CJIS Education: What Does Advanced Authentication Mean?
For many IT service providers in law enforcement, the most confusing part of the new CJIS guidelines is the “advanced authentication” terminology (most prominent in CJIS Policy Area 6). As agencies and IT professionals scramble to ensure they are fully compliant with all CJIS security guidelines by the upcoming September 2014 deadline, many feel that this “advanced authentication” aspect will be their biggest hurdle.
(related blog post: CJIS Compliance: Advanced Authentication and You)
From the new CJIS standards:
“The requirement to use or not use AA [advanced authentication] is dependent upon the physical, personnel and technical security controls associated with the user location...the intent of AA is to meet standards for [multi-factor] authentication.”
So basically, if a user logs into the system used to access CJIS from a non-secure location (such as outside a secure police station or agency office), they will need to prove their identity with advanced authentication, also called two-factor authentication (2FA).
From the new CJIS standards:
“[two factor authentication] employs the use of two of the following three factors of authentication: something you know (e.g. password), something you have (e.g. hard token), something you are (e.g. biometric). The two authentication factors shall be unique (i.e. password/token or biometric/password but not password/password or token/token).”
So while 2FA might sound complicated, it’s actually something we’re all familiar with. If you’ve ever used an ATM, you’ve used 2FA. At the ATM, you first present your debit or bank card (something you have), and then enter your 4-digit PIN (something you know).
2FA provides a greatly enhanced level of security, because a system protected by 2FA is nearly impenetrable to a security breach from outside. After all, even if a hacker somehow acquires or guesses a system password, they would still need to enter another security “factor” in order to access the system—one they simply wouldn’t be able to provide.
For example, stolen laptops have been the source of many a security scandal. In the past, a thief who stole the right laptop would have access to any and all information stored on that laptop and its open applications—like protected sensitive information, personal data, and worse. But if a system is protected by 2FA, the thief still wouldn’t be able to provide the security factors needed to access secure databases and applications.
The biggest challenge for many IT service providers seeking to implement an advanced authentication option for their users is which second security factor to use. The most popular first factor is obviously passwords (something you know). But when it comes to the second factor, even the most experienced of IT professionals are unsure of how to proceed. Many law enforcement officers are on the road all day; will they need to log in over and over again using some complex procedure? Because that’s not going to go over well. Is the department going to have to invest in expensive biometric login tools? Because that’s not going to go over well, either.
Fortunately, today’s 2FA options are more convenient and affordable than ever. There are plenty to choose from, including smart cards, hardware tokens with single-use codes, fingerprint scanners, USB tokens, and more. One of the most affordable and practical options is a one-time access code generated by a secure mobile app on the user’s smartphone.
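To make the “two unique factors” rule and the mobile-app one-time code concrete, here is an added example (not code from the CJIS policy or from any vendor product) of how a login service can enforce both: it rejects password/password or token/token combinations and checks an RFC 6238 TOTP code generated by an authenticator app. The user record, salt and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

# Factor categories from the CJIS 2FA definition quoted above.
KNOW, HAVE, ARE = "know", "have", "are"

# Constructed sample enrollment for one user (hypothetical values, not CJIS data).
SALT = b"constructed-salt"
USER = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",  # the RFC 6238 test-vector secret
}

def distinct_factor_categories(presented):
    """CJIS rule: exactly two factors, drawn from two different categories."""
    cats = [c for c, _ in presented]
    return len(cats) == 2 and len(set(cats)) == 2 and set(cats) <= {KNOW, HAVE, ARE}

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_factor(user, category, value, unix_time):
    if category == KNOW:
        candidate = hashlib.pbkdf2_hmac("sha256", value.encode(), SALT, 100_000)
        return hmac.compare_digest(candidate, user["password_hash"])
    if category == HAVE:
        # Accept the adjacent 30 s steps to tolerate clock drift on the phone.
        return any(hmac.compare_digest(totp(user["totp_secret"], unix_time + d * 30), value)
                   for d in (-1, 0, 1))
    return False  # biometrics ("are") are outside the scope of this example

def authenticate(user, presented, unix_time):
    """presented: list of (category, value) pairs. True only if both factors pass."""
    if not distinct_factor_categories(presented):
        return False  # password/password or token/token does not satisfy AA
    return all(check_factor(user, c, v, unix_time) for c, v in presented)
```

The code is for the policy check and the verification arithmetic only; a real deployment would also rate-limit attempts and store the TOTP secret encrypted.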
With a system protected by 2FA, you can also explore more advanced options like single sign-on (SSO). With SSO, a user logs in with two-factor authentication and is then taken to their SSO portal screen, where they can automatically sign in to all of their needed applications and websites without having to re-enter their credentials. Because of the 2FA initially required, single sign-on satisfies the “advanced authentication” CJIS requirement and can be seamlessly taken on the road, allowing officers to enjoy enhanced security without disruption to their day-to-day operations.