Data Lockup: The FBI Moves to Advanced Authentication for Law Enforcement Organizations

Last updated: 21 March 2014

Terrorists. Organized crime and drug cartel kingpins. Fraudsters. Serial killers. Sex offenders. Name a criminal and there is one place you can find them all—the US Federal Bureau of Investigation’s Criminal Justice Information System (CJIS).

Since the 9/11 Commission showed that the terror attacks on the World Trade Center might have been prevented by better communication, US law enforcement agencies have become much more effective at sharing information. The focal point for that exchange at all levels (federal, state, local and tribal) is the FBI-operated CJIS system.

Now the FBI is strengthening its security requirements, mandating a new level of “advanced authentication” to access that information. Advanced authentication, or two-factor authentication, essentially calls for using a personal security device, such as a token or a smart card-based credential, whenever accessing CJIS from outside a secure police facility, such as from a police cruiser, an investigation scene, a hotel room or from home.

What makes advanced authentication more secure is that both factors are required. Let’s say someone knows your PIN code but does not have your bank card: they cannot steal money from your account. Likewise, in CJIS, if someone steals your login ID and password but does not have your authenticator, they cannot access the law enforcement network.

The deadline for compliance with the advanced authentication mandate is September 30, 2013. That might sound far off, but in fact it gives partner agencies a very tight implementation timeline.

The primary rationale for implementing advanced authentication is that passwords are weak protection for highly confidential and personal information stored on a network. If you are managing IT security for a police department, implementing advanced authentication means providing your users with authenticators and upgrading the identity and access management infrastructure to work with them.

The first step is to choose an authenticator technology, or even a combination of them. One good option is a hardware-based one-time password (OTP) token. The big advantage of OTP is that it can be implemented quickly, because it does not require changes at the user device level and so is simple to administer.

Another good choice is to use smart card identity credentials with digital certificates. Smart cards are a well-established digital security technology that today protects more than two billion mobile phones and 600 million smart credit cards from fraud worldwide. By putting a digital ID certificate on a smart card, you not only create a very powerful authenticator for advanced authentication, you also get a highly secure ID credential for visual identity verification and physical access control.

In these times of criminal hackers, hacktivists and potential cyber warfare, advanced authentication is now an essential tool for law enforcement information security at every level of government. It’s good to see this included in the CJIS mandate.