Skip navigation

Procedure: Authentication for access to University resources

Purpose

This procedure establishes the minimum standards for authentication for access to University systems (email, file storage, software, etc.) and services to authorised users within the University community.

Definitions

Definitions of terms used in this document are provided in the overarching Information technology security policy.

Authentication: the act of verifying the identity of a user, process or device as a prerequisite to allowing access to resources in an information system. Includes authentication measures such as passwords, passphrases and multifactor authentication.

Multifactor Authentication: a security measure that requires two or more proofs of identity to allow a user to authenticate. Multifactor authentication typically requires a combination of something the user knows (PIN, secret question), something they have (phone, card, token) or something they are (fingerprint or other biometric).

Passphrase: a sequence of words used for authentication (e.g. pineapple Imagine 99).

Password: a sequence of characters or words used for authentication (e.g. ^Mhall.ifwwa*99btls). The use of the term password(s) also includes passphrase(s). The use of the term password(s) in this procedure does not include Personal Identification Numbers (PINs).

Personal Identification Number (PIN): a sequence of numbers used for authentication.

Standard users: users who do not have privileged or elevated access to University systems, as defined in the Information technology account management and access procedure.

Procedure

  1. ANU is committed to ensuring appropriate security for all systems, technology, data, equipment, and processes within its ownership and control.
  2. The University provides access to:
  1. authorised users within the University community; and
  2. network connecting devices authorised for connection, and that have been allocated an IP address within the University's IP Address range.

University responsibilities

  1. The University is responsible for:
  1. providing and maintaining access to systems and resources for authorised users;
  2. suspending any part of an authorised user's access as a result of a security concern or policy breach, resulting from penalties or disciplinary action; and
  3. maintaining and amending minimum authentication standards as appropriate, to reflect current information security protocols.

User responsibilities

  1. Users:
  1. do not disclose or share their authentication details to anyone else under any circumstances;
  2. do not allow any other individual access to a service or resource authenticated with their credentials;
  3. do not reuse authentication details used for University systems on any other system or service;
  4. comply with published account management and authentication security standards for the system/service that they are accessing; and
  5. report suspected security incidents such as the compromise of authentication details by emailing it.security@anu.edu.au in accordance with the Information technology security policy. Further information is available at https://services.anu.edu.au/information-technology/it-security/reporting-an-it-security-incident.
  6. If a user wishes to record and store authentication details, the following measures are undertaken:
  1. records in electronic format are stored on a secure system such as a password/credentials manager or password vault; and
  2. records in hard copy are stored in a highly secure location such as a locked safe, security container or other secure area with sufficient auditable physical access control measures.
  1. Group or shared passwords are not used unless no reasonable alternative is available. Where group or shared passwords are used, this is signed off by the owner of the account and/ or the relevant delegate and registered with the ANU Information Security Office at it.security@anu.edu.au. The owner of the account is responsible for any misuse of the account. Group passwords are:
  1. only disclosed to individuals who have been authorised to access a particular electronic resource or service as part of that group; and
  2. changed whenever a member of the group leaves the group.

System owner responsibilities

  1. System owners enforce the minimum authentication standards set out in this document when allowing user access to the systems under their ownership.
  2. Owners of systems containing sensitive or highly sensitive data as defined in the Infrastructure security classification standard will:
  1. ensure that authentication requirements are in line with the relevant enterprise systems tier as per the Enterprise systems management standard; and
  2. publish any change in authentication requirements to users of that system directly at the time the account is issued and at least annually thereafter.

Minimum authentication standards

  1. Access to University systems and services is only given to users with secure access via a password and/or multifactor authentication. Information on best practice regarding passwords and authentication is available on the ANU Cyber Sense website at https://cybersense.anu.edu.au/faq.
  2. Standard user passwords meet the following requirements:
  1. are a minimum of 17 characters; or
  2. are a minimum of 10 characters and include at least one character from each of at least three of the following groups:
  • lowercase characters (a - z)
  • uppercase characters (A – Z)
  • digits (0 - 9)
  • punctuation and special characters ($, !, %, ^, (, ), {, }, [, ], ;, :, <, >, ?)
  • unicode characters; and
  1. do not consist of:
  • the account name in any form (as-is, reversed, capitalised, doubled, etc.);
  • the user’s first or last name in any form;
  • simple patterns of letters on keyboards; or
  • any well-known or publicly posted identifiable information.
  1. Any and all exceptions to the minimum authentication standards at clauses 8 and 9 are registered by the system owner with ANU Information Security Office by emailing it.security@anu.edu.au with sign off by the relevant delegate.

Initial and reset authentication generation

  1. All initial and assisted reset passwords are generated randomly and are only recorded upon initial generation. Only one copy is made and this is provided directly to the owner of the password after suitable proof of identity is provided as per clause 13. User passwords are not disclosed to anyone other than the password owner under any circumstances.
  2. Requests for user authentication resets or single-use authentications require suitable proof of identity before being actioned. Suitable proof of identity for authentication includes:
  1. photo ID;
  2. supervisor identification; or
  3. satisfactory challenge responses.
  1. All authentication resets generate an auditable log indicating at a minimum the date, time, account name, and who conducted the reset.
  2. Authentication resets conform to the same controls as set out for initial credential generation.

Information

Printable version (PDF)
Title Authentication for access to University resources
Document Type Procedure
Document Number ANUP_013008
Version
Purpose This procedure establishes the minimum standards for authentication for access to University systems (email, file storage, software, etc.) and services to authorised users within the University community.
Audience Staff, Students, Alumni, Affiliates
Category Administrative
Topic/ SubTopic Information Security
 
Effective Date 27 Sep 2022
Next Review Date 27 Sep 2027
 
Responsible Officer: Chief Information Security Officer
Approved By: Chief Operating Officer
Contact Area Information Security Office
Authority: Information Infrastructure and Services Rule 2020
AS ISO/IEC 27002:2015
Australian National University Act 1991
Australian Government Protective Security Policy Framework
Public Governance, Performance and Accountability Act 2013
Public Governance, Performance and Accountability Rule 2014
Crimes Act 1914 (Cth)
Privacy Act 1988
Telecommunications Act 1997
Telecommunications Regulations 2021
Delegations 0

Information generated and received by ANU staff in the course of conducting business on behalf of ANU is a record and should be captured by an authorised recordkeeping system. To learn more about University records and recordkeeping practice at ANU, see ANU recordkeeping and Policy: Records and archives management.