1610 PR.04 Multifactor Authentication

Revision Date: 
December 2, 2019

Contents

1.     Scope

2.     Reason for this Procedure

3.     Multi-Factor Authentication Process Overview

4.     Duo Registration

5.     Trust Interval (Grace Period)

6.     Exception Requests

7.     Lost or Stolen Device Procedures

8.     Emergency Access Procedures

1.  Scope

This procedure is driven by Policy 1610, Systems and Network Security, which establishes security requirements for members of the Yale community regarding access to University information and information systems who use computing or communications systems during the course of their work and studies at Yale University.  This includes systems used on-campus, as well as from remote locations, such as home, hotels and other off-campus locations.

2.  Reason for this Procedure

The goals of this procedure are as follows:

1. Protect the identities of University systems from compromise.

2. Protect the security, confidentiality and integrity of computing network accounts.

3. Protect system administration accounts from misuse.

The goal of Multi-factor authentication is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a computing device, network or database.  If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

3.  Multi-Factor Authentication Process Overview

Many systems on Yale’s campus may be protected by multi-factor authentication (“MFA”).  These include Central Authentication Services (CAS), Outlook Web Application (OWA), the Virtual Private Network (VPN), system administration tools & privileged accounts or High Performance Computing (HPC) clusters.  You are required to register a device to provide a secure method for Yale to contact you during the authentication (logon) process.  If you do not register, you will not be able to use MFA— if MFA is required for that system or service, you will not be able to use the system.

When you try to log into a Yale system protected by MFA, the system will “challenge” you by requesting a secret security code.  This code will be provided through the secure method you selected during registration or as a confirmation request in the Duo application.  If you enter the correct code, you will be allowed into the system.  Failed attempts will be handled according to current university account policies and procedures.

4.  Duo Registration

Users will use the Duo self-enrollment process to register their authentication device(s) and install the Duo Mobile application.  Users without a supported device may use a land line phone.  The process guide for registration is located here: http://guide.duosecurity.com/enrollment.

5.  Trust Interval (Grace Period)

Once a user has authenticated through the MFA process on a specific device, that user will not need to use the multi-factor authentication process again for the following time intervals:

Authentication To

Trust Period

Virtual Private network (VPN)

VPN Session (each new connection will require MFA)

Central Authentication Service (CAS)

Up to 1 Day

Outlook Web Application (OWA)

Up to 1 Day

Other services and applications

Consult service or application owner

This grace period will allow users to reconnect to those services from that specific device without presenting a new security code.

6.  Exception Requests

The University Information Security Office (ISO) processes exception requests for IT systems and devices.  Users may request a multi-factor authentication exception for a specific computer (i.e. Kiosk or classroom computer).  Please note that these exceptions are device-specific and NOT user-specific — an exception for your desktop will not exempt your laptop, for example.  Exceptions can be requested via the University policy exception process.

All exception requests must be received from department leadership or the user’s DSP.  ISO staff will respond to requests within 10 business days of receiving them from your department or Distributed Support provider (DSP).  Urgent requests should include any information ISO staff members may need to know prior to evaluating an exception request and must include the text “URGENT” in the subject line.

A. Request Format

Users may request an exception for select computers or devices by addressing the following questions in an e-mail sent to (1) their manager, director or department chair and (2) their DSP, local IT support provider (“IT Partner”) or the ITS Help Desk.

1. Contact your DSP, local IT support provider or Help Desk and ask them to submit an exception request for you.  

2. Include a brief description of the type of data you work with.  Please be certain to indicate if you see patients, handle electronic protected Health Information (ePHI), handle financial data, handle student academic records (e.g. grades or test scores), process credit card payments, deal with Social Security numbers or work with children.

3. Provide the IP address, Mac address, operating system, device name and location of the device.

B. Evaluation of Exception Requests

The ISO will evaluate exceptions by conducting a risk analysis for each request.  The ISO evaluates risk to information security, computing system security and compliance requirements Yale must meet under law, contract or policy; other individuals within the user’s department or the University may be consulted concerning the business or academic need for the exception the user is requesting.  The ISO will determine, at a minimum, if the following base requirements can be met or have been met before approving an exception:

  • The computer, device, or workstation must not be used for processing confidential or sensitive data (e.g. e-PHI, SSNs, Credit Cards)
  • The exception must not place persons, the University, university systems, or the university network at risk
  • If the device is used as a kiosk or in a classroom setting, the computer or device is re-imaged at least quarterly

For additional information, please see the Policy Exception Request webpage.

If the request is granted, the device or computer will be placed on a different segment of the Yale network designed to house devices that do not require multi-factor authentication.

C. Periodic Review and Recertification

Due to the evolving nature of technology and the changing roles of users at the University all requests will be reviewed periodically and at the discretion of the University Information Security Office.  This review will verify that the need stated in the request is still valid and/or that the employee still requires the approved access.

7.  Lost or Stolen Device Procedures

If you have had data stolen, have lost data, have had a device stolen, or believe that an individual has broken into your computer, please follow the instructions at the following cybersecurity website IMMEDIATELY: https://cybersecurity.yale.edu/lostorstolen.

8.  Emergency Access Procedures

ITS shall maintain internal procedures for the processing for emergency access requests if issues arise with the MFA authentication process. Users should contact the ITS Help Desk for access in the event of an emergency.