A newer version of this procedure was approved on October 4, 2019. It will become effective on March 17, 2020. Please familiarize yourself with the new procedure. Further communication will occur prior to the effective date. The version of the procedure below is the prior version, which remains in effect until March 17, 2020.
Original Issuance Date: September 14, 2016
Last Revision Date: January 9, 2019
1. Purpose of Procedures
The purpose of these procedures is to define the specific authentication methods employed in the day-to-day operations of systems that are subject to the information security policies of the University of Wisconsin System.
2. Responsible UW System Officer
UW System Associate Vice President (AVP) for Information Security
3. Definitions
Authentication: The process of verifying that someone who holds an account on an information technology system is who they purport to be.
Multi-Factor Authentication: Multiple forms of authentication used to increase the likelihood that the login credentials are from the individual to whom they were assigned. The types of credentials typically fall into three categories: something you know, such as a PIN or password; something you have, such as a one-time passcode generator, token or smart card; or something you are, such as a fingerprint or other biometric.
Level of Assurance: The degree of confidence that someone who holds an account on an information technology system is who they purport to be.
Level of Assurance 2: National Institute of Standards and Technology (NIST) Special Publication 800-63 Level of Assurance 2 (LOA 2) authentication requires a strong password and that the account holder’s identity has been validated.
Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.
High Risk Data: Data assets classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.
Compensating Control: A data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement and that meets the intent and rigor of the original control.
Institutions: All research and comprehensive UW System universities and associated branch campuses, UW Shared Services, and UW System Administration.
4. Procedures
These procedures establish a minimum baseline for authentication to all current and future systems. It may be permissible to substitute a compensating control for a particular item below provided it meets the rigor and intent of the original control. Compensating controls and their rationale shall be documented in writing and submitted by the institutional CIO to the UW System Chief Information Security Officer (CISO) for review. If there are any concerns, the institutional CIO and UW System CISO will engage with subject matter experts as needed. Upon recommendation by the UW System CISO, in concurrence with the UW System CIO, the compensating control will be routed to the UW System AVP for Information Security for approval. Resolution will be forwarded to the institutional CIO.
At a minimum, authentication systems shall adhere to the following:
i. Authentication systems used by the UW System for access to moderate and high risk data that employ passwords must meet LOA2 entropy requirements as calculated by the NIST SP 800-63 Password Checker worksheet. Any permutation of password complexity and password rules that meets or exceeds NIST LOA2 entropy requirements is acceptable for the purpose of this procedure. The password features that can be adjusted are as follows:
- Number of Characters
- Use of Password complexity
- Dictionary Check
- Lockout Duration
- Allowed Failed Attempts
- Password Lifespan
Below are examples of LOA 2 compliant password rule sets; each column is one complete set. The list is non-exhaustive, and any combination of rules that meets LOA 2 entropy may be used.
|Parameter|Example 1|Example 2|Example 3|
|Number of Characters|10|12|14|
|Lockout Duration|45 M|30 M|15 M|
|Password Lifespan|60 D|180 D|90 D|
(M = minutes; H = hours; D = days)
- Password parameters shall also meet or exceed all applicable federal and state statutes and other applicable industry standards, such as the Payment Card Industry Data Security Standard.
- Passwords may not contain a string of characters that is identical in whole to the account holder’s login ID.
- Password history requirements are enforced such that either:
- A user-defined password associated with a user account cannot be the same as any of the last four passwords used for that account within the previous year; or
- A user-defined password associated with a user account cannot be the same as any of the last 24 passwords for that account.
- Passwords associated with any user account must not be older than 180 days.
- Default passwords that are provided for new user accounts shall be changed either on the first use or, if that is not technically feasible, within five business days.
- Default passwords that are embedded in new devices or applications shall be changed upon first use or, if that is not technically feasible, within five business days.
- The inactivity period for accounts accessing moderate and high risk data will be set to 30 minutes or less, after which time the account holder shall re-authenticate.
- Individuals with access to moderate and high risk data shall not use a shared account. If, due to system limitation or problems, the shared account must be used, the institution shall establish procedures for documenting, approving, and monitoring the use of the shared account.
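The LOA 2 check in item i above combines two things: an estimate of the password's guessing entropy from its length, complexity rule and dictionary check (NIST SP 800-63 version 1, Appendix A), and the number of online guesses the lockout duration, allowed failed attempts and password lifespan leave to an attacker. The following is an added illustration of that calculation, written for this page; it is not the "NIST SP 800-63 Password Checker worksheet" the procedure refers to, nor UW System code. It assumes: the LOA 2 target is an online-guessing success probability of at most 2^-14 over the life of the password (the Level 2 requirement in SP 800-63 version 1, section 8.2.2); the Appendix A per-character figures (4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for 9 to 20, 1 bit thereafter, plus 6 bits for a composition rule); a dictionary-check bonus that rises to 6 bits and declines to 0 at 20 characters, whose exact shape is a fit to Appendix A's Table A.1 and is an assumption here; that the attacker is limited only by the lockout; and, because the procedure's table does not state the allowed failed attempts, a value of 5 per lockout window.

```python
"""Added example: NIST SP 800-63 (version 1) Appendix A style guessing-entropy
estimate for user-chosen passwords, combined with the online-guessing budget
implied by lockout settings, to check a rule set against the LOA 2 target.
Not the procedure's worksheet; values marked ASSUMPTION are this example's own."""
import math

# SP 800-63 v1, section 8.2.2: online guessing success over the password's
# life must be at most 2^-14 for Level 2 (and 2^-10 for Level 1).
LOA2_TARGET_BITS = 14
LOA1_TARGET_BITS = 10


def dictionary_bonus(length):
    """Up to 6 bits for an extensive dictionary check, declining to 0 at 20
    characters (Appendix A.2.1). ASSUMPTION: the shape used here (ramp to 6 bits
    by length 6, flat through 8, then 0.5 bit less per character to 0 at 20)
    is a fit to Table A.1, not a formula the guideline states."""
    if length >= 20:
        return 0.0
    if length <= 8:
        return float(min(length, 6))
    return 6.0 - 0.5 * (length - 8)


def estimate_entropy(length, composition_rule=False, dictionary_check=False):
    """Appendix A.2.1 estimate (in bits) for a user-chosen password."""
    if length < 1:
        return 0.0
    bits = 4.0                               # first character
    bits += 2.0 * min(length - 1, 7)         # characters 2 to 8
    if length > 8:
        bits += 1.5 * min(length - 8, 12)    # characters 9 to 20
    if length > 20:
        bits += 1.0 * (length - 20)          # characters 21 and beyond
    if composition_rule:
        bits += 6.0                          # upper case plus non-alphabetic required
    if dictionary_check:
        bits += dictionary_bonus(length)
    return bits


def online_guess_budget(lifespan_days, lockout_minutes, allowed_failed_attempts):
    """Worst-case number of online guesses during the password's life, assuming
    every lockout window lets the attacker spend allowed_failed_attempts guesses
    and nothing else throttles the attacker (ASSUMPTION)."""
    windows = lifespan_days * 24 * 60 / lockout_minutes
    return windows * allowed_failed_attempts


def required_bits(guess_budget, target_bits=LOA2_TARGET_BITS):
    """Entropy needed so that guess_budget * 2^-entropy <= 2^-target_bits."""
    return target_bits + math.log2(guess_budget)


def check_rule_set(length, lockout_minutes, lifespan_days, allowed_failed_attempts,
                   composition_rule=True, dictionary_check=True):
    """Compare the entropy a rule set yields with the entropy its lockout
    settings require; returns both figures and the LOA 2 verdict."""
    have = estimate_entropy(length, composition_rule, dictionary_check)
    need = required_bits(online_guess_budget(lifespan_days, lockout_minutes,
                                             allowed_failed_attempts))
    return {"entropy_bits": have, "required_bits": round(need, 2),
            "meets_loa2": have >= need}


if __name__ == "__main__":
    # The three rule sets from the procedure's table. The table does not give
    # allowed failed attempts, so ASSUMPTION: 5 per lockout window.
    for length, lockout, lifespan in ((10, 45, 60), (12, 30, 180), (14, 15, 90)):
        print(length, "chars, lockout", lockout, "min, lifespan", lifespan, "days:",
              check_rule_set(length, lockout, lifespan, 5))
    # Dropping the composition rule from the 10-character set leaves 26 bits
    # against roughly 27.2 required, which is why the procedure lets you trade
    # length, complexity, dictionary checks and lockout against each other.
    print("10 chars, no composition rule:", check_rule_set(10, 45, 60, 5, composition_rule=False))
```

The interesting edge is the first rule set: at 10 characters with a 45-minute lockout over 60 days, the composition rule and dictionary check together are what carry it over the LOA 2 line, so a rule set that relaxes either of them has to compensate with more length or a stricter lockout. Allowed failed attempts is the parameter the procedure lists but the table omits; halving it buys one bit of headroom.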
ii. Access for staff members who have been discharged shall be revoked immediately. The institution may work with the former employee to arrange appropriate access to data for a limited period of time.
iii. Access rights for staff members who have changed roles or responsibilities shall be updated immediately. Passwords shall be changed if necessary.
iv. If the account credentials of a user or system have been disclosed or otherwise compromised, the password shall be changed immediately.
v. Each UW System institution should have appropriate controls in place to provide reasonable assurance that both end users and those with administrative privileges:
- Do not use the same password for more than one account;
- Are trained in detecting social engineering practices, which are designed to steal account credentials;
- Are trained in techniques to create strong passwords;
- Understand passwords are never to be communicated via writing, telephone, e-mail, or instant messaging; and
- Are trained to not use easily guessed passwords or passwords that could be easily compromised through a brute force attack.
vi. Authentication for users with access to high risk information shall employ multi-factor authentication mechanisms and commensurate controls to
- Ensure integrity of the credentialing process;
- Secure control of the credentials (i.e., devices); and,
- Define when and how the credential is de-authorized.
5. Related Documents
Regent Policy Document 25-5 – Information Security
UW System Administrative Policy 1030, Information Security: Authentication
UW System Administrative Policy 1031, Information Security: Data Classification and Protection
NIST Special Publication 800-63 version 1 Electronic Authentication Guideline
Information Security Compensating Control Request Form
6. History
Revision 3: January 9, 2019
Revision 2: January 25, 2018
Revision 1: July 31, 2017
First approved: September 14, 2016