This document shows the various policies and procedures associated with one-time password tokens in UW Digital ID.
Note: This guide pertains to the UW Digital ID service. For policies regarding your local institution's multi-factor authentication, please contact your local IT staff.
Multi-Factor Authentication Core User Policy and Procedures
To view the Multi-Factor Authentication Core User Policy and Procedures Agreement, click the following link: https://uwdigitalid.wisconsin.edu/policy_and_procedures.htm
You will be prompted to log in with your institutional credentials.
If you experience problems logging into this page, please refer to the following KB document: Wisconsin Federation - Logging into an application
Smart Phone Responsibilities
As outlined in section 1.b.iv of the Multi-Factor Authentication Core User Policy and Procedures Agreement, Smart Phone User Responsibilities are as follows:
Core Users are expected to leverage the electronic security provided by their smartphones, including but not limited to use of a screen lock utility to access their smartphones (e.g., PIN, Password, or biometric such as a fingerprint scan).
Core Users must notify their campus LRA when they change their smartphone device, even if they keep the same phone number. The LRA will assist users with the process of registering their new smartphone device.
Core Users must agree to uninstall the OTP application once their need to use it expires.
LRA - Inventory Management of OTP Tokens
The hardware fobs for the Multi-Factor Authentication project have both physical and system-level value. The fobs cost approximately $20 each and are a part of the system being used to protect highly sensitive data. This document lists the requirements for hardware storage and management.
There will be two types of inventories: the Master inventory and the LRA (campus) level inventory.
The Master inventory of hardware fobs shall be kept at UW-Madison by the UW Digital ID team. This inventory comes from the manufacturer of the fobs and will be a central distribution point for all the UW campuses. The UW Digital ID team will provide inventory control and secure storage for these devices. A secure location is defined as a location in which access to the devices is physically limited to the UW Digital ID team only. Such a location would be secured, at a minimum, by a locked file cabinet within an office that should be locked whenever unoccupied.
The LRA level inventory is defined as hardware fobs in unused inventory at each individual campus. UW Digital ID recommends each campus have a 10% surplus (e.g., if they distribute 100, then 10 should be the surplus on hand). Each campus will provide inventory control and secure storage for these devices. A secure location is defined as a location in which access to the devices is physically limited to the campus LRA(s) only. Such a location would be secured, at a minimum, by a locked file cabinet within an office that should be locked whenever unoccupied.
Any time a hardware fob is removed from inventory, its reason for removal should be logged.
All hardware fobs in unused inventory must be stored in a location owned by the university. Hardware fobs may not be stored off-site in a private location such as a home.
A contingency access procedure must be in place for situations in which the LRA is unable to physically access the unused hardware fob inventory.
All hardware fobs shipped to UW-System campuses shall be shipped by a carrier which provides chain of custody controls and which provides proof of delivery.
All broken hardware fobs should be shipped to the UW Digital ID team at UW-Madison by a carrier which provides chain of custody controls and which provides proof of delivery.
For any questions regarding any of these policies, please contact firstname.lastname@example.org.