Find Policy by Category
Academic Affairs

Click here to view policies by affected party

Click here to view restricted faculty-only policies

Click here to view policies by issuing office

Multifactor Policy

Policy Information

Issuing Office

Information Services

Affected Parties

All University Students, Faculty, Staff and Alumni

Policy Language

Liberty University utilizes multi-factor authentication for network access to privileged accounts and non-privileged accounts.

Policy Rationale

The purpose of this policy is to define requirements for accessing Liberty University’s network and information systems whether on or off campus. These standards are designed to minimize the potential security exposure to Liberty University from damages that may result from unauthorized access of the university’s resources. Multifactor authentication adds a layer of security which helps deter the use of compromised credentials. Cyber criminals and attackers are becoming more advanced in their efforts to not only steal information, but also modify data, delete data, spread malicious code, harvest credentials and distribute spam. No organization regardless of size is exempt from such attacks. Password theft has also been on the rise with the use of methods such as key logging, phishing, and pharming. Requiring an additional layer of authentication helps reduce the risk of a compromise.

For additional information, please visit the University’s Multi-Factor Authentication webpage.

Definition of Glossary Terms

Key logging: Recording a log of keystrokes on a computer in order to gain access to passwords and other confidential information

Multi-factor authentication (MFA): Requiring two or more authentication methods for a secure login. Authentication factors are typically something you know (knowledge factor), something you have (possession factor) and something you are (inherence factor).

Phishing: Sending emails appearing to be from a reputable company in an effort to acquire personal information under false pretenses

Pharming: Sending internet users to a false website that mimics a legitimate one

Procedural Information

Procedures

Secure all individual non-console administrative access and all remote access to sensitive data using multi-factor authentication for every session.

Incorporate multi-factor authentication for all network access, both privileged accounts and non-privileged accounts.

  1. The multi-factor authentication should be device specific and need not be required at every login, but on the first login of any new device, and again every 75 days after initial device multi-factor authentication, or upon suspicious changes to the login session.
  2. Passwords must still be required at every login or after a session timeout.

Sanctions

None specified

Exceptions

Exceptions for active military personnel can be granted on a case-by-case basis.

No exceptions allowed for Faculty/Staff members.

Initial Approval Date

10/11/2018

Date of Last Review

12/15/2022

Date for Review

12/15/2023