Multi-Factor Authentication (MFA)

Statement

All privileged and non-privileged individual accounts are required to use multi-factor authentication.

The goals of this procedure are as follows:

  1. To keep personal, private, and confidential information on College-owned or College-managed systems from unauthorized access.
  2. Protect the security, confidentiality, and integrity of computing network accounts.
  3. Protect system administration accounts from misuse.

The goal of multi-factor authentication is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a computing device, network, or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Multi-factor authentication can protect against many common types of attack, such as credential stuffing, credential theft by means such as phishing and keyloggers, and password spraying.

Definitions

MFA: An authentication method or process in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).

Phishing: The sending of fake emails designed to deceive the recipient into sharing their username and password, or to direct them to a fake site used to gather the person's username and password or other personal information.

Credential Stuffing: A type of attack where an attacker uses publicly available username and password combinations found in other breaches in an attempt to gain access to Geneseo accounts.

Password Spray: A type of attack in which an attacker attempts to authenticate to a system using common passwords.

OATH Software Token: Software that displays a code to enter into the login screen as your second factor code, usually found in password managers or "authenticator" apps. Implements RFC 6238.

OATH Hardware Token: A small device, often a key fob, that can generate a code at the press of a button to enter into the login screen as your second factor code. Implements RFC 6238.

SMS (short message service): A text messaging service component of most telephone, Internet, and mobile device systems.

FIDO2: A project to create strong authentication for the web.

Conditional Access: The protection of content by requiring certain criteria to be met before granting access to the content.

Procedure

Multi-Factor Authentication shall be used by all privileged and non-privileged user accounts for system and network access.

All users should register at least two multi-factor authentication methods. Acceptable methods of providing a second factor are: SMS, telephone, Microsoft Authenticator App, third-party authenticator app supporting OATH software token (e.g., 1Password, Authy, Apple iCloud Keychain, Google Authenticator), OATH hardware token, or FIDO2 token (e.g., Yubico Security Key).

All account holders are discouraged from using only a cellular telephone or SMS as a second factor, to avoid losing account access if their device is lost or during international travel. Account holders in high-value positions (e.g., financial, executive leadership, IT admins) are discouraged from using SMS or cellular telephone as a second factor at all.

  1. Multi-factor authentication is device and browser specific.
  2. Multi-factor authentication is not required on every login. It is required on first login from any device or browser. MFA is required again 14 days after the last successful multi-factor login, or after explicitly logging out or deleting cookies.
  3. Multi-factor authentication will be required when the authentication provider suspects a login to be suspicious.
  4. A password change may be required by the authentication provider after repeated suspicious activities.
  5. Passwords are still required at every login or after session timeout.

A default conditional access configuration is applied to new applications. The configuration includes criteria for when and under what circumstances a user must use MFA to access an application or service. An application owner may request a more or less restrictive conditional access configuration. The MFA working group will assess the risk and approve or deny the request.

NIST SP 800-53 rev 5

NIST SP 800-171

  • 3.5.3 Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  • 3.7.5 Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

NYS Policy S14-006

Your Pa$$word Doesn't Matter lays out Microsoft's research across billions of logins, explaining why passwords are insecure and how MFA protects against all but the most targeted attacks.

An Empirical Study of Wireless Carrier Authentication for SIM Swaps is research into how SMS and telephone systems are susceptible to compromise in targeted attacks.

The Snapchat Thief - a podcast describing how SIM swapping occurs against high value targets.

Contact(s)

Paul Jackson
Interim CIO & Director, Computing & Information Technology
jackson@geneseo.edu

Rick Coloccia
Director, Network & Information Security Operations, Computing & Information Technology
coloccia@geneseo.edu