Substantive Change: Authentication Standard

Friday, December 18, 2020 - 15:30

Effective: December 18, 2020

The Authentication standard was changed to such a degree that it is not possible to list all the changes here. Reviewing the revised standard carefully is highly recommended.


  • All references to "UVA Identity Token combined with JointVPN or HSVPN connection" were replaced with "UVA-approved two-factor authentication (e.g. Duo-based High Security VPN)".
  • "Physical token" was changed to "hardware token" to be consistent with terminology elsewhere in the standard.
  • General password length and complexity were changed from 8 characters and 3 of 4 character classes, OR passwords of more than 20 characters with two character classes, to 12 characters and three of four character classes.
  • "Should" was changed to "must" in the requirement that the current password differ from the user's previous 24 passwords.
  • The difference between an administrative account and a service account was clarified and defined.
  • The overall format of sections with bulleted items was changed to two tables listing requirements.
  • The Purpose and Background was revised to specify the policy under which this standard falls (IRM-002).


  • Clear text passwords or passcodes must never be sent via email or printed.
  • Changed the format of the User Authentication Requirements from bulleted text to two tables to simplify them and make them easier to understand.
  • Required Reporting section.
  • Multiple new Related Links were added.


