10/27/2022

User authentication policy

Original Issuance Date: September 14, 2016

This document describes the minimum authentication standards that must be met by University of Wisconsin (UW) System institutions.

Responsible UW System Officer
Associate Vice President for Information Security

3.
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

4.
Minimum Password and Passphrase Requirements

For authentication systems that use passwords or passphrases as an authenticator type, the following password and passphrase length requirements represent a minimum standard for UW System accounts. System password and passphrase requirements must also meet or exceed all applicable federal statutes and administrative code, and other applicable industry standards, such as the Payment Card Industry Data Security Standard, that apply to those systems.

Account types:
- Privileged Accounts and accounts with access to high risk data
- Non-interactive/Connector Accounts (Service Accounts)

* Note that whether an account is classified as a user account or a shared account does not affect password and passphrase length requirements.

Additionally, passwords and passphrases must:
- Not contain the account's username or other account identifier.
- Be compared against a dictionary of weak or known passwords, if such functionality natively exists in the authentication system; and
- Enforce history requirements, such that secrets associated with accounts must not be the same as any of the last 24 secrets for that account.

User accounts and shared accounts that are used to access high risk data must use MFA. This requirement does not apply when students are exclusively accessing their own information. Privileged accounts, excluding service accounts, must also use MFA.

Frequency of Password and Passphrase Changes

When MFA is not incorporated into all internet-facing instances where an account is used, passwords and passphrases must be changed on a regular basis, in accordance with the following:

Account Type:
- Non-Interactive/Connector Account (Service Account)

Passwords and passphrases must be changed immediately if a compromise of credentials has been independently discovered, publicly disclosed, or suspected, or if a device has been lost or stolen. This includes discovery of plaintext and/or hashed secrets.

Default, non-unique passwords for accounts that are embedded in new devices or applications must be changed during the initial device or application configuration or, if not technically feasible, within five business days of device or application activation, unless those accounts are locked.

Initial secrets that are provisioned for new user accounts must be changed during first use or, if not technically feasible, within five business days of first use.

Service account secrets and shared account secrets must be changed within five business days when an employee with knowledge of said secrets:
- changes roles where knowledge of the secret is no longer necessary, or
- discontinues employment with the UW System and/or its institutions.

This requirement does not apply for systems that are inaccessible from outside the institution network.

Shared accounts should not be used to access high risk data and should be avoided when accessing moderate risk data.

Periodic reauthentication of sessions must be performed at various time intervals in addition to elapsed periods of user inactivity. Users accessing moderate or high risk data must reauthenticate to the application hosting the data at least once per 12 hours during an extended usage session, regardless of user activity. Reauthentication procedures must be commensurate with the initial authentication process used to access the application. Users must also reauthenticate following any period of inactivity lasting 30 minutes or longer when accessing moderate or high risk data. The session must be terminated (i.e., logged out) when either of these time limits is reached.

Public-facing authentication systems (those that allow authentication from outside institution networks) must include an account lockout mechanism that is triggered after a maximum of 14 invalid password entries. Administrators may choose to have a time-based lockout (minimum 5 minutes) or a hard lockout which requires the user to follow a process to reset their secret. Alternatively, risk-based or adaptive authentication techniques may be used to identify user behavior that falls within, or outside of, typical norms, and enforce lockouts accordingly.
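The session, lockout and password-composition rules above, as an added example that is not part of the policy or of any UW System code; the function names, the sha256 stand-in for the system's own password hash, and the sample inputs in the test are assumptions:

```python
import hashlib
from dataclasses import dataclass
from typing import Optional
# Limits as stated in the policy text above.
INACTIVITY_LIMIT = 30 * 60      # reauthenticate after 30 minutes of inactivity
ABSOLUTE_LIMIT = 12 * 60 * 60   # reauthenticate at least once per 12 hours
MAX_FAILURES = 14               # lock out after at most 14 invalid entries
LOCKOUT_SECONDS = 5 * 60        # time-based lockout, policy minimum of 5 minutes
HISTORY_DEPTH = 24              # new secret must differ from the last 24 secrets

@dataclass
class Session:
    auth_time: float      # last successful (re)authentication, epoch seconds
    last_activity: float  # last request seen on this session, epoch seconds

def session_state(s: Session, now: float) -> str:
    """Return 'ok', or the reason the session must be logged out for reauthentication."""
    if now - s.auth_time >= ABSOLUTE_LIMIT:
        return "expired_12h"          # applies regardless of user activity
    if now - s.last_activity >= INACTIVITY_LIMIT:
        return "expired_inactive"
    return "ok"

@dataclass
class Lockout:
    failures: int = 0
    locked_until: float = 0.0
    def record_failure(self, now: float) -> bool:
        """Count one invalid password entry; True when the account is locked."""
        if now < self.locked_until:
            return True               # still locked; further attempts are not counted
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0         # counter restarts once the lockout elapses
            return True
        return False

def digest(secret: str) -> str:
    # Hypothetical stand-in for the system's own password hash; used only for history comparison.
    return hashlib.sha256(secret.encode()).hexdigest()

def password_rejection(secret: str, username: str, weak: set, history: list) -> Optional[str]:
    """Return why a candidate secret violates the policy rules, or None if it is acceptable."""
    if username.lower() in secret.lower():
        return "contains_username"
    if secret.lower() in weak:        # weak/known-password dictionary, where the system has one
        return "weak_or_known"
    if digest(secret) in history[-HISTORY_DEPTH:]:
        return "reused"
    return None
```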