Original Issuance Date: September 14, 2016
Last Revision Date: September 14, 2016

1. Purpose of Procedures

The purpose of these procedures is to define the specific authentication methods employed in the day-to-day operations of systems that are subject to the information security policies of the University of Wisconsin System.

2. Responsible UW System Officer

UW System Chief Information Officer (CIO)

3. Definitions

Authentication: The process of verifying that someone who holds an account on an IT system is who they purport to be.

Level of Assurance: The degree of confidence that someone who holds an account on an IT system is who they purport to be.

Level of Assurance 2: National Institute of Standards and Technology (NIST) Special Publication 800-63 level of assurance 2 authentication requires a strong password and that the account holder’s identity has been validated.

Level of Assurance 3: National Institute of Standards and Technology (NIST) Special Publication 800-63 level of assurance 3 requires a strong password, and that the account holder’s identity has been validated, and that a second factor (such as an external device or biometrics) is used for authentication.

Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.

High Risk Data: Data assets classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification.

Compensating Control: A data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement and that meets the intent and rigor of the original control.

Institutions: All four year campuses of the UW System, UW Colleges, the University of Wisconsin-Extension, and UW System Administration.

4. Procedures

These procedures establish a minimum baseline for authentication to all current and future systems. It may be permissible to substitute a compensating control for a particular item below provided it meets the rigor and intent of the original control. Compensating controls and their rationale must be documented in writing and submitted by the institutional CIO to the UW System CIO for approval. If there are any concerns, the two CIOs will engage with subject matter experts as needed. Resolution will be documented by the UW System CIO and forwarded to the institutional CIO.

At a minimum, authentication systems must adhere to the following:

  1. Authentication systems used by the UW System for access to moderate and high risk data that employ passwords must meet these requirements:
    1. Passwords must be at least 12 characters long
    2. Passwords must include characters from any 3 of the following 4 categories:
      • Uppercase letters: e.g. A – Z
      • Lowercase letters: e.g. a – z
      • Digits: e.g. 0 – 9
      • Non-alphanumeric characters: e.g. ~ ` @ # $ % ^ & * ( ) + = \ | [ ] { } ? < >
    3. Passwords may not contain a string of characters that is identical in whole to the account holder’s login ID.
    4. Password history requirements are enforced such that either:
      • A user defined password associated with a user account cannot be the same as any of the last four passwords used for that account within the previous year; or
      • A user defined password associated with a user account cannot be the same as any of the last 99 passwords for that account.
    5. Passwords associated with any user account must not be older than 180 days.
    6. Default passwords for user accounts must be changed either on the first use or, if that is not technically feasible, within thirty days of the first use.
    7. Accounts must be temporarily locked after 7 incorrect password login attempts. Accounts can be automatically unlocked after a period of not less than 30 minutes.
    8. Accounts with access to moderate and high risk data must re-authenticate after 30 minutes of inactivity.
    9. Individuals with access to moderate and high risk data must not use a shared account. If, due to a system limitation or problem, a shared account must be used, the campus must establish procedures for documenting, approving, and monitoring the use of the shared account.
  2. The current NIST entropy calculator must be used to determine the strength of the password, which must meet LOA2 requirements.
  3. Access for staff members that have been discharged must be revoked immediately. The University will work with the former employee to arrange appropriate access to data for a limited period of time.
  4. If the account credentials of a user or system have been disclosed or otherwise compromised, the password must be changed immediately.
  5. Each UW System institution should have appropriate controls in place to provide reasonable assurance that both end users and those with administrative privileges:
    1. Do not use the same password for more than one account;
    2. Are trained in detecting social engineering practices, which are designed to steal account credentials;
    3. Are trained in techniques to create strong passwords;
    4. Are advised to never write down a password, or communicate a password by telephone, e-mail, or instant messaging; and
    5. Are trained to not use easily guessed passwords or passwords that could be easily compromised through a brute force attack.
  6. Authentication for users with access to high risk information must employ multi-factor authentication mechanisms and commensurate controls to
    1. Ensure integrity of the credentialing process;
    2. Secure control of the credentials (i.e., devices); and,
    3. Determine the de-authorization of the credential.
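The password rules in item 1 above (length, character categories, login ID containment, history option (a), and the lockout in rule 7) as an added, constructed example of how a system could enforce them; this is illustrative code, not part of the procedure, and the sample login ID, passwords, and the SHA-256 digest used for history comparison are assumptions for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Thresholds from section 4, item 1 of the procedure.
MIN_LENGTH, MIN_CATEGORIES = 12, 3
HISTORY_DEPTH, HISTORY_WINDOW = 4, timedelta(days=365)      # rule 4, option (a)
LOCKOUT_ATTEMPTS, LOCKOUT_PERIOD = 7, timedelta(minutes=30)  # rule 7

def pw_digest(pw: str) -> str:
    # Simplified verifier used only for history comparison (an assumption of this
    # example); a real directory compares against its own salted, slow password hash.
    return hashlib.sha256(pw.encode()).hexdigest()

def category_count(pw: str) -> int:
    """How many of the four character categories (rule 2) the password uses."""
    return sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

def check_new_password(pw: str, login_id: str, history, now: datetime) -> list:
    """history: (digest, set_at) pairs for earlier passwords, newest first.
    Returns the violated rules; an empty list means the password is compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("rule 1: fewer than 12 characters")
    if category_count(pw) < MIN_CATEGORIES:
        problems.append("rule 2: fewer than 3 of 4 character categories")
    if login_id.lower() in pw.lower():
        problems.append("rule 3: contains the login ID")
    recent = [d for d, t in history if now - t <= HISTORY_WINDOW][:HISTORY_DEPTH]
    if pw_digest(pw) in recent:
        problems.append("rule 4: matches one of the last four passwords this year")
    return problems

class LockoutTracker:
    """Rule 7: lock after 7 failed attempts; auto-unlock no sooner than 30 minutes."""
    def __init__(self):
        self.failures, self.locked_at = 0, None
    def is_locked(self, now: datetime) -> bool:
        if self.locked_at is not None and now - self.locked_at < LOCKOUT_PERIOD:
            return True
        self.locked_at = None       # lockout period elapsed (or never set): clear it
        return False
    def record_attempt(self, success: bool, now: datetime) -> None:
        if self.is_locked(now):
            return                  # attempts made while locked are not counted
        self.failures = 0 if success else self.failures + 1
        if self.failures >= LOCKOUT_ATTEMPTS:
            self.failures, self.locked_at = 0, now
```

Rule 5 (180-day maximum age) and history option (b) (last 99 passwords) are the same shape of comparison and are left out here for brevity.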

5. Related Documents

Regent Policy Document 25-5 – Information Security
UW System Administrative Policy 1030, Information Security: Authentication
UW System Administrative Policy 1031, Information Security: Data Classification
NIST Special Publication 800-63 Electronic Authentication Guideline

6. History

First approved: September 14, 2016