Information Security Docs

Multi-Factor Authentication Standard

1. Purpose

This standard establishes minimum requirements, aligned with current security best practices and developed in response to UTS-165 4.7, to ensure the confidentiality and integrity of UTRGV confidential data.

Adherence to this standard enhances the protection of University information resources against unauthorized access by providing an additional layer of security. These minimum requirements complement all other UTRGV policies as well as applicable federal and state regulations governing the protection of UTRGV’s data.

2. Scope

This standard applies to the implementation of multi-factor authentication, which verifies user identity through multiple forms of evidence to ensure that only authorized users access sensitive information.

3. Audience

All faculty, staff, student employees, retirees, ex-employees, contractors, and vendors who access, view, or edit confidential data or other critical university resources.

4. Authority

  • UTS 165

5. Definitions

MFA
Multi-Factor Authentication, or MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that requires two pieces of evidence, or credentials, when logging in to an account.

Credentials fall into any of the following three categories:

  • Something you know, such as a password or PIN

  • Something you have, such as a smart card

  • Something you are, such as your fingerprint

Remote Access
Access to University Information Resources that originates from a remote location.

Remote Location
A location outside the physical UTRGV network boundary of the institution, inclusive of University leased or rented properties and locations within the University’s compliance environment.

6. Standard Details

MFA is required in the following situations:

a. When an employee or other individual providing services on behalf of the University, such as a student employee, contractor, or volunteer, logs on to a University network using an enterprise remote access gateway such as VPN, Terminal Server, Connect, Citrix, or similar services.

b. When remotely accessing an online function, such as a web page, to view or modify employee banking, tax, or financial information.

c. When a server administrator or other individual uses administrator credentials to access a server that contains or has access to confidential University data.

d. When an individual described in item 6.a is remotely accessing a web-based interface to University email or an application that houses confidential University data, as defined by the UTRGV Data Classification Standard. Effective 7/31/2021.

7. Exemptions and Non-Compliance

Exemptions must be requested and submitted to the Information Security Office.

Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit or Compliance.

University of Texas Rio Grande Valley employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to University and System rules and regulations, University of Texas Rio Grande Valley employees are required to comply with state laws and regulations.

  • UT System UTS 165 Information Resources Use and Security Policy

  • UTS 165 Standard 4: Access Management

  • Data Classification Standard

  • Center for Internet Security: Two-Factor Authentication Newsletter

  • NIST Back to Basics: Multi-Factor Authentication MFA