University of South Alabama
Policy No: 2072
Responsible Office: Computer Services Center
Last Review Date: 01/27/2021
Next Required Review: 01/27/2023

Multi-Factor Authentication Policy


1. Purpose

Identity security is one of the most significant challenges that organizations face.  An identity compromise can ruin an organization, and it is the number one attack vector for cyber criminals.  In the case of the University of South Alabama, identity compromise can lead to the loss, theft or release of proprietary research, student records and financial account information, patient health records, employee financial records, personally identifiable information and other sensitive information.  Implementation of multi-factor authentication for email account access is one of the most effective methods to combat identity compromise.

2. Applicability

This policy applies to all University General Division (campus) issued email accounts.  All users of these accounts, including faculty, staff and students, are required to enable multi-factor authentication.

3. Definitions

Multi-Factor Authentication (also referred to as “Two-Factor Authentication” or “Two-Step Verification”): an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism.  In many instances, the second factor is a numeric code that is delivered via an app installed on the user’s device, or via a text message sent to the user’s smart phone or other electronic device, after the user has successfully entered a password.

4. Policy Guidelines

This policy provides requirements and guidance for security protocols for University issued email accounts.  These are the minimum requirements for securing these accounts; other requirements may also apply.

5. Procedures

5.1  Individual users must take actions to protect their University issued email accounts from compromise.

5.2  All accounts must be enabled with multi-factor authentication. Current email account users will be notified by the Office of Information Security of this requirement.  New email account users will be required to enable multi-factor authentication during account creation.

5.3  Periodic reviews of University issued email accounts will be conducted by the Office of Information Security to verify compliance.

5.4  Users of accounts found to be non-compliant will be notified of the need to enable multi-factor authentication.  Failure to enable multi-factor authentication may result in the email account being suspended.

5.5  Please click the link in Section 7 (USA 2-Step Verification Setup Process) to establish your 2-step verification.

6. Enforcement

The responsible parties for oversight and enforcement of this policy are:

  • Policy Oversight – Assistant Vice President and Director, Information Technology
  • Policy Enforcement – Director of Information Security

7. Related Documents

USA 2-Step Verification Setup Process