1.11 Authentication and Password Standard
-
- 1.11.1. Implementation
- a. Potential situations that may cause a failure of established identification and authentication mechanisms must be considered when selecting, designing, and reviewing the college’s IT resources and authentication systems.
- b. Implemented authenticated access methods must meet or exceed the controls required by the category of data accessed.
- c. Highline College shall maintain an inventory of its authentication and authorization systems, including those hosted on-site or by a remote service provider. This inventory shall be reviewed at least yearly.
- d. Access control measures must be reviewed at least yearly. All access control measures, privileges, and security or permission group memberships found must be confirmed to be authorized and appropriate. Use of automation is encouraged where feasible.
-
- 1.11.2 Authentication
Authentication is used to validate the identity of users accessing devices, systems, services, and other information technology resources.
- a. Unauthenticated Access
- i. Unauthenticated access may only be granted to category 1 public data, forms submission, FTP file uploads, etc.
- ii. Attendees of remote phone, video or other types of calls or meetings must be authenticated before any category 2 or above information is mentioned, discussed, displayed, disclosed, shared, etc.
- b. Authenticated access
- i. Identities of users or devices must be authenticated (or verified) before allowing access to information technology systems. For identification of persons, see Identity Verification Standard. IT systems must authenticate an identity prior to:
- 1. Permitting access to modify any data regardless of category.
- 2. Providing access to category 2 data or higher. See Data Classification Standard.
- ii. In order to access systems or data classified as category 1 or above:
- 1. Identity must be proven using at least one factor of authentication. In the case of category 1, this applies when authentication is used or identity verification is needed.
- 2. Encrypted authentication protocols must be used. In the case of category 1, this applies when authentication is used or identity verification is needed.
- c. Centralization
- i. Highline College shall centralize access control and account management for all accounts and enterprise assets, where feasible.
- ii. One Single Sign On (SSO) solution shall be used for all account authentication and login processes, where feasible.
- 1. ITS will evaluate necessity and feasibility as part of the processes of onboarding or upgrading of systems, services, and other things that need identification to protect information with respect to involved data classifications and asset functions.
-
- 1.11.3 Authentication Factors
- a. Unique authentication factors are required for individual user access to any system.
- b. Sharing of individual user’s authentication factors, such as usernames, passwords, or any other form of identification is strictly prohibited. Temporary passwords may be communicated to the student by employee account support staff. To provide first time access or to reestablish access, unique temporary authenticators must be used. All temporary factors must be changed immediately after first use to establish initial access.
- c. Passwords
- i. Password rules must be technically or procedurally enforced.
- ii. Life Duration
- 1. A password change must be required and enforced immediately after first use of an initial or temporary password.
- 2. A minimum password lifetime of one (1) day, except for temporary passwords, must be enforced through technical means where possible.
- 3. Passwords will expire 365 days after the last change or sooner depending on account type. See Account standard for details.
- 4. Expired passwords must be changed before the account is usable again.
- iii. Reuse
- 1. Users should use passwords that are significantly or sufficiently different from all previous passwords used. Passwords that increment (ex: Password1; Password2; Password3; …) are not considered significantly or sufficiently different.
- 2. Password reuse of the last nine (9) passwords/passphrases will be prohibited. This will be enforced technically, where feasible.
- iv. Contents
- 1. First-time passwords and reset passwords must be set to a unique value.
- 2. Contain at least three of the following character classes: uppercase letters, lowercase letters, numerals, special characters.
- 3. Not contain the user’s student ID, name or initials, username, or college name.
- 4. Not consist of a single complete dictionary word, but can include a passphrase.
- 5. Beginning January 1, 2026: Passwords must be a minimum of 15 characters in length.
- d. Multi-Factor Authentication (MFA)
- i. Implementation
- 1. Accounts must utilize Multi-Factor Authentication where required or enforced.
- 2. MFA must be enforced on all administrative access accounts for all enterprise assets, where supported.
- ii. Contents
PIN codes used in multi-factor authentication schemes must:
- 1. Be a minimum of 5 digits in length.
- 2. Not be composed of all the same digit. For example, PINs consisting of 11111, 22222 are not acceptable.
- 3. Not contain a run of more than three consecutive digits, ascending or descending. For example, PINs such as 12347 and 98761 are not acceptable.
- e. Passcodes
Passcodes used to secure mobile devices must:
- 1. Be a minimum of six alphanumeric characters.
- 2. Mobile devices (phones, tablets) owned by Highline College must utilize an authentication mechanism, such as a PIN or password, to access the device.
- 3. The device must be rendered unusable after 10 failed login attempts.
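One way to enforce the password content, reuse and MFA PIN rules of 1.11.3 in software, as an added example that is not the college's own code. The word list, college name and sample user identifiers are constructed for illustration, the trailing-suffix stripping in the dictionary check is this example's interpretation of "single complete dictionary word", and the "sufficiently different" test (comparing the letters of the old and new passwords after removing digits and punctuation) is this example's own heuristic rather than a rule the standard states.

```python
import re

# Constructed stand-in for a real dictionary; a deployment would load a
# full word list. The college name is assumed for the "college name" rule.
DICTIONARY = {"password", "welcome", "thunderbird", "summer", "highline"}
COLLEGE_NAME = "highline"
MIN_LENGTH = 15        # 1.11.3.c.iv.5 (effective January 1, 2026)
MIN_CLASSES = 3        # 1.11.3.c.iv.2
PIN_MIN_DIGITS = 5     # 1.11.3.d.ii.1
PIN_MAX_RUN = 3        # 1.11.3.d.ii.3


def char_class_count(pw: str) -> int:
    """Number of the four classes present: upper, lower, digit, special."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def forbidden_tokens(username: str, full_name: str, student_id: str) -> list:
    """Identifiers a password must not contain (1.11.3.c.iv.3), lower-cased."""
    parts = full_name.lower().split()
    tokens = [username.lower(), student_id.lower(), COLLEGE_NAME] + parts
    if len(parts) >= 2:
        tokens.append("".join(p[0] for p in parts))  # initials, e.g. "js"
    return [t for t in tokens if t]


def is_single_dictionary_word(pw: str) -> bool:
    """1.11.3.c.iv.4: reject a lone dictionary word. Trailing digits and
    punctuation are stripped first so that 'Password1' is still caught
    (this example's interpretation); a multi-word passphrase passes."""
    core = re.sub(r"[\d\W_]+$", "", pw).lower()
    return core in DICTIONARY


def increments_previous(old: str, new: str) -> bool:
    """1.11.3.c.iii.1 heuristic (assumption): if old and new are identical
    once digits and punctuation are removed, the change is an increment such
    as Password1 -> Password2, not a 'sufficiently different' password."""
    letters = lambda s: re.sub(r"[^a-z]", "", s.lower())
    return letters(old) != "" and letters(old) == letters(new)


def check_password(pw, old_pw, username, full_name, student_id) -> list:
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_class_count(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    low = pw.lower()
    for tok in forbidden_tokens(username, full_name, student_id):
        if tok in low:
            problems.append(f"contains identifier {tok!r}")
    if is_single_dictionary_word(pw):
        problems.append("single dictionary word")
    if old_pw is not None and increments_previous(old_pw, pw):
        problems.append("only increments the previous password")
    return problems


def longest_sequential_run(pin: str) -> int:
    """Length of the longest run of digits stepping by +1 or -1,
    e.g. 4 for '12347' (1234) and for '98761' (9876)."""
    best = run = 1
    direction = 0
    for a, b in zip(pin, pin[1:]):
        step = int(b) - int(a)
        if step in (1, -1) and direction in (0, step):
            run += 1
        elif step in (1, -1):
            run = 2          # direction reversed: a new run starts at a
        else:
            run = 1
        direction = step if step in (1, -1) else 0
        best = max(best, run)
    return best


def check_pin(pin: str) -> list:
    """Violations of the MFA PIN rules in 1.11.3.d.ii (empty list = acceptable)."""
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must be digits only"]
    problems = []
    if len(pin) < PIN_MIN_DIGITS:
        problems.append(f"shorter than {PIN_MIN_DIGITS} digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if longest_sequential_run(pin) > PIN_MAX_RUN:
        problems.append(f"run of more than {PIN_MAX_RUN} consecutive digits")
    return problems


if __name__ == "__main__":
    print(check_password("Password2", "Password1", "jsmith", "Jane Smith", "971234567"))
    print(check_pin("12347"), check_pin("13579"))
```

The checks return a list of violations rather than a boolean so the user can be told every rule the candidate broke in one round trip; the reuse-against-history rule (last nine passwords) needs the stored hashes and is not part of this plaintext-only check.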
-
- 1.11.4 Protections of Credentials and Secrets
- a. The identity of individuals must be verified before they are provided credentials and/or authentication factors related to their account, including, but not limited to password, Multi-Factor Authentication, PIN codes, passcodes, or other authentication-related secrets or resets.
- b. Obscure feedback of account credentials and authentication information: ensure that passwords are not visible in plain text when entered, to reduce the potential for “shoulder surfing”.
- c. UserID/password combinations are Category 3 data and must be protected accordingly.
- d. Only cryptographically protected passwords may be stored or transmitted. One example of a cryptographically protected password is a salted one-way cryptographic hash of the password.
- e. Sharing of user authentication credentials, such as usernames, passwords, or any other form of identification, to access systems with anyone but authorized individuals is strictly prohibited. See the Account Management Standard for details.
- f. Identity, authentication, and authorization secrets must be protected. This includes secrets not managed or owned by Highline College as well as secrets not documented in the IT security program. Examples of such secrets are root credentials, API keys, built-in account and system passwords/passphrases, database root passwords, password manager/vault master passwords, and encryption keys.
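A minimal credential store that meets 1.11.4.d (salted one-way hashes only) and enforces the last-nine reuse prohibition of 1.11.3.c.iii.2, as an added example that is not the college's code. It uses hashlib.scrypt from the Python standard library; the scrypt cost parameters, salt length and the in-memory table are assumptions for the demonstration, and the unsalted SHA-256 function is included only to show the anti-pattern the rule excludes.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 9   # 1.11.3.c.iii.2: the last nine passwords may not be reused
SALT_BYTES = 16
# scrypt cost parameters are assumptions, lowered so the demo runs quickly;
# a production deployment should raise N (memory/CPU cost) considerably.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 13, 8, 1, 32


def weak_digest(password: str) -> str:
    """The anti-pattern 1.11.4.d rules out: an unsalted fast hash. Two users
    with the same password get the same digest, so one crack or precomputed
    table breaks every account sharing it."""
    return hashlib.sha256(password.encode()).hexdigest()


def derive(password: str, salt: bytes) -> bytes:
    """Salted one-way hash (scrypt, a deliberately slow memory-hard KDF)."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


class CredentialStore:
    """In-memory stand-in for a credential table. Per user it keeps the
    HISTORY_DEPTH most recent (salt, digest) pairs, newest last; the
    plaintext password is never stored."""

    def __init__(self):
        self._users = {}

    def set_password(self, user: str, new_password: str) -> None:
        history = self._users.get(user, [])
        # Each old entry has its own salt, so the candidate must be re-derived
        # per entry; compare_digest avoids leaking which byte mismatched.
        for salt, digest in history:
            if hmac.compare_digest(derive(new_password, salt), digest):
                raise ValueError(f"matches one of the last {HISTORY_DEPTH} passwords")
        salt = os.urandom(SALT_BYTES)
        history.append((salt, derive(new_password, salt)))
        self._users[user] = history[-HISTORY_DEPTH:]

    def verify(self, user: str, password: str) -> bool:
        if user not in self._users:
            derive(password, bytes(SALT_BYTES))  # same cost for unknown users
            return False
        salt, digest = self._users[user][-1]
        return hmac.compare_digest(derive(password, salt), digest)

    def stored_digest(self, user: str) -> bytes:
        return self._users[user][-1][1]


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("alice", "Correct-Horse-Battery-42")
    store.set_password("bob", "Correct-Horse-Battery-42")
    print(store.stored_digest("alice") != store.stored_digest("bob"))  # salts differ
    print(store.verify("alice", "Correct-Horse-Battery-42"))
```

Because each retained entry carries its own salt, the reuse check costs one KDF derivation per history entry; that is the price of never keeping a plaintext or unsalted form of old passwords around, and it is bounded by HISTORY_DEPTH.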
-
- 1.11.5 Account Lockout
- a. For network assets, establish a maximum of five incorrect login attempts and lock the account for a minimum of 15 minutes or until reset by an administrator.
- b. After 15 minutes of user inactivity, all laptops and desktops must automatically lockout access until the user has unlocked the device using their account.
- c. All classroom workstations will be logged out after a period of inactivity not to exceed 45 minutes.
- d. Attempts to work around or bypass the lockout efforts by any means are prohibited.
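An account-lockout tracker implementing 1.11.5.a (five incorrect attempts, a lock of at least 15 minutes, or an administrator reset), as an added example that is not the college's code. The class name, the injected clock and the string return values are this example's own choices.

```python
import time
from typing import Callable

MAX_FAILURES = 5          # 1.11.5.a
LOCK_SECONDS = 15 * 60    # 1.11.5.a minimum lock duration


class LockoutTracker:
    """Per-account failure counter with a timed lock. The clock is injected
    (default: time.monotonic) so tests can advance time without waiting."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> clock value at which the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock has expired: clear it and start a fresh failure window.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, verify: Callable[[], bool]) -> str:
        """Run one login attempt. `verify` is only called when the account is
        not locked, so a correct password does not unlock a locked account
        and a locked account's credential is never evaluated."""
        if self.is_locked(user):
            return "locked"
        if verify():
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_FAILURES:
            self._locked_until[user] = self._clock() + LOCK_SECONDS
            return "locked"
        return "failed"

    def admin_reset(self, user: str) -> None:
        """Administrator unlock (1.11.5.a: 'or until reset by an administrator')."""
        self._locked_until.pop(user, None)
        self._failures.pop(user, None)


if __name__ == "__main__":
    tracker = LockoutTracker()
    for _ in range(MAX_FAILURES):
        print(tracker.attempt("alice", lambda: False))
    print(tracker.attempt("alice", lambda: True))  # still "locked"
```

A per-account lock like this also lets anyone who knows a username lock its owner out, so in practice it is paired with per-source rate limiting and alerting on repeated lockouts rather than used alone.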
-
- 1.11.6 Availability
- a. Accounts are to be reviewed at the end of every academic year (June 30th), or more frequently. For each, a decision should be made to keep, disable or otherwise retire the account.
-
- 1.11.7 Remote Access
- a. Remote access solutions must be protected with encryption.
- b. Remote access solutions must prompt for re-authentication and/or perform automated session termination after 30 minutes of inactivity, where supported.
- c. When remotely accessing the college’s on-premises IT resources, Highline College’s Virtual Private Network (VPN) connection solution must be used.
- d. Cloud environments belonging to, or managed by, the college must limit both administrative and elevated access to specific Internet Protocol (IP) addresses and address ranges.
- e. Accounts that have elevated or administrative access to assets and resources on the local campus networks must use college VPN to access those resources.
- f. Multi-Factor Authentication (MFA) is required for all VPN connections.
- g. MFA is required for any and all remote access to information technology resources including, but not limited to, VPN and cloud services.
-
- 1.11.8 Additional Requirements by Account Type
- a. Accounts for Guests, Training and Demonstrations
- i. Passwords
- 1. Passwords must be changed on a frequent, regular basis. For example, passwords are changed manually or automatically on a weekly or more frequent basis.
- ii. MFA
- 1. MFA is not enforced. These accounts are for on campus use only and are extremely limited in what they can access – desktop or Wi-Fi only.
- b. Student Accounts
- i. Availability
- 1. A student’s myHighline account will be available when the student is eligible to enroll (term-activated) for a current or future term.
- 2. The myHighline account will be disabled when the student is no longer eligible to enroll. This occurs when:
- a. the student has graduated (degree credential has been processed by Enrollment Services and the student’s program has been concluded); or
- b. the student is no longer eligible to enroll due to lack of enrollment activity (4 consecutive quarters with no enrollment) or for other procedural reasons.
- c. Standard Accounts for Employees
- i. Availability
- 1. Accounts should be disabled upon separation, as identified by Human Resources according to procedure, or after going unused or inactive for one year.
- d. Specially Designated Lab Environments
- i. Passwords
- 1. The passwords should meet standard requirements expressed elsewhere in this document where feasible.
- ii. MFA
- 1. Multi-Factor Authentication (MFA) should meet standard requirements expressed elsewhere in this document where feasible if remote or off-campus access is enabled, implemented, or utilized.
- e. Third-Party Maintenance Accounts
- i. Availability
- 1. Accounts must also be reviewed at the end of contract, agreement, project (activity, or immediate need), change of staffing (or employment).
- f. Third-Party Access Accounts
- i. Availability
- 1. Accounts must also be reviewed at the end of contract, agreement, project (activity, or immediate need), change of staffing (or employment).
- g. Service Accounts
- i. Availability
- 1. Accounts must also be reviewed at the end of the functional need.
- ii. Passwords
- 1. Passwords must have a length of at least 24 characters, where supported.
- 2. Passwords, (or if no password is used, authentication keys, other authentication secrets, or recovery keys), must be changed after an employee that had knowledge of, access to, or exposure to the password no longer works for the college.
- 3. Update all passwords and account credentials or recovery keys at least annually.
- iii. MFA
- 1. MFA may be required depending on the systems and data accessed by the service account.
- 2. Where utilized, MFA must be managed through a credential management solution.
- h. Administrative, and Other Accounts
- i. Availability
- 1. All administrative accounts must be reviewed at the end of the functional need or annually, whichever comes first.
- 2. Administrative accounts issued to individual employees, should be disabled upon separation, as identified by Human Resources according to procedure, or after going unused or inactive for one year.
- ii. Passwords
- 1. A hardened password with an extended length of at least 24 characters is required, where supported.
- 2. Update all passwords and account credentials (including other kinds of secrets) and recovery keys at least annually.
- 3. Authentication secrets, such as passwords or keys, must be changed after an employee that had knowledge of, access to, or exposure to the secrets no longer works for the college. Change efforts may be prioritized by criticality, however the goal is to update all in scope of this within 30 days.
-
- 1.11.9 Additional Requirements by Data Classification
Additional requirements must be applied to all accounts depending on the highest level of data the account is, will, or could be able to access or be exposed to. Implementation must meet or exceed all applicable requirements.
- a. MFA is required for accounts capable of accessing systems or data classified as category 3 or above.
- b. For identity verification, authentication, and authorization when accessing category 4 data:
- i. MFA requires the individual to first unlock the token and then authenticate with it. Tokens may be hardware tokens, software tokens, digital certificates, SSH keys, or device certificates. An example of a hardware token is a FIDO2-compliant YubiKey; examples of software tokens are Okta, Microsoft Authenticator, and Google Authenticator.
- 1.11.10 Risk Management and Emergency Provisions
- a. At the discretion of the CISO, stronger than normal protections can be applied to an account to help protect it further. For example, additional protections could be implemented to help protect an account that has significantly elevated access, such as, but not limited to: administrative access; information categorized as sensitive or confidential, or accounts that were compromised at any point in the past.
- b. The implementation of such protections does not necessarily need to be part of a process or procedure, but should be included when appropriate and foreseen.
HISTORY
| Date | By | Summary |
|---|---|---|
| 02/03/2026 | Tim Wrye | Update approved. |
