connection" were replaced with "UVA-approved two-factor authentication (e.g. Duo-based High Security VPN)"
- Use of "physical token" to "hardware token" to be consistent with terminology elsewhere in the standard.
- Password length and complexity in general from 8 characters and 3 of 4 character classes OR passwords of more than 20 characters two character classes to 12 characters and three of four character classes.
- "should" to "must" for current password should differ from the user's previous 24 passwords.
- Clarified and defined the difference between a administrative account and a service account.
- Overall format of sections with bulletted items to two tables listing requirements.
- The Purpose and Background was revised to specify the policy under which this standard falls (IRM-002)
ADDED
- Clear text passwords or passcodes must never be sent via email or printed.
- Changed the format of the User Authentication Requirements from bulleted text to two tables to simplify and make easier to understand.
- Separated into their own columns “Administrative access to servers” and “service or server administration accounts (non-user accounts) based on feedback.
- Recommend the use of a different (separate) account for server administration and management than is used for non-administrative access.
- Required Reporting section.
- Multiple new Related Links were added.
REMOVED
- “moderately" in front of "sensitive data"