The purpose of this policy is to ensure that the person supplying an identity is the person to whom the supplied identity has been assigned.
Authentication: Authentication is the process of verifying the identity of users. Generally, it is accepted that the forms of authentication come in three types that may be used separately or together: something the user knows (e.g., a password), something the user carries (e.g., an ID card) or something about the user (e.g., a fingerprint).
The system owner or his or her designee for the system involved will, with input from data owner(s) and system administrator(s), make the decision about the level and type of authentication that will be deployed. The following types of authentication listed in order of strength are permitted for use on Longwood systems:
- Network Address/Physical Location: May be used to restrict access to data or a particular service to persons using a specific networked device or any Longwood University networked device in general. "Proxy"-type services may be deployed where it is necessary to provide this access to Longwood users who are not physically attached to a Longwood network segment (e.g., library databases). An additional form of authentication will be necessary to ensure that the person accessing this proxy mechanism is indeed a member of the Longwood community and as such authorized to access the network address-protected services.
- Personal Identification Number (PIN): PIN authentication will be available for use as a security measure for mobile phones. The PIN must be 4 to 5 digits. Users will be responsible for safeguarding the integrity of their PIN.
- Password: Passwords or passphrases may be used for applications where access to data or information systems requires individual or personal identification, and where this single password or passphrase is sufficient to authenticate this identity. Passphrases differ from passwords in that they are much longer (typically 20 to 40 characters) making them more secure against "dictionary attacks." The secure password or passphrase should be used for systems requiring a high-level of individual accountability. See the Password Management policy for more information on the use of passwords.
- Authentication Device: This level of protection makes use of password token technology in addition to a password, for systems requiring a higher level of individual accountability than a password alone can provide. The user must physically possess the device and know the associated PIN, in addition to knowing the password associated with the account.
- Biometrics: Biometric authentication verifies a user's identity by requiring the capture of a biometric sample (e.g., fingerprint) and comparing that sample to a stored biometric sample that was enrolled by the user. This level of protection is appropriate for systems requiring a higher level of accountability than a password can provide and when a system for secure enrollment of users' biometric samples is present.
All information used for authentication, either stored or in transit, must be protected. The data must be encrypted according to the Minimum Encryption Standards. Only the minimum amount of access necessary should be granted to allow the authentication process to function.
The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action, in addition to possible cancellation of information technology (IT) resources and systems access privileges. Users of IT resources and systems at Longwood are subject to all applicable local, state and federal statutes. This policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal and international laws and regulations.
Approved by the Board of Visitors April 1, 2005.
Revised and approved by the Board of Visitors, September 15, 2006.
Revised and approved by the Board of Visitors, December 5, 2008.