Two-Factor Authentication to Georgetown Systems
The purpose of this policy is to establish minimum standards for authentication and authentication management for Georgetown University network systems. This policy is designed to ensure that the technology system administrators manage authentication in a consistent manner and to safeguard NetID-based access to information assets in accordance with data protection best practices and industry standards; and, to ensure that account holders that have access to University technology systems are authenticating in accordance with data protection best practices and industry standards.
Two-factor authentication is recognized as an industry best practice in preventing unauthorized access to an institution’s enterprise accounts, financial, operational, and academic systems.
The two-factor authentication policy and supporting requirements applies to all authentication administered throughout the Georgetown network, whether centrally managed by UIS, managed by a designated technology service provider, or departmentally managed. This policy is applicable to all University community members, including faculty, staff, students and associates who are authorized to access the University’s information systems and data with a NetID.
Georgetown University NetID accountholders are required to use University-authorized two-factor authentication for all NetID-enabled access to technology resources that store, process, transact or transmit any data classified as Personally Identifiable Information, financial information, protected health information, and data critical to the operation of the University (including but not limited to research, electronic mail, library and archives, and other University business systems). Authentication prompts (in-app, voice, or SMS) are to be approved only if the login attempt is known and initiated by the NetID account owner. Authentication prompts that are unknown login attempts and those initiated by others should be denied and reported to the UISO Cybersecurity Operations Center as potential account compromise events.
In accordance with the policy statement, any technology system connected to the University network must apply the appropriate authentication and access controls to prevent unauthorized access to University administrative, operations and academic systems and data.
Those account holders, system owners and administrators that are non-compliant with this policy are subject to NetID account limitations or restrictions, network/system access limitations or restrictions, and other measures commensurate with University and cybersecurity policies.
REVIEWED AND APPROVED July 2020
- UNIVERSITY CHIEF INFORMATION OFFICER
- UNIVERSITY CHIEF INFORMATION SECURITY OFFICER