Multi-Factor Authentication (MFA) Standard


Document Control

Standard Owner: UW-IT Information Security
Approval Authority: CISO
Date of Issue: 09/9/2025
Last Reviewed: 04/19/2025
Next Review Date: 4/12/2027
Document Number: APS-2.6.STN-03.01

Related Policies

Executive Order (EO) 63: The Vice President for UW Information Technology and Chief Information Officer is responsible for "...information security and privacy" of all University of Washington units, regardless of fund source.

EO 63 and APS 2.4 also assign responsibility for "...overseeing the creation and maintenance of UW information security and privacy policies."

NIST standards:

  • SP 800-63B: Defines Authenticator Assurance Levels (AALs) and MFA methods; applies to all digital identity systems
  • SP 800-53 Rev. 5: Lists specific MFA requirements for controls; applies to federal agencies and high-security systems
  • SP 800-171 Rev. 2: Requires MFA for CUI protection; applies to federal contractors and research institutions

Purpose

To define the requirements and implementation standards for MFA to protect access to University systems, data, and services, especially those involving sensitive, regulated, or mission-critical information.

Scope

  1. All university-managed systems
  2. University faculty, staff, students, contractors, affiliates, and third-party users


Exemptions to the University’s MFA standard may be required in specific operational contexts where MFA use is impractical, prohibited, or poses a risk to critical processes. These may include clean-room environments where physical interaction with authentication devices is restricted, sterile medical settings where contamination risks must be minimized, or specialized research facilities with tightly controlled access mechanisms. In such cases, compensating controls—such as physical access restrictions, session monitoring, or network segmentation—must be implemented and documented to maintain equivalent security assurance.

Standard Requirements

  1. MFA Enrollment
    1. All users must enroll in the University’s approved MFA solution, inclusive of all applications and systems.

Roles and Responsibilities

CISO: Owns and enforces the MFA standard
Academy Department IT Leads: Ensure compliance within their unit
UW-IT IS: Supports remediation and monitors for compliance
Users: Adhere to usage guidelines and report incidents


Compliance

  1. Non-compliance may result in restricted access to University IT systems and potential disciplinary action. Exceptions must be approved, documented, and reviewed annually.

Definitions

Critical Systems: University systems essential for operations, research, or compliance.

MFA: Authentication requiring at least two of the following:

Privileged Access: Elevated permissions allowing configuration or administrative control.

University-Managed System: A system under the control of UW-IT staff or a contracted third party that adheres to institutional standards and is therefore subject to centralized monitoring, patching, and incident response. 

References