Identification and Authentication Systems Policy

Summary

To ensure the security and integrity of both University data and data belonging to individuals, all owners of Emory University computer systems and networks must develop and implement access control policies.

This policy addresses requirements for identifying and authenticating users of Emory computer systems and networks, and describes AAIT's centrally-supported identification and authentication facilities.

1. Identification and Authentication Policy
2. Identification: General
3. Identification: Network ID
4. Authentication: General
5. Authentication: LDAP
6. Identification and Authentication: Local Systems
7. Sources of More Information

1. Identification and Authentication Policy

Authentication is the secure identification of system users. The system owner is responsible for determining which authentication method to use among those that may be available for a particular system. Systems with non-public resources should implement policies and recommended access control procedures and systems based on user identities.

System owners are strongly encouraged to rely on the authentication service provided by Emory's AAIT organization rather than using system-specific authentication methods. This service provides secure authentication and consistent campus-wide identification.

2. Identification: General

a. Management of Identifiers (Network ID)

Uniqueness - Each Identifier, i.e., Network ID, is unique and is therefore associated with a single person only.

One Identifier per Individual - An individual may have only one Network ID.

Non-Reassignment - Once an Identifier (Network ID) is assigned to a particular person it is always associated with that person. It may not be subsequently reassigned to identify another person or entity.

3. Identification: Network ID

a. Emory University Network Identifiers - Network ID's consist of the first initial of the first name and/or middle name and the first six characters of the last name or some variation of the middle initial, the last name and numeric characters.

b. Types of Network ID's

Regular Network ID's are available to:

Authorized, registered students, as defined by the Registrar
Regular faculty and staff, and emeritus faculty and staff.

Sponsored Network ID's may be available to others, subject to the following conditions:

ID is to be used by a specific, named individual
ID is sponsored by a person who is an eligible manager or supervisor
Sponsor accepts responsibility for ensuring that the sponsored ID is used in support of activity consistent with the University's mission of instruction, research, and public service, and in a manner consistent with the University's policies.

c. Establishing a Network ID - Network ID's are established and maintained via on-line procedures.

4. Authentication: General

a. Authentication Methods - Authentication methods involve presenting both a public identifier (a Network ID) and private authentication information, such as a password.

b. Eligibility for Authentication Entry - A user must be associated with an entry in the authentication service to be able to use most centrally-supported systems and services.

Network ID - Eligibility for an entry in the authentication service begins when the individual accepts the offer of student registration or employment. Eligibility ends when a person's active association with the University ends; i.e., when an employee is no longer employed (and does not have emeritus status) or a student is no longer registered. A grace period may be allowed as a courtesy after eligibility ends.

Sponsored Network ID - A sponsored Network ID is sponsored for a specific period of time. The sponsorship is generally for one year from the time of creation; sponsorship must be renewed to keep the ID valid. There is no grace period: the entry becomes invalid immediately at the end of the sponsorship period.

Reactivation - An entry may be reactivated if the individual subsequently rejoins the University, either via regular association or sponsorship.

Suspension - The use of an authentication entry may be revoked if it is used in a manner inconsistent with Emory policies or if an individual is subject to other administrative action that denies him/her University privileges.

c. User Responsibilities

Use of Service - Use of the authentication service to identify oneself to an on-line system constitutes an official identification of the user to the University, in the same way that presenting an ID Card does. Users can be held responsible for all actions taken during authenticated sessions.

Integrity - Regardless of the authentication method used, users must use only the authentication information that they have been authorized to use; i.e., users must never identify themselves falsely as another person or entity.

Confidentiality - Regardless of the authentication method used, users must keep their authentication information confidential; i.e., users must not knowingly or negligently make this information available for use by an unauthorized person.

Security Precautions - Users are strongly encouraged to change their password regularly (at least once every three months), to limit possible abuse of passwords that may have been compromised without the user's knowledge. Passwords should be chosen so that they are not easily guessable; e.g., not be based on the user's name or birthdate. See Emory University's 'Password Policy' for additional information.

Reporting Problems - Users who suspect that their authentication information has been compromised should contact the AAIT Security team:

SecurityTeam-L@listserv.emory.edu

or by entering an Emory Help Desk request at:

https://www.app.emory.edu/helpdesk/

or by phoning the Emory Help Desk at 404-727-7777.

5. Authentication: LDAP

LDAP is the preferred authentication method for use with centrally-supported systems and services at Emory.

a. Identifiers - Emory's LDAP system uses Network ID's to name its entries for individual users.

b. Use - Each LDAP entry is associated with a password maintained by the user. LDAP allows users to authenticate to network services using their Network ID and password.

c. Changing a Password - Password changes may be made via the following web page:

https://pws.cc.emory.edu/cgi-bin/pwdchangen.pl

or by calling the Emory Help Desk at 404-727-7777.

d. Reissuing Passwords - When a Network ID holder forgets the password associated with an LDAP entry, or if it is compromised and no longer private, the holder should immediately try to reset it at:

https://pws.cc.emory.edu/cgi-bin/pwdchangen.pl

or contact the Emory Help Desk at 404-727-7777 for assistance in having a new password issued.

6. Identification and Authentication: Local Systems

This section contains recommendations and requirements for systems and services that use local identification and authentication methods rather than the centrally-supported methods.

a. Use Emory Network ID's - Systems should use Network ID's to identify their users. This will be less confusing for users, and will ease future transition to centrally-supported authentication.

b. Avoid 'Clear-Text' Passwords - Systems must not transmit reusable passwords across the network unencrypted. Such passwords are vulnerable to capture and abuse.

c. Support Password Quality - Systems should check proposed passwords and reject those that are likely to be easily guessable. See Emory's 'Password and Network I.D. Account Policy'.
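The following is an added illustration of the kind of password-quality gate item c asks local systems to apply, combined with the guidance in section 4c that passwords should not be based on the user's name or birthdate. It is not Emory's code and does not reproduce the actual 'Password Policy'; the minimum length, the small deny-list and the character-class rule are assumed thresholds that a real deployment would replace with the policy's own values.

```python
"""Password-quality check for a local system (added example, not Emory's code).

Rules implemented (all illustrative assumptions):
  - minimum length
  - rejection of passwords found on a deny-list of common passwords
  - rejection of passwords containing the user's Network ID, name parts,
    or fragments of the user's birthdate (section 4c)
  - at least two character classes
"""
import re
from datetime import date

MIN_LENGTH = 12  # assumed threshold, not a value from the policy

# Constructed deny-list for the example; a real system would load a large one.
COMMON_PASSWORDS = {
    "password", "password1", "letmein", "welcome1", "qwerty123", "emory2024",
}


def _identity_tokens(network_id, full_name, birthdate_iso):
    """Strings a guesser would try first: the ID, name parts, date fragments."""
    birthdate = date.fromisoformat(birthdate_iso)
    tokens = {network_id.lower()}
    for part in re.split(r"[\s\-']+", full_name.lower()):
        if len(part) >= 3:  # skip initials and very short fragments
            tokens.add(part)
    tokens.update({
        birthdate.strftime("%Y"),
        birthdate.strftime("%m%d"),
        birthdate.strftime("%d%m"),
        birthdate.strftime("%m%d%Y"),
        birthdate.strftime("%Y%m%d"),
    })
    return tokens


def check_password(candidate, network_id, full_name, birthdate_iso):
    """Return the list of reasons the password is rejected; [] means accepted."""
    reasons = []
    lowered = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    if lowered in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")

    # Sorted so the report order is deterministic.
    for token in sorted(_identity_tokens(network_id, full_name, birthdate_iso)):
        if token in lowered:
            reasons.append(f"contains personal identifier '{token}'")

    class_patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, candidate)) for p in class_patterns)
    if classes < 2:
        reasons.append("uses only one character class")

    return reasons


def is_acceptable(candidate, network_id, full_name, birthdate_iso):
    """Convenience wrapper: True when no rule rejects the candidate."""
    return not check_password(candidate, network_id, full_name, birthdate_iso)


if __name__ == "__main__":
    # Constructed sample user; the Network ID form loosely follows section 3a.
    user = ("jsmith", "Jane Smith", "1990-07-04")
    for pw in ("password1", "jsmith1990!!", "Smith0704xyz", "correct horse 7 Battery"):
        verdict = check_password(pw, *user)
        status = "accepted" if not verdict else "rejected: " + "; ".join(verdict)
        print(f"{pw!r}: {status}")
```

The check returns every reason for rejection rather than stopping at the first, so a system can show the user what to change; on a network service the candidate password itself should never be logged along with those reasons.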

7. Sources of More Information

Emory AAIT's Security Team Web Page, http://security.it.emory.edu

AAIT Security Team, SecurityTeam-L@listserv.emory.edu