Multifactor Policy
Issuing Office
Information Services
Affected Parties
All University Students, Faculty, Staff and Alumni
Policy Language
Liberty University utilizes multi-factor authentication for network access to privileged accounts and non-privileged accounts.
Policy Rationale
The purpose of this policy is to define requirements for accessing Liberty University’s network and information systems whether on or off campus. These standards are designed to minimize the potential security exposure to Liberty University from damages that may result from unauthorized access of the university’s resources. Multifactor authentication adds a layer of security which helps deter the use of compromised credentials. Cyber criminals and attackers are becoming more advanced in their efforts to not only steal information, but also modify data, delete data, spread malicious code, harvest credentials and distribute spam. No organization regardless of size is exempt from such attacks. Password theft has also been on the rise with the use of methods such as key logging, phishing, and pharming. Requiring an additional layer of authentication helps reduce the risk of a compromise.
For additional information, please visit the University’s Multi-Factor Authentication webpage.
Definition of Glossary Terms
Key logging: Recording a log of keystrokes on a computer in order to gain access to passwords and other confidential information
Multi-factor authentication (MFA): Requiring two or more authentication methods for a secure login. Authentication factors are typically something you know (knowledge factor), something you have (possession factor) and something you are (inherence factor).
Phishing: Sending emails appearing to be from a reputable company in an effort to acquire personal information under false pretenses
Pharming: Sending internet users to a false website that mimics a legitimate one
Procedures
Secure all individual non-console administrative access and all remote access to sensitive data using multi-factor authentication for every session.
Incorporate multi-factor authentication for all network access, both privileged accounts and non-privileged accounts.
- The multi-factor authentication should be device specific and need not be required at every login, but on the first login of any new device, and again every 75 days after initial device multi-factor authentication, or upon suspicious changes to the login session.
- Passwords must still be required at every login or after a session timeout.
Sanctions
None specified
Exceptions
Exceptions for active military personnel can be granted on a case-by-case basis.
No exceptions allowed for Faculty/Staff members.
Initial Approval Date
10/11/2018
Date of Last Review
12/15/2022
Date for Review
12/15/2023