Standard and Process
Authentication is the process of verifying that a person or account is who it claims to be. There are three common factors of authentication:
- something you know (knowledge of a secret such as a password, passphrase or PIN),
- something you have (possession of an object such as a smart card, hardware token or digital certificate), and
- something you are (a physical characteristic of the person such as a fingerprint or retinal pattern).
Single-factor authentication uses a single factor of authentication (e.g., something you know) to verify the identity of the user/account requesting access to resources. A user login ID with a password, passphrase or PIN is single-factor authentication. Requiring several passwords or PINs is still single-factor authentication, because every credential comes from the same factor (something you know).
Multi-factor authentication uses two or more distinct factors of authentication (e.g., something you know and something you have) to verify the identity of the user/account requesting access to resources. A user login ID and password used in conjunction with a hardware token or phone is two-factor authentication.
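The following is an added illustration of the two definitions above; it is not part of the standard. It assumes a hypothetical user record holding a password, a PIN (both "something you know") and a TOTP secret enrolled on the user's phone ("something you have", implemented here as RFC 6238 time-based one-time passwords). Each presented credential is verified and then mapped to its factor, so a login that presents a password and a PIN is accepted as valid but counts as only one factor, while a password plus a phone code counts as two.

```python
import base64
import hashlib
import hmac
import os
import struct

# The three factor categories named in the standard.
KNOW = "something you know"
HAVE = "something you have"
ARE = "something you are"

# Which factor each credential type belongs to (assumed mapping for this example).
CREDENTIAL_FACTOR = {"password": KNOW, "pin": KNOW, "totp": HAVE}

PBKDF2_ROUNDS = 100_000  # assumed work factor for the password/PIN hashes


def _hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, pin: str, totp_secret: bytes) -> dict:
    """Hypothetical user record: salted hashes of the knowledge secrets
    plus the raw TOTP seed that was enrolled on the user's phone app."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "password_hash": _hash_secret(password, salt),
        "pin_hash": _hash_secret(pin, salt),
        "totp_secret": totp_secret,
    }


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the given time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_knowledge(user: dict, field: str, value: str) -> bool:
    """Constant-time comparison of a password or PIN against its stored hash."""
    return hmac.compare_digest(_hash_secret(value, user["salt"]), user[field])


def check_totp(user: dict, code: str, now: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock skew)."""
    return any(
        hmac.compare_digest(totp(user["totp_secret"], now + d * 30), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


def authenticate(user: dict, credentials, now: int):
    """credentials: list of (kind, value) pairs, kind in CREDENTIAL_FACTOR.

    Returns (all_valid, factors_satisfied). Any invalid or unknown credential
    fails the whole attempt; otherwise the set of distinct factors is returned
    so the caller can decide whether the login meets a multi-factor requirement."""
    factors = set()
    for kind, value in credentials:
        if kind == "password":
            ok = check_knowledge(user, "password_hash", value)
        elif kind == "pin":
            ok = check_knowledge(user, "pin_hash", value)
        elif kind == "totp":
            ok = check_totp(user, value, now)
        else:
            ok = False
        if not ok:
            return False, set()
        factors.add(CREDENTIAL_FACTOR[kind])
    return True, factors


def is_multi_factor(factors) -> bool:
    """Two or more distinct factors, not merely two or more credentials."""
    return len(factors) >= 2


if __name__ == "__main__":
    # Constructed sample: RFC 6238's test seed, so codes can be checked by hand.
    seed = b"12345678901234567890"
    user = make_user("correct horse battery", "4821", seed)
    now = 59  # RFC 6238 test time; its 6-digit SHA-1 code is 287082
    phone_code = totp(seed, now)

    ok, f = authenticate(user, [("password", "correct horse battery"), ("pin", "4821")], now)
    print("password + PIN:", ok, sorted(f), "MFA:", is_multi_factor(f))
    ok, f = authenticate(user, [("password", "correct horse battery"), ("totp", phone_code)], now)
    print("password + phone code:", ok, sorted(f), "MFA:", is_multi_factor(f))
```

The only rule that matters for the standard's distinction is in is_multi_factor: it counts distinct factor categories, so adding a second knowledge secret never upgrades a login to multi-factor, whereas a valid phone code alongside the password does.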
Use multi-factor authentication in situations that need a stronger form of authentication.
IT staff are responsible for working with users, data owners and service directors to identify where multi-factor or single-factor authentication is needed.
Users, data owners and service directors are responsible for working with IT staff to properly use the appropriate authentication(s) for their support or user role(s).
- This standard is based on the principles of ISO/IEC 27002:2005.
Document Owner: University Information Security
Document Approvers: Brian Dahlin, Chief Information Security Officer; Patton Fast, University Enterprise Architect
Effective Date: August 2010
Last Reviewed Date: November 2014