Oct 17 2019

Multifactor Authentication Helps Agencies Boost Cybersecurity

Feds are slowly moving toward more advanced forms of authentication technology.

Faced with a continuing assault by hackers, some federal agencies are experimenting with new ways to confirm employees’ identity through state-of-the-art authentication technologies.

The cutting-edge solutions are designed to prevent unauthorized access to sensitive information. As National Cybersecurity Awareness Month continues, agencies including the Department of Defense and the Department of Health and Human Services are looking into methods that both enhance and simplify identification.

Most agencies are considering forms of multifactor authentication for local and network access. MFA includes something you know, such as a password or a personal identification number; something you have, including a token or cryptographic device; and something you are — a biometric identifier such as a fingerprint.

Additional factors can include time of day (would the user normally be logging in at this hour?), and how a user accesses information on their personal devices over time (does the user tap into his email first, or check the weather?). 

Multifactor Authentication Proves Slow to Deploy

The federal government is currently at a 93 percent adoption of standard two-factor personal identity verification cards, according to a 2018 Office of Management and Budget analysis of cybersecurity across agencies. 

But there are challenges in taking the next step in integrating advanced authentication systems across federal networks; for instance, the State Department was called out in a 2018 letter from a bipartisan group of senators for not having enough secure authentication mechanisms.

“Agencies need to move toward a single, authoritative solution for establishing and managing attribute- or role-based access controls for their users,” says the OMB report.

The federal market is moving at “glacial speed” on advanced multifactor authentication adoption, says Andras Cser, vice president and principal analyst for Forrester Research.

“I’m not expecting quick improvement given the size and extent of the deployments that they have — aircraft carriers and ships. It is complex.”

MORE FROM FEDTECH: Find out how the NIST Risk Management Framework helps boost agencies’ cybersecurity. 

Agencies Experiment with New ID Technologies

The Defense Information Systems Agency is working on advanced MFA prototypes but doesn’t want a customized military system. 

“We are working to make the technology commercially viable, and then push for adoption across the Department of Defense,” says Steve Wallace, a systems innovation scientist at DISA’s Emerging Technology Directorate. “We do not want a DOD-specific solution.”

Currently, DISA is testing the incorporation of wearables, virtualization and other advanced biometrics. The agency is considering state-of-the-art factors for identification, including the way a person walks, the way he or she swipes at a touch screen and the way he or she holds a smartphone.

DISA has also added hardware attestation to the test mix. That’s a mechanism for providing cryptographically signed and encrypted data that describes the security state of a device that’s set to receive security credentials. 

DISA is currently working with Samsung, among other companies. The pilots will run over the next two years.

The defense department currently relies on common access cards and personal identification numbers, said Army Maj. Nikolaus Ziegler at AFCEA’s TechNet Cyber event in May. Those are less secure, however, because current protocols don’t require continuous revalidation in order for a user to access sensitive information. 

The Army is considering new MFA technologies to help reserve troops access information from home more easily. One is an authentication application that could be downloaded to a mobile device, avoiding the need for a common access card reader. Another possible technology involves USB devices that specialize in two-factor authentication based on encrypted, one-time passwords. 

MORE FROM FEDTECH: Discover the security benefits of software-defined perimeters. 

Searching Through 240 Indicators of Behavior

The Department of Health and Human Services has a huge trove of personally identifiable information related to healthcare to safeguard. It manages the Centers for Medicare and Medicaid Services, the Centers for Disease Control and Prevention and the Food and Drug Administration. 

Health and Human Services CIO Jose Arrieta is keenly interested in advanced multifactor authentication. While the agency now relies on two-factor systems, he foresees the use of 240 indicators of behavior for authentication

“Rather than just a username and password, I can use your connectivity to your secure Wi-Fi,” says Arrieta. “I can use an ear scan. I can use a facial scan. I can use a thumbprint tag. I can use the fact that you connect to your Whirlpool device when you walk down the steps of your house in the morning. Who do you text? What’s the humidity outside?”

Arrieta is excited by the idea of integrating user authentication with the Internet of Things. “We think it can be transformational and we think it’s directionally at the edges where the marketplace, both consumer and government, is going.”

As exciting as they sound, advanced MFA systems can raise privacy issues when elements of daily life can potentially become authentication factors. 

DISA’s Ziegler said his agency is constantly listening to its beta testers across the defense department, which helps address concerns and the cultural shifts required in making a smartphone and a user’s unique data central to MFA systems. 

“Privacy is essential in assured identity,” said Ziegler. “Continuous multifactor authentication ensures the factors about you do not leave the phone, and we look for products that align to that.”

Bank215/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT