Draft Authentication Management

Published: June 25th, 2013

Category: Security Team Blog

UPDATE: This policy was approved July 11, 2013.

The Authentication Management policy is intended to replace the existing Gatorlink Password Management Policy. The most significant change in the policy is that it will apply to all uses of passwords at UF, rather than only to Gatorlink passwords.

The Authentication Management Standard maintains the concept of password levels (e.g., P2, P3, etc.), but changes the definition of P4 to include users with access to more than limited amounts of Restricted Data. It is anticipated that this will mostly impact clinicians with access to patient records. Anticipating the expanded number of P4s, especially in the clinical environment, the policy also expands phone resets to P4s. However, it is anticipated this will take a while to become available, since we’ll need to find better methods to verify the identity of callers.

The Password Complexity Standard has two significant changes: a doubling of maximum password age for P2-P5, with a corresponding decrease in the number of failed attempts before lockout; and the addition of pass phrases as an alternative to passwords. If a user selects a password that is 18 characters or longer, then it is no longer subject to complexity or dictionary checks.

Please submit feedback on these drafts in the comment section of this page.
