Purpose
The purpose of this standard is to establish guidelines for the management of identity
and authentication processes at the University of North Carolina School of the Arts
(UNCSA). The goal is to ensure secure access to university systems and resources,
protect user identities, and provide a seamless authentication experience for users
while adhering to best practices in identity management.
Scope
This standard applies to all faculty, staff, students, contractors, and any other
individuals who access IT resources at UNCSA. It governs the use of authentication
methods, including Multi-Factor Authentication (MFA) and Single Sign-On (SSO), to
control and secure user access to institutional systems, applications, and data.
Authentication Models
1. Multi-Factor Authentication (MFA)
Overview: Multi-Factor Authentication (MFA) enhances the security of systems by requiring users
to provide two or more verification factors to gain access to their accounts. The factors
are drawn from three categories: something the user knows (password), something the user
has (security token or smartphone), and something the user is (biometric data).
Key Principles:
- Required MFA for Sensitive Systems: MFA must be enabled for access to high-risk systems, sensitive data, and applications
(e.g., financial systems, administrative dashboards, student records, email).
- Factors of Authentication:
- Knowledge Factor: A password or PIN.
- Possession Factor: A device, such as a smartphone for receiving a one-time passcode or a hardware security
token.
- Inherence Factor: Biometric data, such as fingerprints or facial recognition (if available).
- User Enrollment: Users must enroll in MFA at the time of first login, providing their secondary authentication
factor (e.g., phone number for SMS, mobile app for push notifications).
- MFA Solutions: UNCSA will use industry-standard MFA solutions (e.g., Google Authenticator, Duo,
Microsoft Authenticator) to secure access.
- Exceptions: In cases where MFA cannot be used due to technical limitations or exceptional circumstances,
an alternative authentication process may be authorized by the IT department on a
case-by-case basis, with additional security measures.
Example MFA Process:
- Step 1 (Knowledge Factor): The user enters their password.
- Step 2 (Possession Factor): The system sends a one-time passcode to the user's registered device (e.g., smartphone
app or text message).
- Step 3 (Verification): The user enters the passcode, or the app provides a one-click approval to authenticate.
2. Single Sign-On (SSO)
Overview: Single Sign-On (SSO) enables users to authenticate once and gain access to multiple
systems and applications without needing to re-enter their credentials. SSO simplifies
the user experience by reducing the number of login prompts and helps reduce password
fatigue.
Key Principles:
- Centralized Authentication: SSO will centralize authentication across all university systems and applications,
including email, learning management systems (LMS), internal administrative applications,
and more.
- Integration with Identity Providers (IdP): UNCSA will integrate with identity providers (e.g., Active Directory, Azure Active
Directory, or a federated identity service) to support SSO authentication.
- Secure Token-Based Authentication: Once the user authenticates through SSO, the system generates a secure token (such
as a SAML assertion or an OAuth token) that grants access to other linked systems without re-authenticating.
- SSO-enabled Applications: All critical university systems and applications must support SSO for ease of access
and improved security. This includes both cloud-based services (e.g., Office 365,
Google Workspace) and on-premises applications.
- Session Timeout & Reauthentication: After a specified period of inactivity, users will be logged out and required to
re-authenticate. This reduces the risk of unauthorized access in case of session hijacking.
Example SSO Process:
- Step 1: The user logs into the university portal using their credentials (e.g., username
and password).
- Step 2: The system verifies the credentials via the identity provider.
- Step 3: Upon successful authentication, the user is granted access to multiple services (e.g.,
email, LMS, library resources) without having to log in again for each service.
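How the token in step 3 carries the authenticated identity to the linked services, and how the session timeout under Key Principles and the role-based integration described under Role-Based Access Control are enforced on it, is shown by the following added example (not UNCSA's or any identity provider's code). It assumes an HMAC-signed token rather than a real SAML or OAuth implementation, a 15-minute idle timeout and 8-hour absolute lifetime (the standard gives no numbers), and a constructed role-to-service map.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Set

# Assumed values: the standard requires a timeout but does not specify one.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before re-authentication
MAX_LIFETIME = 8 * 60 * 60    # absolute cap regardless of activity

# Constructed role-to-service map illustrating role-based SSO integration.
ROLE_SERVICES: Dict[str, Set[str]] = {
    "student": {"email", "lms", "library"},
    "faculty": {"email", "lms", "library", "gradebook", "admin"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SsoIssuer:
    """Issues and checks HMAC-signed session tokens on behalf of the identity provider."""

    def __init__(self, key: bytes) -> None:
        self.key = key  # shared with every relying service; rotate it like any other secret

    def _sign(self, claims: dict) -> str:
        body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
        sig = _b64(hmac.new(self.key, body.encode("utf-8"), hashlib.sha256).digest())
        return f"{body}.{sig}"

    def issue(self, user: str, role: str, now: int) -> str:
        """Step 3: after the IdP has verified the credentials, mint the token the services trust."""
        return self._sign({"sub": user, "role": role, "iat": now,
                           "exp": now + MAX_LIFETIME, "last": now})

    def verify(self, token: str, now: int) -> Optional[dict]:
        """Return the claims if signature, lifetime and idle timeout all check out, else None."""
        body, _, sig = token.partition(".")
        expected = _b64(hmac.new(self.key, body.encode("utf-8"), hashlib.sha256).digest())
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None  # forged, tampered or signed with another key
        try:
            claims = json.loads(_unb64(body))
        except (ValueError, UnicodeDecodeError):
            return None
        if now > claims["exp"] or now - claims["last"] > IDLE_TIMEOUT:
            return None  # expired or idle too long: the user must re-authenticate
        return claims

    def touch(self, token: str, now: int) -> Optional[str]:
        """Record activity: re-sign with a fresh 'last' so the idle clock restarts ('exp' is unchanged)."""
        claims = self.verify(token, now)
        if claims is None:
            return None
        claims["last"] = now
        return self._sign(claims)

    def authorize(self, token: str, service: str, now: int) -> bool:
        """Does this token admit its holder to `service`, given the role recorded at login?"""
        claims = self.verify(token, now)
        return claims is not None and service in ROLE_SERVICES.get(claims["role"], set())


if __name__ == "__main__":
    issuer = SsoIssuer(b"constructed-demo-key-not-for-production")
    t0 = 1_700_000_000  # constructed login time
    token = issuer.issue("student1", "student", t0)
    print("student -> lms:", issuer.authorize(token, "lms", t0 + 60))
    print("student -> gradebook:", issuer.authorize(token, "gradebook", t0 + 60))
    print("after 16 idle minutes:", issuer.verify(token, t0 + 16 * 60))
```

Because the role is inside the signed token, a relying service never has to ask the identity provider again, which is exactly why the signature check must come before any claim is read: a token whose body was edited to say "faculty" fails verification and grants nothing.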
Authentication Requirements
1. Password Policy
- Minimum Length: Passwords must be at least 14 characters long.
- Complexity: Passwords must contain at least one uppercase letter, one lowercase letter, one number,
and one special character.
- Expiration: Passwords must be changed every 180 days. Users will be notified 14 days before expiration.
- History: Users cannot reuse any of their last 7 passwords.
- Lockout Policy: Accounts will be locked after 20 consecutive failed login attempts and require IT
intervention to reset.
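The five rules above are concrete enough to be checked by code. The following is an added example, not UNCSA's own account system: it takes the numbers straight from the policy (14 characters, four character classes, 180-day expiry with a 14-day notice, 7-password history, lockout at 20 consecutive failures), and assumes salted PBKDF2-HMAC-SHA256 at 100,000 rounds as the storage scheme, which the standard does not specify. The passwords and dates are constructed sample values.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Parameters taken from the Password Policy section.
MIN_LENGTH = 14
HISTORY_DEPTH = 7
MAX_AGE = timedelta(days=180)
WARN_BEFORE = timedelta(days=14)
LOCKOUT_THRESHOLD = 20
PBKDF2_ROUNDS = 100_000  # assumed work factor; the standard does not specify one
SPECIAL = set(string.punctuation)


def complexity_errors(password: str) -> List[str]:
    """Return every rule the candidate password breaks (an empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    if not any(c in SPECIAL for c in password):
        errors.append("no special character")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only digests are ever stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    """Password state for one user: current hash, history, age and lockout counter."""

    def __init__(self, password: str, now: datetime) -> None:
        self.history: List[Tuple[bytes, bytes]] = []  # (salt, digest), newest last, current included
        self.changed_at = now
        self.failed_attempts = 0
        self.locked = False
        errors = self.change_password(password, now)
        if errors:
            raise ValueError("initial password rejected: " + ", ".join(errors))

    def change_password(self, new_password: str, now: datetime) -> List[str]:
        errors = complexity_errors(new_password)
        # History rule: re-hash the candidate with each stored salt and compare digests.
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(new_password, salt)[1], digest):
                errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
                break
        if errors:
            return errors
        self.history.append(hash_password(new_password))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now
        return []

    def expiry_status(self, now: datetime) -> str:
        """'ok', 'expiring' (inside the 14-day notification window) or 'expired'."""
        age = now - self.changed_at
        if age > MAX_AGE:
            return "expired"
        if age >= MAX_AGE - WARN_BEFORE:
            return "expiring"
        return "ok"

    def login(self, password: str, now: datetime) -> str:
        """'ok', 'expired' (correct, but must be changed), 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failed_attempts = 0  # only *consecutive* failures count toward lockout
            return "expired" if self.expiry_status(now) == "expired" else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True  # cleared only by IT intervention, not by waiting
            return "locked"
        return "denied"


def demo() -> dict:
    """Walk one account through the policy with constructed dates; returns the outcomes."""
    t0 = datetime(2025, 1, 1)
    acct = Account("Initial-Passw0rd!!", t0)
    results = {
        "reuse_current": acct.change_password("Initial-Passw0rd!!", t0),
        "weak_change": acct.change_password("short1!", t0),
        "good_change": acct.change_password("Fresh-Passw0rd!!-2", t0 + timedelta(days=1)),
        "login_ok": acct.login("Fresh-Passw0rd!!-2", t0 + timedelta(days=2)),
        "login_wrong": acct.login("wrong guess", t0 + timedelta(days=2)),
    }
    for _ in range(LOCKOUT_THRESHOLD - 1):
        acct.login("wrong guess", t0 + timedelta(days=2))
    results["locked_after_threshold"] = acct.locked
    results["login_while_locked"] = acct.login("Fresh-Passw0rd!!-2", t0 + timedelta(days=2))
    results["expiring"] = acct.expiry_status(t0 + timedelta(days=170))
    results["expired"] = acct.expiry_status(t0 + timedelta(days=200))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two details are easy to get wrong in practice: the history check has to re-hash the candidate with each old password's own salt (a plain digest comparison would only work with unsalted hashes), and the failure counter must reset on a successful login so that the "consecutive" in the lockout rule is honoured.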
2. MFA Enrollment
- Mandatory MFA Enrollment: All users must enroll in MFA when they first gain access to the university systems.
- Recovery Options: Users must set up backup authentication methods (e.g., alternate phone number, email
recovery) in case they lose access to their primary MFA method.
- MFA Enforcement: MFA will be enforced for accessing critical systems and sensitive data, such as administrative
dashboards, financial systems, student records, and email systems.
3. Role-Based Access Control for Authentication
- Role-Based MFA Requirements: MFA will be required for users in specific roles based on the sensitivity of the
data or systems they access. For example, administrators, faculty, and staff members
accessing financial or health records will be required to use MFA.
- Role-Based SSO Integration: Access to different services through SSO will be based on a user’s role. For example,
students may only have access to learning management systems and library services,
while faculty will have additional access to grade books and administrative resources.
4. Authentication Logs and Auditing
- Logging: All authentication attempts, both successful and failed, will be logged and monitored
for signs of suspicious activity.
- Auditing: The IT department will conduct regular audits of authentication logs to ensure compliance
with security policies and detect unauthorized access attempts.
- Access Review: User access rights will be reviewed at least annually to ensure they align with each
individual's roles and responsibilities. IT Security will be responsible for notifying
stakeholders, tracking progress, and reporting on third-party system access reviews.
Departments will be accountable for conducting the reviews and verifying the appropriateness
of access for each of their third-party systems.
Compliance
Failure to comply with this IT Standard for Identity and Authentication may result
in revoked access privileges, disciplinary action, and/or termination of employment
or student status. The IT department is responsible for enforcing this policy, and
it will conduct regular audits and reviews to ensure compliance.
Conclusion
The University of North Carolina School of the Arts (UNCSA) is committed to providing
secure, seamless, and efficient access to university resources. By implementing Multi-Factor
Authentication (MFA) and Single Sign-On (SSO), the university enhances security, improves
user experience, and protects sensitive institutional data. All users are required
to comply with this standard to maintain a secure IT environment.