Dual-factor authentication: Why you should care

Two elements required to identify you are something you know and something you have

Computer passwords have become a way of life for most of us. We have to have them to log on to the system at work, there’s another for email and Facebook, and you probably have some more for your bank, for Amazon, and any other online services you use — by the way, if all these passwords are the same, please stop reading and go change them now.

Passwords are like keys. They work only if you actually use them on the locks they operate, and their effectiveness is reduced if you leave them lying around where they can be stolen or duplicated, or, worse yet, don’t bother to use them at all.

The best efforts of IT managers are defeated when people write their passwords down on a desk blotter or ‘Post-It’ note next to the computer, use the same password for all their accounts, and/or choose a password that is easy to guess. When the underground hacker group LulzSec gained access to a state law enforcement agency’s network last year, many of the passwords in use were things like “12345,” “qwerty” and the name of the station where the officer worked.

Fixing a Serious Security Problem
The Criminal Justice Information Services (CJIS) branch of the FBI — those nifty folks who bring you NCIC and its related services — will soon be requiring dual-factor authentication to access some of its services from mobile terminals. Mobile systems are considered to be more vulnerable than those in brick-and-mortar buildings, and thus at greater risk of intrusion.

Whether you will be in the group that is forced to adopt the increased security measures is determined by what information can be accessed from your mobile device and the route it takes between you and the FBI’s data center in Clarksburg, West Virginia.

If your requests go through a state switcher, you may not be required to make the change — yet.

Something You Know, Something You Have
Dual-factor authentication requires two elements to identify you as an authorized user of the system. The dual factors are usually something you know plus something you have. The “something you know” is usually a password, although it can be a security question or an item of data that changes frequently.

You’ve probably run into these on websites that ask for information most people wouldn’t know about you, such as what street you lived on as a child or your father’s middle name. Hotels use passwords that change frequently for access to their guest Wi-Fi networks. The password may be the same for everyone staying at that hotel, but it changes every day.

The “something you have” is the new wrinkle. This second verification token can be an ID card with an embedded RFID chip, a USB drive loaded with a special code, a scanned fingerprint, or even facial recognition. Many laptop computers that incorporate webcams have software that scans the face of the person trying to log onto it. If the software doesn’t recognize you, you don’t get in. The same software stores the image of anyone trying to log on, so attempts to break in are recorded.

Biometric factors such as fingerprints and face recognition can be problematic from a security perspective. Fingerprint readers on most computers capture relatively few data points, so they’re easily spoofed. A “gummy finger” cast made from silicone rubber will fool most of these readers. Similarly, a face recognition system can sometimes be defeated with a photograph of the authorized user. Some of the more recent systems ask the user to turn their head to different angles and make faces, so the system can randomly request a different view and make life more difficult for the interloper.

As the sensitivity of these biometric scanners increases, so does the number of Type I errors, where the system refuses to recognize a legitimate token and locks out an authorized user. This is why second-factor tokens such as USB “dongles” or magstripe cards are preferred (by security managers) over biometrics. If you lose or forget the token, it’s useless without your password, but you’re also locked out of the network. It’s a balance between making the system difficult to break into yet easy for rightful users to access.
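The trade-off described above, as an added illustration that is not part of the original article: the match scores below are constructed, not measured from any real scanner, and the threshold sweep shows how tightening a biometric matcher to shut out impostors raises the Type I (false rejection) rate for the legitimate user, while a second factor alone never admits anyone without the password.

```python
"""Constructed demonstration of the biometric false-reject / false-accept trade-off."""
from dataclasses import dataclass

# Constructed similarity scores (0.0 = no resemblance, 1.0 = perfect match).
# Legitimate, enrolled user presenting their own fingerprint or face:
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.84, 0.79, 0.76, 0.72, 0.69, 0.66, 0.60]
# Other people and spoof attempts (e.g. a photograph held up to the camera):
IMPOSTOR_SCORES = [0.15, 0.22, 0.30, 0.38, 0.45, 0.52, 0.58, 0.63, 0.70, 0.77]


@dataclass(frozen=True)
class ErrorRates:
    threshold: float
    false_reject_rate: float  # Type I: legitimate user locked out
    false_accept_rate: float  # Type II: impostor admitted


def error_rates(threshold, genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES):
    """Classify every score against one acceptance threshold and tally the errors."""
    rejected_genuine = sum(1 for s in genuine if s < threshold)
    accepted_impostor = sum(1 for s in impostors if s >= threshold)
    return ErrorRates(
        threshold,
        rejected_genuine / len(genuine),
        accepted_impostor / len(impostors),
    )


def sweep(thresholds):
    """Error rates for each threshold; a stricter matcher is a higher threshold."""
    return [error_rates(t) for t in thresholds]


def two_factor_decision(biometric_score, threshold, password_ok):
    """Both factors must pass: a recognised face or finger alone is not enough."""
    return password_ok and biometric_score >= threshold


if __name__ == "__main__":
    for r in sweep([0.5, 0.65, 0.8]):
        print(f"threshold={r.threshold:.2f}  Type I (false reject)={r.false_reject_rate:.0%}"
              f"  Type II (false accept)={r.false_accept_rate:.0%}")
    # Strong biometric match but no password: still denied.
    print("biometric only:", two_factor_decision(0.95, 0.8, password_ok=False))
```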

Given the sensitivity of the information contained in criminal justice networks, it wouldn’t surprise me to see dual-factor authentication become the standard within a few years. You can resist the change, but that doesn’t mean it won’t affect you. 

About the author

Tim Dees is a writer, editor, trainer, and former law enforcement officer. After 15 years as a police officer with the Reno Police Department and elsewhere in Northern Nevada, Tim taught criminal justice as a full-time professor and instructor at colleges in Wisconsin, West Virginia, Georgia, and Oregon.

He was also a regional training coordinator for the Oregon Dept. of Public Safety Standards & Training, providing in-service training to 65 criminal justice agencies in central and eastern Oregon.

Tim has written more than 300 articles for nearly every national law enforcement publication in the United States, and is the author of The Truth About Cops, published by Hyperink Press. In 2005, Tim became the first editor-in-chief for Officer.com, moving to the same position for LawOfficer.com at the beginning of 2008. He now writes on applications of technology in law enforcement from his home in SE Washington state.

Tim holds a bachelor’s degree in biological science from San José State University, a master’s degree in criminal justice from The University of Alabama, and the Certified Protection Professional credential from ASIS International. He serves on the executive board of the Public Safety Writers Association.

Dees can be reached at tim.dees@policeone.com.
