BİM.PR.13 — Multi-Factor Authentication (2FA) Procedure
| Field | Value |
|---|---|
| Document No | BİM.PR.13 |
| Version | 1.0 |
| Initial Release | 26.04.2026 |
| Owner Group | Network and Security Group |
| Prepared by | IT Directorate — Network and Security Group |
| Approved by | Mehmet ARARAT — IT Director |
| Legal Basis | KVKK Art. 12 · TS EN ISO/IEC 27001:2022 A.5.17 · BİGDES |
| Related Documents | KYS.POL.01 P18 (Authentication), P08 (Remote Access), KYS.POL.02, KYS.POL.04, BİM.PR.05, BİM.PR.12, BİM.PR.14, BİM.PR.27 |
1. Purpose and Scope
Within the framework of KYS.POL.01 P18 (Authentication and Authorisation Policy), this procedure defines the mandatory multi-factor authentication (2FA) requirement for corporate accounts, the supported methods, and account recovery workflows.
Applies to all academic and administrative staff (including part-time), visiting faculty, system administrators, and — progressively from the 2026 Autumn semester — all students.
2. Mandatory Requirement
2FA is mandatory and cannot be disabled on all of the following accounts:
- Corporate Google Workspace accounts (@hku.edu.tr, <student_id>@std.hku.edu.tr)
- VPN connections (BİM.PR.27, KYS.POL.01 P08)
- All systems accessed via portal.hku.edu.tr
- BIM administrator accounts (hardware key mandatory — s.5)
3. Primary Method
Google 2-Step Verification + Google Authenticator (natively compatible with Google Workspace).
- Push notification (preferred) or 6-digit time-based one-time password (TOTP).
- Setup: myaccount.google.com/security or portal.hku.edu.tr → Account → 2FA Setup.
- 10 recovery codes are generated; they are single-use and must be stored in a secure location.
4. Backup Methods
| Priority | Method | Use Case |
|---|---|---|
| 1 | Recovery code (10 codes) | Lost or replaced phone |
| 2 | SMS backup | Emergency use only when authenticator is unavailable |
| — | Email backup | Not used (compromise vector) |
5. Additional Requirements for Administrator Accounts
For BIM Director, system administrators (BİM.PR.05 scope), domain admin, and super-admin accounts:
- Hardware key (FIDO2 / YubiKey) mandatory
- Trusted device (30-day remembering of the browser + device combination, s.6) — disabled; 2FA required at every session
- Administrator accounts are not used for daily tasks (P02 — segregation of duties)
- All administrator actions are logged (BİM.PR.10, BİM.PR.24)
6. Trusted Device
The same browser + device combination is remembered for 30 days without requiring re-authentication. Sensitive operations (password change, account recovery, authorisation delegation) require 2FA every time.
7. Lost or Stolen Device
Report to Help Desk within 24 hours → BIM revokes existing 2FA → user registers new 2FA in person with ID → sessions initiated during the lost period are forcibly terminated.
8. Violations
Attempts to bypass 2FA (shared code, account without password) are assessed under KYS.POL.04 s.55 + P18.
9. Entry into Force
26.04.2026; reviewed every January and July.
Hasan Kalyoncu University · IT Directorate
Osmanlı Mah. Havaalanı Yolu Üzeri 8. Km 27010 Şahinbey/Gaziantep
444 6 458 · destek@hku.edu.tr · destek.hku.edu.tr · portal.hku.edu.tr
KEP: hasankalyoncu.unv@hs01.kep.tr
