Overview
The university requires multi-factor authentication (MFA) to access sensitive University systems and data. This includes information classified as High Risk (Red) or Moderate Risk (Amber), such as student records, HR files, financial information, and other regulated data.
Employees may choose one of the following authentication methods:
Using a personal device is optional. If you choose this option, you must meet the security requirements outlined below.
Your Responsibilities When Using a Personal Device
If you use a personal device for MFA, you are responsible for maintaining its security and keeping it up to date.
Your device must:
- Have at least a four-digit PIN or passcode enabled
- Automatically lock after a period of inactivity
- Have encryption enabled to protect data stored on the device
- Be supported by the manufacturer and capable of receiving updates
Security updates must be installed within 15 days of release. If the device has not been used for some time, it must be fully updated before it is used again for authentication.
You are accountable for all activity performed using your university credentials.
If your device is lost, stolen, or misplaced, you must immediately:
Checking your compliance
iOS
Verify Device Lock
- Open Settings
- Select Face ID & Passcode or Touch ID & Passcode
- Confirm that:
  - Passcode is Enabled
  - Passcode length is at least four digits (six or more digits or an alphanumeric passcode is recommended)
Verify Auto Lock
- Open Settings
- Select Display and Brightness
- Select Auto Lock
- Ensure auto-lock is set to a reasonable time (30 seconds, 1 minute, 2 minutes)
Verify Encryption
iOS devices are encrypted automatically when a passcode is enabled.
To confirm:
- Ensure a passcode is set (see Verify Device Lock above)
- If a passcode is enabled, encryption is active by default
No additional configuration required
Verify Device Support Status
- Open Settings
- Select General > About
- Note:
  - iOS version
  - Device model
Compliant if: Your device can receive the latest iOS updates from Apple
Not compliant if: Device no longer receives iOS security updates (end‑of‑life hardware)
Verify Recent Security Updates
- Open Settings
- Select General > Software Update
- Install any available updates
Compliant if: Updates are installed promptly (within 15 days of release)
Android
Note: Android menu names may vary slightly depending on manufacturer (Samsung, Google Pixel, etc.).
Verify Device Lock
- Open Settings
- Select Security or Security & privacy
- Select Device Unlock
- Confirm that:
  - PIN or Passcode is Enabled
  - PIN or Passcode length is at least four digits (six or more digits or an alphanumeric passcode is recommended).
Verify Auto Lock
- Open Settings
- Select Display or Display & Touch
- Select Screen Timeout or Auto‑Screen Off.
- Ensure timeout is set to a reasonable time (30 seconds, 1 minute, 2 minutes)
- Then, go back to Settings
- Select Security or Security & privacy
- Select Device Unlock
- Select Screen Lock
- Select Lock After Screen Timeout
- Set to immediately or five seconds after screen timeout.
Verify Encryption
- Open Settings.
- Select Security or Security & Privacy.
- Select More Security and Privacy
- Select Encryption or Encryption and Credentials
- You should see:
  - Encrypted or File‑based encryption active
- If it says Not encrypted, you must encrypt the device (option will appear as Encrypt phone).
Verify Device Support Status
Your device must be supported by the manufacturer and able to receive updates, and security updates must be installed within 15 days of release.
- Open Settings.
- Select Security or Security & Privacy.
- Select System and Updates
- Note:
  - Android version
  - Device model
Compliant if: Your device can receive the latest Android security updates from the manufacturer
Not compliant if: Device no longer receives Android security updates (end‑of‑life hardware)
Verify Recent Security Updates
- Open Settings
- Scroll to System and Updates and select Check for updates
- Install any available updates
Compliant if: Updates are installed promptly (within 15 days of release)
Not compliant if: The device is too old to receive updates; it may not meet MFA requirements
Personal devices used for MFA may not be used as servers, routers, hotspots, or networking equipment to connect other systems to the university network. Devices must not disrupt university systems or network operations.
The university reserves the right to block or restrict access from devices that are non-compliant or disruptive.
If You Do Not Comply
If you decline these terms or fail to maintain your device according to this standard, access to Microsoft 365 (including Outlook, Teams, and OneDrive) and other sensitive systems may be restricted until compliance is restored.
Exceptions and Questions
If you cannot meet one or more requirements, you may request an exception through the Information Security Standard Exception Request Form. You will need to explain why the requirement cannot be met, how long the exception is needed, and what safeguards you will put in place.
Additional questions and resources
- For questions, contact the Information Security Office at isrc@uoregon.edu.
- For additional information regarding the university’s authentication standard, please review the Information Security Office: Authentication Standard.
- To report a lost device or security concern, contact:
  - infosec@uoregon.edu, or
  - Cyber Security Operations Center: 541-346-5837