One Phish / 2-Step Standard

Authority: Vice Chancellor for Information Technology
History: First issued in 2015; Last updated May 15, 2017
Scope: All NC State Google accounts, including generics

In 2015, OIT implemented the One Phish / 2-Step rule to provide greater security for our users and better protect our “ncsu.edu” domain. This rule provides a mechanism for enforcing Google 2-Step verification on an account that has been either phished at least once or compromised (e.g., by password sharing).

In 2016, NC State University mandated enrollment in two-factor authentication for all employees (including faculty, staff, student employees, no-pay employees, and retirees) by October 31, 2017. This includes using both Google 2-Step verification for G Suite accounts and Duo for services that use Shibboleth. For more information, see https://go.ncsu.edu/2fa.

Under current policy, students are strongly encouraged but not yet mandated to enroll in both of the university’s two-factor services. They should expect a similar policy to be in effect in 2018.

If an account is phished or otherwise compromised prior to the date when two-factor authentication enrollment is required, then the use of Google 2-Step will be enforced on that account.