Jan 12 2023

Security

Federal agencies have options to strengthen security when signing in to accounts.

Tanya Candia

Tanya Candia is an international management expert, specializing for more than 25 years in information security strategy and communication for public- and private-sector organizations.

Passwords are hard to remember and even harder to change periodically, and it’s increasingly difficult to devise strong credentials. Instead of confronting the challenge, many users rely on weak passwords and reuse them for multiple accounts. This makes it easy for cybercriminals to guess credentials or obtain them via phishing attacks.

Once gathered, credentials can be sold on the dark web. Then, both the original criminal and hordes of other attackers can gain access to personal and work-related systems and data.

Two-factor authentication (2FA) and multifactor authentication (MFA) are accepted ways to make credentials much less vulnerable. 2FA relies on a combination of something you know (e.g., username/password) and something you have (e.g., your mobile phone or computer, a keycard or a USB) or something you are (e.g., a scan of your iris or fingerprint) to ensure that only authorized individuals can access sensitive systems and data.

MFA can involve all three factors. With MFA, even if the username/password combination is stolen, accessing an account is extremely difficult because criminals won’t be able to complete the additional authentication steps.

When MFA and Mobile Devices Don't Mix

Common methods of implementing MFA often rely on the use of mobile devices. When an SMS message, a one-time password or a push notification is sent, it is commonly delivered to a user’s smartphone. That said, there are some risks associated with sending SMS, one-time password or push notifications for MFA. When implemented improperly or as the sole security method, messages could be hacked and codes intercepted. In fact, the U.S. government has recommended that no MFA solution should rely solely on SMS verification tools.

Ensuring Protection Outside of Mobile-Based MFA

To fill these gaps and ensure 100 percent MFA coverage, agencies may consider hardware security keys. The key is typically a physical device, often a USB drive that only grants access to accounts while it is plugged into a computer. It provides a high level of protection against phishing and hacking because no one can access an account without both the login credentials and the key. And it doesn’t rely on a phone.

Another solution is Login.gov, the General Services Administration’s cloud-based remote identity proofing platform. Login.gov provides strong authentication to let the public access participating programs, using MFA for desktops as well as mobile devices. The user need only set up a Login.gov account, create a strong password and then select one or more additional authentication methods. These include security keys, authentication applications, biometric methods, and personal identity verification or common access cards.

17M

The number of people signed up for Login.gov as of March 2021

Source: govtech.com, “Fed’s Authentication Service Comes to State, Local Gov,” March 5, 2021

How Login.gov Handles Authentication

Some Login.gov authentication options do not require a mobile device. These include:

  • Security keys: These physical devices provide the highest level of protection against phishing and hacking if lost or stolen. To be used with Login.gov, security keys must meet Fast Identity Online standards. Examples include YubiKey keys, which support many protocols and are compatible with a wide range of online services.
  • Authentication applications: These applications, once downloaded to a computer, generate secure, six-digit codes used to sign in to accounts. The app is more secure than phone calls or text messages, which are susceptible to phishing, hacking or interception by cybercriminals who can reroute messages. Examples of authentication applications are 1Password and OTP Manager for Windows and Mac devices and the Authenticator extension for Chrome.
  • Biometric authentication: Facial recognition and fingerprint sign-in to Login.gov accounts are phishing-resistant methods, but they come with some limitations. They can only be used on devices that support them, and they are specific to both the device and the browser. In most cases, users will need to purchase and install hardware for fingerprint recognition or a biometrically enabled camera.
  • PIV or CAC: Personal identity verification or common access cards are secure options for federal government employees and military personnel. They are resistant to phishing and hard to hack if stolen. However, these cards are not available to everyone.
  • Backup codes: If all else fails, Login.gov can generate a list of backup codes, each of which can be used only once when logging in. This is the least-secure option for MFA; codes must be printed out or written down, making them just as vulnerable as passwords written on sticky notes left on a desk. Users who choose backup codes as their preferred MFA method must closely guard the codes.

MFA methods that rely on mobile devices can be convenient, but there is a need for equally strong alternatives. Login.gov provides multiple MFA authentication options, extending the reach of strong authentication to those who can’t or won’t use mobile devices.
