Multifactor Policy

Issuing Office

Information Technology

Affected Parties

All University Students, Faculty, Staff

Policy Language

Liberty University utilizes multi-factor authentication for network access to privileged accounts and non-privileged accounts.

Policy Rationale

The purpose of this policy is to define requirements for accessing Liberty University’s network and information systems whether on or off campus. These standards are designed to minimize the potential security exposure to Liberty University from damages that may result from unauthorized use of the university’s resources. Multifactor authentication adds a layer of security which helps deter the use of compromised credentials. Cyber criminals and hackers are becoming more clever in their efforts to not only steal information, but also modify data, remove data entirely, or spread malicious code, propaganda and spam. No organization is too big or small for such an attack. Password theft has also been on the rise with the use of methods such as key logging, phishing, and pharming. Requiring an additional layer of authentication will help alleviate the risk of a breach.

Definition of Glossary Terms

Key logging: Recording a log of keystrokes on a computer in order to gain access to passwords and other confidential information

Multi-factor authentication (MFA): Requiring two or more authentication methods for a secure login. Authentication factors are typically something you know (knowledge factor), something you have (possession factor) and something you are (inherence factor)

National Institute of Standards and Technology Cybersecurity Framework (NIST CSF): Provides a policy framework of computer security guidance for how private sector organizations in the United States can access and improve their ability

Pharming: Sending internet users to a false website that mimics a legitimate one

Phishing: Sending emails appearing to be from a reputable company in an effort to acquire personal information under false pretenses



Secure all individual non-console administrative access and all remote access to sensitive data using multi-factor authentication for every session. 

Incorporate multi-factor authentication for all network access, both regular users and administrators, and including third-party access for support or maintenance originating from inside or outside Liberty’s network. 

1. The multi-factor authentication should be device specific and need not be required at every login, but on the first login of any new device, and again every 30 days after initial device multi-factor authentication, or upon suspicious changes to the login session. 

2. Passwords must still be required at every login or after a session timeout.


Not specified