Multi-Factor Authentication Policy

Title: Multi-Factor Authentication Policy
Policy Owner: Information Technology Services / Chief Information Security Officer
Applies to: All Workforce Members, Students
Campus Applicability: All UConn Campuses, except UConn Health
Approval Date: March 4, 2026
Effective Date: March 9, 2026
For More Information, Contact: UConn Information Security Office
Contact Information: techsupport@uconn.edu or security@uconn.edu
Official Website: https://security.uconn.edu/

PURPOSE

To help prevent unauthorized access to University information systems.

DEFINITIONS

Hardware Token: A small hardware device that serves as a second authentication mechanism either in place of or in addition to an MFA mobile app.

University Information System: Devices and/or components managed or contracted by the University for collecting, storing, and processing data and for providing information, knowledge, and/or digital products. For purposes of this policy, information technology devices and components managed exclusively by UConn Health are not considered University Information Systems.

Multi-Factor Authentication (MFA): MFA is a method of system access control in which a user is granted access only after successfully providing at least two pieces of authentication, usually including knowledge (something the user knows such as a password), possession (something the user has such as a token generator), or inherence (something the user is such as the use of biometrics).

POLICY STATEMENT

Users of University Information Systems must adhere to Multi-Factor Authentication (MFA) requirements, where available, to ensure authorized access to University Information Systems and protected or confidential data.

University Information Systems must include effective MFA protections for authentication unless granted an exception from this policy by the Information Security Office (ISO). The Information Security Office (ISO) may mandate implementation of MFA for any University Information System.

The Information Security Office is authorized to publish and maintain any necessary standards, procedures, and guidelines to effectuate and enforce this policy.

MULTI-FACTOR AUTHENTICATION PROCEDURES

User Requirements

  1. Users must maintain a device that can receive MFA authentication requests in a secure manner via a University approved mobile app or another mechanism, such as SMS, phone, or Hardware Token.
  2. When an attempt is made to access an MFA-protected system or application, the system will challenge the user by requesting a second factor of authentication, which may include an acknowledgement of a push notification via a University approved MFA mobile app, a code via SMS, or a Hardware Token.
  3. If users receive an MFA notification when not conducting a recent authentication, the authentication shall be denied and immediately reported to the Technology Support Center. Users shall update their NetID password, or credential associated with the authentication, if they reasonably believe their password is compromised.
  4. Users may not approve MFA requests for another user’s account or register a device for MFA which is not within their individual control.

Frequency or Type of User Challenges

The frequency with which a user may be challenged, or the type of challenge, depends on both policy and use.

  • Policy based – depending on information being accessed, more frequent authentications may be required.
  • Usage based – While user challenges may be “remembered” for a period of time, use of other hardware, browsers, or other behaviors may trigger additional verification using a second factor.

Lost or Stolen Devices

If a user’s registered multi-factor device is lost, stolen, or the user has reason to suspect their UConn NetID has been compromised, the user must contact the Technology Support Center immediately. As a precaution, they should change their NetID password at netid.uconn.edu.

Off-Hours and Emergency Access to Systems and Applications

UConn Information Technology Services will maintain internal procedures for processing emergency access requests if issues arise with the multi-factor authentication process. Users should contact the Technology Support Center for additional information.

Use of Automated Systems

Automated systems that intend to interfere with the approval component of multi-factor authentication are hereby prohibited.

ENFORCEMENT

Users may not attempt to circumvent login procedures, including multi-factor authentication, on any computer system or otherwise attempt to gain unauthorized access. Attempts to circumvent login procedures may subject individuals to disciplinary action. Financial losses incurred due to the use of multi-factor circumvention techniques are the responsibility of the user, and the University may seek financial restitution from users who violate this policy.

Violations of this policy and any related procedures may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the University of Connecticut Student Code.

EXCEPTIONS

ITS will review and document any requests for exceptions to this standard. ITS will also have available solutions for the intermittent failure of various second factors, which may include the allowance of temporary access codes upon verification of an individual’s identity.

PROCEDURES/FORMS

Questions about this policy or suspected violations may be reported to any of the following:

Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)

Information Security Office – https://security.uconn.edu

POLICY HISTORY

Policy created: March 29, 2023 (Approved by Senior Policy Council)

Revisions: March 4, 2026 (Approved by the Senior Policy Council and President)