Page 40 - FCW, August 2017
Cybersecurity
Passwords have been supplanted as an authentication factor. Replacement options could include iris scanners, fingerprint readers, facial recognition and other authentication factors.
more about cost than people,” she added. “Now we heard that the Obama and then the Trump administrations didn’t want to put funding in place to control the user element. Technical solutions can only go so far.”
Furthermore, MFA methods are not foolproof, and fingerprint readers and retinal scanners have the potential to be “wonky,” Marchese said. However, CAC authentication might not be too burdensome on a trusted computer if administrators post a certificate on the computer every 30 days using Google Authenticator or something similar, she added.
“PINs, fingerprints, biometrics — you can use those, but how do you work through the human factor?” Marchese said. “Sometimes it’s just ignorance on the part of the users because no one explained it so they could understand or be invested in understanding.”
She said people open attachments sent from unknown users via email despite being warned not to. “People still do this even after training,” Marchese added. “But how do you push that down the organization to middle managers [and] the day-to-day workers?” Senior leaders don’t want to be responsible, “but you have to make cyber hygiene part of people’s day-to-day thought process in a non-intrusive way somehow. You’ve got to have layered security. We need layers that don’t break the mission of the agency but also don’t break the security of the network.”
MFA solutions for the federal government cannot be one size fits all, so how an agency implements MFA should depend on the sensitivity of its data and where MFA would be used within the agency’s architecture.
“There are certain places where it may make sense for all agencies to use 2FA,” said Michael Bahar, former minority staff director and general counsel for the House Permanent Select Committee on Intelligence and now a partner at Eversheds Sutherland law firm. “However, it won’t make sense for agencies to always implement MFA in the same way or even for every instance where authentication is required. A layered defense strategy may be useful.”
Authentication factors beyond CACs
With DOD pushing fairly aggressively to eliminate CACs, there are implications for the authentication factors that will be usable replacements. Security experts say soft tokens that feature secure mobile applications (e.g., RSA SecurID) will offer reliable security in the near term.
“For years, the market has produced authentication solutions that offered better security but often at the expense of the user experience,” said David London, a senior director in the security services practice at the Chertoff Group. “For example, two-factor authentication solutions often require users to ‘break stride’ to log in — such as those that not only require a password but also require a user to find a hardware token, copy a number off it and then enter it into an application. As a result, these solutions have had uneven implementation and uptake.”
Instead, commercial tools such as Apple Touch ID or Windows Hello, which are face- or fingerprint-based, could have useful government applications if properly deployed. And most smartphones and laptops now ship with “primitives” built in to deliver strong MFA that allows password-less login experiences that are more secure and easier for the user, said Jeremy Grant, former senior executive adviser for identity management at NIST.
“In these cases, factor 1 is a biometric that is matched on the device and only on the device — it cannot leave it,” said Grant, who is now Venable’s managing director for technology business strategy. “Once matched, it then unlocks factor 2: the private key of a public/private cryptographic key pair that is used to log in the user. There are a number of great options in the market to get this these days, and they
34 August 2017 FCW.COM