One Phish / 2-Step Standard

Authority: Vice Chancellor for Information Technology
History: First issued in 2015; Last updated May 08, 2020
Scope: All NC State Google accounts, including generics

In 2015, OIT implemented the One Phish / 2-Step rule to provide greater security for our users and to better protect our domain. This rule provides a mechanism for enforcing Google 2-Step verification on an account that has been either phished at least once or compromised (e.g., by password sharing).  

In 2016, NC State University mandated enrollment in Two-Factor Authentication for all employees (including faculty, staff, student employees, no-pay employees, and retirees) by October 31, 2017. This includes using both Google 2-Step verification for Google Workspace accounts and Duo for services that use Shibboleth. For more information, see Two-Factor Authentication (2FA) at NC State.

Under current policy, students are strongly encouraged but not yet mandated to enroll in both of the university’s two-factor services. They should expect a similar policy to be in effect in 2020.

If an account is phished or otherwise compromised prior to the date when two-factor authentication enrollment is required, then the use of Google 2-Step and Duo Security will be enforced on that account.