Identity and Authentication Rule: Supplemental Guidance for IT Staff


Note: The Identity and Authentication Rule is expected to be issued summer 2026 with an effective date at the end of December. See this webpage for more information about the rule.

This supplemental guidance is for IT audiences and provides detailed guidance in support of RUL 08.00.19 – Identity and Authentication Rule.

Account Risk Levels

As defined in the Account Requirements section of the Identity and Authentication Rule, identity and authentication requirements vary depending on account risk levels (low, medium or high).

Note: Some risk categories can include outliers. For example, if a Unity account has privileged access to a system that stores, accesses or processes highly sensitive information, it is considered a high-risk account.

For the purposes of identity and authentication, NC State University has the following account risk levels:

Low Risk

The following account types are low risk:

Medium Risk

The following account types are medium risk:

High Risk

The following account types are high risk:

Account Controls

As specified throughout this section, the following account controls for identity and authentication vary based on account level (low, medium or high risk):

Password History

The password history account control specifies the minimum number of previously used passwords that must be remembered to prevent password reuse.

The higher the risk, the higher the minimum password history.

Table 1. Password History
Risk Level Minimum Description
Low 0 No need to remember previously used passwords.
Medium 10 Must remember at least 10 most recent passwords.
High 100 Must remember at least 100 most recent passwords.

Password Managers

Note: NC State Password Guidelines for more information

Storage of Physical Credentials and Secrets

Account Provisioning

This section refers to verifying a person’s identity.

Table 2. Account Provisioning
Risk Level Identity Proofing Provisioning
Low No identity proofing required Automatic access granting is allowed
Medium

Medium identify proofing:

  • Employees, including most non-paid affiliates, must pass background checks
  • Students must pass the matriculation process
Automatic access granting is allowed
High

Strong identity proofing:

  • A university employee must confirm the identify of the account user with photo ID and the NC State photo database, which can be found in ServiceNow
Granting account access requires human interaction and validation

Account Risk Changes

When raising an account’s risk level, that account must meet the higher level of account requirements. For example, an account moving from medium to high risk must meet the high-risk requirements before access is provisioned.

Account Deprovisioning

An account must have access and authorization disabled after it is no longer required. Removal of accounts, while recommended, is subject to the technical requirements of each individual system. Programmatic/automatic deprovisioning of accounts is preferred.

Table 3. Account Deprovisioning
Risk Level Deadline
Low After an appropriate grace/cleanup period
Medium Next business day
High Immediately upon termination of employment/duties

Password Lifetime

Table 4. Password Lifetime
Risk Level Default Passwords Password Change Frequency Upon Security Breach
Low Must be changed upon account creation Not required Immediately
Medium Must be changed upon account creation Not required, recommended annually Immediately
High Must be changed upon account creation Required annually 
(365 days)
Immediately

Password Strength

If your system supports entropy calculations, they are preferred over rule-based requirements. Any system using a PIN authentication mechanism must submit an IT exception.

Table 5. Password Strength
Risk Level Rule-based Entropy Zxcvbn gl_10 score
Low 12 characters 60 8
Medium 16 characters 95 10
High 24 characters 160 Greater than 10

MFA

Table 6. MFA
Risk Level MFA Requirement MFA Method
Low Optional All MFA methods are allowed.
Medium Required

SMS (text), voice call, and email-based verification are not allowed.

All other MFA methods are allowed.

High Required Only phishing-resistant MFA methods are allowed such as FIDO2/WebAuthn Security Keys (YubiKeys)

Account Recovery Methods

Table 7. Account Recovery Methods
Risk Level Account Recovery Method
Low

Both are required:

  • A memorized secret. Examples could include:
    • Security question and answer
    • PIN
  • A possession factor of authentication. Examples could include:
    • Duo
    • Credential reset link/OTP sent to a known email address
Medium Same as above (medium and low are the same for this control).
High

An IT employee must verify the user’s identity before resetting the account password.

Note: A government-issued ID with photo is required for user identification.

Account Lockout Periods

Table 8. Account Lockout Periods
Risk Level After 10 Failed Attempts
Low Must be locked out for a minimum of 30 minutes
Medium Must be locked out for a minimum of 30 minutes
High Must be locked out until an IT employee resets the password 

Controls for Systems that Require Authentication Credentials

These systems are defined as those which are not using Single Sign On (SSO) and which are receiving user credentials. For example, a system doing LDAP authentication receiving the credentials may be storing them locally.

Single Sign-on/Centralized Authentication

In order of preference:

  1. Entra ID (formerly Azure AD SSO)  (OIDC, SAML, OAuth, OpenID)
  2. Shibboleth (SAML) (Through 2026)
  3. Wolftech AD Kerberos
  4. Wolftech AD LDAPS
Secure Password Hashing Methods for Local Authentication

Glossary