BGSU Multi-Factor Authentication Standards

Purpose


The purpose of this webpage is to establish standards for implementing multi-factor authentication (MFA) to protect Bowling Green State University’s (BGSU) sensitive data and systems from unauthorized access.

Scope


These standards apply to all employees, contractors, and vendors who access BGSU's systems, applications, and data. These standards also apply to any third-party service providers who provide access to university systems, applications, or data.

Standard


BGSU shall implement multi-factor authentication (MFA) for all access to its systems, applications, and data. The MFA method shall be based on industry best practices and the sensitivity of the data being accessed. The implementer shall use the university's standardized SSO and MFA solutions when applicable. To qualify as MFA, authentication shall require the user to present at least two of the following three factors:

  • Something the user knows (e.g., a password, passphrase, or PIN)

  • Something the user has (e.g., a smart card, token, or phone)

  • Something the user is (e.g., a biometric feature such as a fingerprint, facial recognition, or voice recognition) 

MFA Methods


The organization shall use the following MFA methods based on the sensitivity of the data being accessed:

  • Low sensitivity university data: Two-factor authentication (2FA) with a password and either a one-time code sent via phone call or SMS, or a mobile notification prompt from the current MFA tool in use for BGSU.

  • Medium-High sensitivity university data: Two-factor authentication (2FA) with a password and either a soft token (mobile application) or a hard token (physical token device).

Exceptions


Exceptions to these standards must be approved by BGSU’s Information Security Officer (ISO) or designated representative.

Enforcement


Failure to comply with these standards may result in disciplinary action.

Review


These standards shall be reviewed annually and updated as necessary to ensure their effectiveness and compliance with applicable laws, regulations, and industry best practices.

Last Updated: 3/28/23

Updated: 05/22/2023 09:33AM