At the University, we will be implementing two-factor authentication (2FA) with our username for remote access and for administrative access to servers. For our application, the two components of two-factor authentication are something you know (password) and something you have (a mobile device, landline phone, or hardware token).
In certain limited instances, Information Security may consider an exemption to avoid system incompatibilities or work disruptions. An exemption request must be submitted to the Chief Information Security Officer.
The overall two-factor authentication exemption process is as follows:
- Requester gathers and provides documentation justifying the exemption (see list below)
- Requester submits request for exemption using the online exemption request form
- The Chief Information Security Officer (CISO) makes the decision
- The CISO communicates the decision
  - Denial – notify the requester with an explanation for denial
  - Approval – notify the requester and assign an expiration date
Supporting documentation for the exemption request includes, but isn’t limited to:
- Individual identifier for the device or service
- Owning department, along with responsible personnel (dean/director/chair, requester, etc.)
- How the device or service is currently being used
- The reason(s) two-factor authentication cannot be used
- A business case based on the above reasons
- Any compensating controls put in place to reduce the risk of unauthenticated access
Note: If you are not able to access the online form, download the form to your computer by right-clicking on this link and choosing the save option for your browser: Exemption Request Form
- Internet Explorer – “Save Target As …”
- Firefox – “Save Link As …”
- Chrome – “Save link as …”
1. Download the form to your computer (requires Microsoft Excel 2007 or later)
2. Read tab “1-Instructions Page”
3. Fill out tab “2-General Form”
4. Fill out tab “Two Factor Authentication”
5. Begin collecting the necessary signatures
For more information regarding the exemption process, please contact Information Security at grc@uthscsa.edu, or the Information Security Hotline at 210-567-0707.