The Growing Wave of Two-Factor Authentication in Local Government

As the saying goes, two is better than one — especially when it comes to authentication technologies for securing access to sensitive data.

"The [FBI Criminal Justice Information Services] requirement was a motivator, but we have always been very aware of all kinds of security threats, like hacking and social engineering attacks," says Richard Semple, public safety technology director for Williamson County, Texas. "Two-factor authentication is part of our proactive strategy to block them."

Two-factor authentication requires users to present another form of identification beyond the standard username/password to gain access to the network. The second factor is something the user has, such as a token, smartcard, temporary access code delivered to a smartphone or a biometric identifier.

In 2010, the Department of Justice published FBI CJIS security policies that require the use of two-factor ­authentication for remote access to the national criminal justice database. State and local governments may lose access and incur penalties if they haven't complied by Sept. 30, 2013. The CJIS mandate has driven deployment of two-factor authentication in local government, where the technology often first takes hold in law enforcement and public safety departments.

Authentication Investment

Last September, Williamson County began rolling out Imprivata OneSign two-factor authentication to 850 users — IT staff, law enforcement, emergency medical responders and personnel in the 911 emergency communication center, as well as all city police and fire departments connected to the county dispatch network. The implementation may eventually extend to as many as 2,000 users in Williamson County, which includes Round Rock and other communities in the metropolitan Austin area.

"Any system or user who touches our public safety software was included in the first phase of the advanced authentication project from the beginning, but it will grow as we see the benefits," says Semple.

Imprivata's streamlined approach to single sign-on was a key factor in selecting the company's technology, according to application support specialist Jeff Austin. "The system gave us the security we need but also simplified things for users, cutting their downtime and easing IT support," he says.

Proven integration with Williamson County's SunGard public safety software, its NetMotion virtual private network and the Citrix client virtualization platform used in the county's remote sites was also a crucial consideration in product selection, says Semple.

The county spent roughly $175,000 on the authentication system, which provides options and scalability that will make it useful well into the future, Semple notes. Austin adds, "Risk mitigation is an important intangible when you calculate the return on this kind of investment."

Security in Tight Times

Williamson County's adoption of two-factor authentication is part of a growing wave, says Alan Shark, executive director of the Public Technology Institute, a national association of city and county executives. "The technology had been trickling down from the federal level pretty slowly because of the cost involved and training issues for users and IT staff," says Shark.

In North Carolina, local law enforcement agencies are collaborating with the University of North Carolina School of Government to explore two-factor authentication and winnow their options as they face the CJIS deadline, says ­Lawrence Cullipher, the IT director for the Raleigh Police Department. "There's a lot of information floating around about two-factor authentication. We're trying to sort through it and find the best way for everyone to meet the deadline this year," Cullipher says. "We're lucky to have the university helping us create scenarios and going between us and the FBI."

Do-It-Yourself Compliance

Because Goshen County, Wyo., lacked the funding for a new authentication solution, staff took a creative approach to satisfy CJIS requirements, says Gary Meerkreebs, director of information technology for the county. Law enforcement officers and other remote public safety workers connect wirelessly to the county's WatchGuard Secure Sockets Layer VPN. The first level of authentication is based on the Media Access ­Control address of the endpoint. Only designated MAC addresses are allowed over the VPN and into specific ports through a firewall.

Domain credentials present the second line of defense. Goshen County and the city of Torrington share a network infrastructure that is divided into four partitioned domains. Nobody can access the law enforcement segment of the network without a valid credential; access to law enforcement software requires a user ID and password.

"We can control who is presenting a request to our network, who gets on the network, where they can go and what they can use," Meerkreebs says. "It's probably not the best way to do it, but it works because of the way our domains were set up. We had a CJIS audit recently and did really well. It's hard to spoof a MAC address."

The county IT staff also use the multifactor authentication system, and ­Meerkreebs would like to extend the deployment to some employees, like those in the water department, who work with critical physical infrastructure. "Budget is the only reason we haven't used a vendor solution," says Meerkreebs.

For PTI's Shark, data security tops the list of issues confronting local governments. "Of course, two-factor authentication is a good idea, but the bad guys are so far ahead of us," he says. "At the very least, we need to leapfrog to biometrics. What's missing is awareness in public employees of the security threats that exist. Two-­factor authentication is an important piece of the answer, but not all of it."l