2-Step Verification

What is 2-Step Verification?

Fresno State’s 2-Step Verification (2-step authentication) provides a second layer of protection for your Fresno State account and adds protection to University information, systems and services. Fresno State’s 2-Step Verification uses the hosted, cloud-based Duo Security two-factor authentication service.

The first layer (something you know) is your Fresno State user ID and password. The second layer (something you have) is a smartphone, cell phone, landline or tablet. This second layer ensures that your account and University information, systems and services are better protected.

Fresno State’s 2-Step Verification requires two steps: first, you sign in with something you know, such as your password, and then with something you have, such as a smartphone, cell phone, landline or tablet.

Presently, Fresno State’s 2-Step Verification is used for such services as Google Mail accessed via the web, My Fresno State, the Learning Management System (Blackboard) and PeopleSoft.

Policies

2-Step Verification Policy

Purpose

Fresno State has implemented 2-step verification, an additional security measure, to provide a secondary layer of protection when accessing level 1 or level 2 information. Level 1 information is classified as confidential and level 2 information is classified as restricted. Such information requires protection as mandated by law, regulations and California State University executive orders. The additional security measure protects the security, privacy and integrity of Fresno State resources and information.

Background

2-step verification uses two types of authentication to verify your Fresno State account. First, you authenticate (log in) with your Fresno State username and password. Then you need a physical device that you control, such as your smartphone, mobile phone, tablet, landline or hardware token, to verify your identity.

Scope

This policy applies to all faculty, staff, and student employees with access to level 1 or level 2 information at Fresno State.

Policy

All faculty, staff and student employees with access to level 1 or level 2 information at Fresno State are required to enroll in 2-step verification in order to access those Fresno State resources or information protected by 2-step verification.

It is strongly recommended that all Fresno State faculty, staff, and students enroll in 2-step verification to protect their own personal information at Fresno State. 

Extent

Technology Services will regularly evaluate and prioritize applications and resources requiring 2-step verification to enhance the protection of Fresno State resources, institutional and personal information.

 -----------------

Level 1 – In general, confidential (level 1) information requires protection as mandated by law, regulations and executive orders. See Information Security section 8065.S02 at http://www.calstate.edu/icsuam/documents/Section8000.pdf

Level 2 – In general, restricted (level 2) information is considered institutional data which must be adequately protected. See Information Security section 8065.S02 at http://www.calstate.edu/icsuam/documents/Section8000.pdf

11-30-17

2-Step Verification Unenrollment Policy

Overview

This policy defines the unenrollment criteria for 2-step verification at Fresno State. 

Scope

This policy applies to all users enrolled in 2-step verification at Fresno State.

Policy

All Fresno State faculty, staff, and student employees with access to level 1 (confidential) or level 2 (restricted) information are required to remain enrolled in 2-step verification while employed at Fresno State. Individuals in this group are not eligible to request unenrollment from 2-step verification at Fresno State.

Faculty, staff, and student employees previously required to be enrolled in 2-step verification and separating from the university will be unenrolled from 2-step verification on their final separation from Fresno State.

As a general rule, users with access only to level 3 (unrestricted) information or only to their own personal information were not required to enroll in 2-step verification; therefore, individuals from these groups may request to unenroll from 2-step verification after having previously enrolled.

Students previously enrolled in 2-step verification will be unenrolled from 2-step verification when they graduate, are not enrolled, or are inactive for two consecutive semesters at Fresno State.

Unenrollments will be documented and accomplished by appropriate Technology Services staff.

Authorized

The ability to unenroll users is limited to appropriate Technology Services staff members:

  • Technology Services Help Desk staff.
  • Identity Management staff.
  • Information Security staff.

Unenrollment Tracking 

In order to prevent abuse, the following information will be tracked in the Help Desk ticket system each time a user is unenrolled from 2-step verification:

  • Identity proofing of the requester, following standard Technology Services Help Desk processes.
  • Name and PeopleSoft ID of the user being unenrolled.
  • Date and time of the request.
  • Reason for unenrollment.
  • Staff member who unenrolled the user.

 -----------------

Level 1 – In general, confidential (level 1) information requires protection as mandated by law, regulations and executive orders. See Information Security section 8065.S02 at http://www.calstate.edu/icsuam/documents/Section8000.pdf

Level 2 – In general, restricted (level 2) information is considered institutional data which must be adequately protected. See Information Security section 8065.S02 at http://www.calstate.edu/icsuam/documents/Section8000.pdf

Level 3 – In general, unrestricted (level 3) information is considered publicly available data. See Information Security section 8065.S02 at http://www.calstate.edu/icsuam/documents/Section8000.pdf

11-30-17

2-Step Verification Hardware Token Policy

Purpose

This policy defines the use of a hardware-based token as the second factor when authenticating (logging in) to Fresno State computing resources protected by 2-step verification. The use of a second factor when authenticating, in addition to your Fresno State username and password, reduces security risks and mitigates the dangers of a compromised account.

Scope

This policy applies to Fresno State faculty, staff, and student employees required to enroll in 2-step verification, and to those Fresno State faculty, staff, and student employees who have opted in and enrolled in 2-step verification.

Policy 

The use of hardware tokens is approved and can replace the use of a smartphone, tablet, mobile phone, or landline as the second factor when authenticating (logging in) to Fresno State computing resources protected by 2-step verification. 

Eligibility and Use

An employee is eligible for the issuance of a token if they do not have access to another second factor, such as a landline, smartphone, mobile phone, or tablet, at the locations from which they are required to work. The employee’s supervisor must submit a request to Technology Services.

Returning Token

Employees, upon final separation from Fresno State, must return tokens issued by Technology Services to their appropriate manager.

Reporting Lost/Stolen/Damaged Token

Employees must report the loss, damage or theft of a hardware token to Technology Services as soon as possible so the hardware token can be deactivated by Technology Services.

Token Replacement Costs

The initial hardware token is issued at no cost to the employee. Employees will be responsible for the non-refundable costs of replacing any lost or damaged hardware token. 

Individually Owned Token

Individually owned hardware tokens must be compatible with the 2-step verification system and upon request will be loaded by Technology Services. 

2-Step Verification Backup Code Procedure

Overview

This procedure describes how requests, issuance, and tracking of 2-step verification backup codes will be processed by designated staff in Technology Services.

Background

Users may occasionally find themselves unable to access 2-step verification protected Fresno State resources or information because an enrolled device is broken or lost. A backup code therefore provides a one-time means of granting access.

Backup Code Request

The following is how backup code requests will be handled:

  • Identity proof the requester following standard Technology Services Help Desk processes.
  • Confirm that no registered devices are available:
    • Look at the DUO Admin Panel to see which devices are enrolled.
    • Ask why any enrolled devices are not available.
    • Confirm that the enrolled devices are not available.
      • If the user has an enrolled smartphone or tablet, make sure the user is aware that the Duo Mobile app will work even without cellular service.
      • If the user has a hardware token enrolled, confirm that the token is not with the user at this time and does not simply need to be resynced.
  • Attempt to register a permanent replacement device:
    • Inquire about the availability of a mobile device or tablet to replace the unavailable device, either as a permanent backup device or as the new primary device.
    • Encourage, but do not require, the user to have two devices enrolled at all times.
  • If no permanent device can be enrolled:
    • Instruct the user on how to enroll a permanent device as soon as possible.
    • Instruct the user on how to receive 5 passcodes to use until a permanent device can be enrolled (if applicable).

Backup Code Issuance 

Only authorized and designated Technology Services staff members can issue a backup code. The following is how backup codes will be issued:

  • A one-time bypass code is used to get the user logged in once; the code expires within 12 hours (720 minutes).
  • Go to the lower section of the User screen.
  • Click the “Add Bypass Code” button.
  • Click “Change options.”
    • For “Expire bypass codes” choose “After ___ Minutes” and enter no more than 720 (12 hours).
  • For “It can be re-used,” click “One time only.”
  • Click “Generate Bypass Code.”
  • Scroll down to the “Bypass Code” section and click “Show.”
  • Read the bypass code to the user.
  • The user will enter that bypass code, using the passcode option, to gain access.

Backup Code Documentation 

In the Technology Services ticket system, record the name and PeopleSoft ID of the user, the date and time the backup code was issued, why the backup code was necessary, and the staff member who issued the backup code.
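The issuance and documentation steps above can be expressed as enforced rules rather than a checklist. The following is an added example written for this page, not Fresno State's or Duo's code: it models a one-time bypass code that expires after at most 720 minutes, refuses issuance by anyone outside the designated Technology Services roles, and produces the audit record the documentation section lists. The class, method and field names, the role names and the 9-digit code format are assumptions made for the example.

```python
"""
Added example (not Fresno State's or Duo's code): a model of the one-time
bypass code rules in the Backup Code Issuance and Documentation sections.
Enforced properties: usable once, expiry of at most 720 minutes, issued only
by designated staff, and an audit record per issuance. Class, method, field
and role names and the 9-digit code format are assumptions.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_EXPIRY_MINUTES = 720  # the procedure's ceiling: "no more than 720 (12 hours)"
AUTHORIZED_ROLES = {"help_desk", "identity_management", "information_security"}

# Constructed reference time so the walkthrough below is deterministic.
T0 = datetime(2017, 11, 30, 9, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """A point in time `minutes` after the constructed reference time T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class BypassCode:
    code: str
    peoplesoft_id: str
    issued_at: datetime
    expires_at: datetime
    used: bool = False


@dataclass
class AuditRecord:
    """The fields the Backup Code Documentation section says to record."""
    user_name: str
    peoplesoft_id: str
    issued_at: datetime
    reason: str
    issued_by: str


class BypassCodeService:
    def __init__(self) -> None:
        self._codes: Dict[str, BypassCode] = {}
        self.audit_log: List[AuditRecord] = []

    def issue(self, *, user_name: str, peoplesoft_id: str, reason: str,
              staff: str, staff_role: str,
              expire_after_minutes: int = MAX_EXPIRY_MINUTES,
              now: Optional[datetime] = None) -> str:
        """Generate a one-time code; refuse unauthorized staff or an over-long expiry."""
        if staff_role not in AUTHORIZED_ROLES:
            raise PermissionError("only designated Technology Services staff may issue bypass codes")
        if not 0 < expire_after_minutes <= MAX_EXPIRY_MINUTES:
            raise ValueError(f"expiry must be between 1 and {MAX_EXPIRY_MINUTES} minutes")
        now = now or datetime.now(timezone.utc)
        # 9 random decimal digits from the OS CSPRNG (the format is an assumption).
        code = "".join(secrets.choice("0123456789") for _ in range(9))
        self._codes[code] = BypassCode(
            code, peoplesoft_id, now, now + timedelta(minutes=expire_after_minutes))
        # Every issuance leaves the record the documentation section requires.
        self.audit_log.append(AuditRecord(user_name, peoplesoft_id, now, reason, staff))
        return code

    def redeem(self, code: str, peoplesoft_id: str,
               now: Optional[datetime] = None) -> bool:
        """Accept the code only for the right user, before expiry, and only once."""
        now = now or datetime.now(timezone.utc)
        entry = self._codes.get(code)
        if entry is None or entry.peoplesoft_id != peoplesoft_id:
            return False
        if entry.used or now >= entry.expires_at:
            return False
        entry.used = True  # "One time only": a second attempt with the same code fails
        return True


if __name__ == "__main__":
    svc = BypassCodeService()
    c = svc.issue(user_name="Test User", peoplesoft_id="000000000", reason="lost phone",
                  staff="hd1", staff_role="help_desk", now=T0)
    print("first use:", svc.redeem(c, "000000000", now=at(5)))    # True
    print("second use:", svc.redeem(c, "000000000", now=at(6)))   # False
```

The two checks worth keeping in any real implementation are the ones that make the procedure's wording binding: the expiry ceiling is validated at issuance rather than trusted from the operator, and redemption flips the `used` flag before returning so the same code can never be accepted twice.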

Standards

2-Step Verification Device Enrollment Standard

Purpose

This standard defines the supported devices and authentication options that can be used as the second factor when authenticating (logging in) to Fresno State computing resources or information protected by 2-step verification.

2-step verification uses two types of authentication to verify your identity. First you log in with your Fresno State username and password. Then, as the second step, you need a physical device that you control to verify your identity. The physical device can be a smartphone, tablet, mobile phone, landline or hardware token.

Standard

To set up 2-step verification, you must choose a primary verification device that you will use to verify your identity when accessing 2-step verification protected Fresno State resources or information.

Your verification device should not be the computer you use to do your work, but a second device, like a smartphone, that you have with you when you are working. Instead of a smartphone, you can also use a tablet, mobile phone, landline or hardware token. The enrolled physical devices must be under your control.

Supported Devices and Authentication Options

By default, 2-step verification remembers your identity for 12 hours in your browser / device. A user will therefore be required to verify their identity using the second step once during a normal working day for each browser and device.

The following devices and authentication options can be used to provide the second factor in 2-step verification. Users are encouraged to enroll their smartphone and another device, but users are not required to enroll more than one device.

Device Type    | Authentication Options                                | Supported Platforms
Smart Phone    | Mobile push notification, Mobile password, Phone call | iOS, Android, Windows Mobile
Tablet         | Mobile push notification, Mobile password             | iOS, Android, Windows Mobile
Mobile Phone   | Phone call                                            | Mobile phones
Landline       | Phone call                                            | All phones
Hardware Token | Passcode                                              | A "keychain" hardware token displays 2-step codes at the push of a button.

Procedures

2-Step Verification Account Lockout Procedure

Overview

This procedure describes how to process requests to unlock 2-step verification locked accounts.

Account Lock

A user is locked out of their 2-step verification account whenever there are 10 consecutive failed authentication attempts. Some common reasons for an account lockout are:

  • Mobile app issue (e.g. the app needs to be reactivated).

  • A 2-step verification protected resource set to log in automatically keeps re-authenticating without the user being aware of it.

  • Human error (selecting an incorrect device, such as a home landline while in the office).

2-step verification account lockouts are not likely to be fraudulent attempts to gain access to a 2-step verification protected resource or information, since both a username and password combination and a physical device in the user’s possession are needed.

Automatic Lockout Reset

2-step verification account lockouts will be automatically reset to the “Active” status after 10 minutes using the “auto-lockout expiration” feature.

Manual Unlock Procedure

Only authorized Technology Services staff can manually unlock a locked 2-step verification account. If the user requires an immediate account unlock before the automatic unlock occurs, document the process in the Help Desk ticket system:

  • Identity proof the requester following standard Technology Services Help Desk processes.

  • Record the name and PeopleSoft ID of the user and the date and time of the request.

  • Discuss the lockout with the user, informing the user when the account will automatically unlock and how to prevent lockouts in the future.

  • Unlock the account for the user by setting the locked account back to the “Active” status.

  • Record the staff member who unlocked the user account.

Alerts

Whenever a push notification is sent to the user, the user has the option to accept or deny the notification. If the user denies the notification, then they are given the option to report the authentication attempt as fraud.

The user must first “deny” an authentication attempt sent via a push notification; then the user must confirm that he/she wants to report the authentication attempt as fraud.

A notification is automatically sent once the user confirms a fraudulent attempt. Once notified, authorized Technology Services Help Desk staff will lock the user’s 2-step verification access and contact the user (using a mobile phone number or landline associated with the user account).

Once the user has contacted the Technology Services Help Desk, authorized staff will:

  • Identity proof the user following standard Technology Services Help Desk processes.

  • Unlock the account and then instruct the user to change his/her password.

  • Ask the user to set their security questions if not already set.

  • After confirming that the user’s password has been changed, set the user’s 2-step verification account back to an “Active” status.

  • Document the details using the Help Desk ticket system.
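The lockout, automatic reset, manual unlock and fraud-report handling described in this procedure fit naturally into a small state model. The following is an added example written for this page, not Fresno State's or Duo's code. The 10-failure threshold, the 10-minute automatic reset, the restriction of manual unlocks to authorized Technology Services staff, and the ticket fields come from the procedure above; the class, method, role and field names are assumptions, as are two simplifications: a fraud-reported lock does not expire automatically, and reactivation after a fraud report is modelled as a single step that requires the password change to have been confirmed.

```python
"""
Added example (not Fresno State's or Duo's code): a state model of the
Account Lockout Procedure and the fraud-report Alerts section. Threshold (10
consecutive failures), automatic reset (10 minutes), authorized-staff-only
manual unlock and the ticket fields come from the page; names and the
handling of fraud locks (no auto-expiry, reactivation only after a confirmed
password change) are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 10                      # "10 consecutive failed authentication attempts"
AUTO_UNLOCK_AFTER = timedelta(minutes=10)   # "auto-lockout expiration" after 10 minutes
AUTHORIZED_ROLES = {"help_desk", "identity_management", "information_security"}
# What the manual unlock procedure records in the Help Desk ticket system.
REQUIRED_TICKET_FIELDS = {"identity_proofed", "user_name", "peoplesoft_id",
                          "requested_at", "staff_member"}

# Constructed reference time so the walkthrough is deterministic.
T0 = datetime(2017, 11, 30, 9, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """A point in time `minutes` after the constructed reference time T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class TwoStepAccount:
    peoplesoft_id: str
    consecutive_failures: int = 0
    locked_at: Optional[datetime] = None
    fraud_locked: bool = False            # assumption: fraud locks never auto-expire
    events: List[Tuple[datetime, str]] = field(default_factory=list)

    def status(self, now: datetime) -> str:
        """Current state; applies the automatic 10-minute reset when it is due."""
        if self.fraud_locked:
            return "Locked (fraud reported)"
        if self.locked_at is not None:
            if now - self.locked_at >= AUTO_UNLOCK_AFTER:
                self._reset("auto-lockout expiration", now)
            else:
                return "Locked"
        return "Active"

    def record_attempt(self, success: bool, now: datetime) -> str:
        """Feed one authentication result in; returns the resulting status."""
        if self.status(now) != "Active":
            return self.status(now)          # attempts against a locked account are ignored
        if success:
            self.consecutive_failures = 0    # only *consecutive* failures count
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= LOCKOUT_THRESHOLD:
                self.locked_at = now
                self.events.append((now, "locked after 10 consecutive failures"))
        return self.status(now)

    def report_fraud(self, now: datetime) -> None:
        """User denied a push and confirmed it as fraud: lock access pending contact."""
        self.fraud_locked = True
        self.events.append((now, "fraud reported; 2-step access locked"))

    def manual_unlock(self, staff_role: str, ticket: Dict[str, object],
                      now: datetime, password_changed: bool = False) -> str:
        """Set the account back to Active; only authorized staff, only with a full ticket."""
        if staff_role not in AUTHORIZED_ROLES:
            raise PermissionError("only authorized Technology Services staff may unlock")
        missing = REQUIRED_TICKET_FIELDS - set(ticket)
        if missing:
            raise ValueError(f"ticket is missing required fields: {sorted(missing)}")
        if self.fraud_locked and not password_changed:
            raise ValueError("fraud-reported accounts are reactivated only after the password is changed")
        self.fraud_locked = False
        self._reset(f"manual unlock by {ticket['staff_member']}", now)
        return self.status(now)

    def _reset(self, reason: str, now: datetime) -> None:
        self.locked_at = None
        self.consecutive_failures = 0
        self.events.append((now, f"set to Active: {reason}"))


if __name__ == "__main__":
    acct = TwoStepAccount("000000000")
    for minute in range(LOCKOUT_THRESHOLD):
        acct.record_attempt(False, at(minute))
    print(acct.status(at(9)), "->", acct.status(at(19)))   # Locked -> Active
```

Two details carry the weight here: `status()` is where the automatic reset is applied, so a caller never sees a stale "Locked" after the 10 minutes have passed, and `manual_unlock()` refuses to proceed until the ticket carries every field the procedure says to record, which turns the documentation requirement into a precondition rather than an afterthought.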

11-30-2017
