Note: The Identity and Authentication Rule is expected to be issued summer 2026 with an effective date at the end of December. See this webpage for more information about the rule.
Anyone with access to university IT resources, including students, faculty, staff and third-party entities, must comply with RUL 08.00.19 – Identity and Authentication Rule. The rule outlines the minimum identity and authentication requirements the university must follow to protect its data.
This article will help campus users better understand their responsibility in following the rule.
Password Lifetime
Due to changing industry best practices, regular password changes are no longer required for all Unity accounts.
- Low- and medium-risk accounts: A password change is required only when it is suspected that the password has been compromised.
- High-risk accounts: Passwords must be changed every 365 days.
Password Managers
An enterprise password management solution provides better centralized oversight and reduces organizational risk. While an enterprisewide solution is not yet in place, this is the current recommendation:
- Low- and medium-risk accounts: An approved password manager is strongly recommended, but browser-based password managers may be used.
- High-risk accounts: Use an approved password manager. If these accounts, such as privileged (.admin) accounts and those with access to sensitive data, were compromised, there would be a significant impact to the university.
Multifactor Authentication (MFA)
MFA is required for all Unity accounts.
- High-risk accounts: Phishing-resistant MFA methods, such as security keys, will be required once universitywide plans for sustainable funding and support have been solidified.
Storage of Physical Credentials and Secrets
There are many physical methods we use to verify our identity. These methods must be kept secure.
- Backup codes: Printed backup codes must be physically secured in a locked office, locked cabinet or through another method. Alternatively, backup codes can be stored digitally in an approved password manager.
- Security keys: Physical authentication devices like security keys must be securely stored when not in use, such as by keeping them on you at all times or by storing them in a locked drawer.
- Mobile devices: Any mobile device used for MFA must have the screen-lock feature enabled, if capable.