Police Tech & Gear
with Tim Dees
Dual-factor authentication: Why you should care
Two elements required to identify you are something you know and something you have
Computer passwords have become a way of life for most of us. We have to have them to log on to the system at work, there’s another for email and Facebook, and you probably have some more for your bank, for Amazon, and any other online services you use — by the way, if all these passwords are the same, please stop reading and go change them now.
Passwords are like keys. They work if you use them and the locks they operate, but their effectiveness is reduced if you leave them around where they can be stolen or duplicated, or worse yet, don’t bother to use them at all.
The best efforts of IT managers are defeated when people write their passwords down on a desk blotter or ‘Post-It’ note next to the computer, use the same password for all their accounts, and/or choose a password that is easy to guess. When the underground hacker group LulzSec gained access to a state law enforcement agency’s network last year, many of the passwords in use were things like “12345,” “qwerty” and the name of the station where the officer worked.
Fixing a Serious Security Problem
The Criminal Justice Information Services (CJIS) branch of the FBI — those nifty folks who bring you NCIC and its related services — will soon be requiring dual-factor authentication to access some of its services from mobile terminals. Mobile systems are considered to be more vulnerable than those in brick-and-mortar buildings, and thus at greater risk of intrusion.
Whether you will be in the group that is forced to adopt the increased security measures is determined by what information can be accessed from your mobile device and the route it takes between you and the FBI’s data center in Clarksburg, West Virginia.
If your requests go through a state switcher, you may not be required to make the change — yet.
Something You Know, Something You Have
Dual-factor authentication requires two elements to identify you as an authorized user of the system. The dual factors are usually something you know plus something you have. The “something you know” is usually a password, although it can be a security question or an item of data that changes frequently.
You’ve probably run into these on websites that ask for information most people wouldn’t know about you, such as what street you lived on as a child or your father’s middle name. Hotels use passwords that change frequently for access to their guest Wi-Fi networks. The password may be the same for everyone staying at that hotel, but it changes every day.
The “something you have” is the new wrinkle. This second verification token can be an ID card with an embedded RFID chip, a USB drive loaded with a special code, a scanned fingerprint, or even facial recognition. Many laptop computers that incorporate webcams have software that scans the face of the person trying to log onto it. If the software doesn’t recognize you, you don’t get in. The same software stores the image of anyone trying to log on, so attempts to break in are recorded.
Biometric factors such as fingerprints and face recognition can be problematic from a security perspective. Fingerprint readers on most computers capture relatively few data points, so they’re easily spoofed. A “gummy finger” cast made from silicone rubber will fool most of these readers. Similarly, a face recognition system can sometimes be defeated with a photograph of the authorized user. Some of the more recent systems ask the user to turn their head to different angles and make faces, so the system can randomly request a different view and make life more difficult for the interloper.
As the sensitivity of these biometric scanners increases, so does the number of Type I errors, where the system refuses to recognize a legitimate token and locks out an authorized user. This is why second factor tokens such as USB “dongles” or magstripe cards are preferred (by security managers) over biometrics. If you lose or forget the token, it’s useless without your password, but you’re also locked out of the network. It’s a balance between making the system difficult to break into but easily accessed by rightful users.
Given the sensitivity of the information contained in criminal justice networks, it wouldn’t surprise me to see dual-factor authentication become the standard within a few years. You can resist the change, but that doesn’t mean it won’t affect you.