Advanced Authentication is the requirement in which you must use "Something You Know" (think password here) and "Something You Have" (think something tangible) to access Criminal Justice Information from a computer or portable device like a laptop, phone, or tablet. However, that is sometimes easier said than understood depending on how your IT network or environment is designed and where you are accessing the information from. The days of using a simple user name and password are long gone in terms of being secure.
It is important to note that although the CJIS Security Policy does not require Advanced Authentication (AA) in all scenarios or cases, it’s highly recommended that agencies consider adapting the use for all access. The technology and evolution of cybercrimes, theft and viruses are so accelerated that agencies should consider using more complex measures of protecting its data even if the CJIS Security Policy doesn't dictate it.
I have seen cases where agencies do not implement proper IT security measures, or do not want to become more advanced because they have "some officers" who cannot adapt to the technology. Your data is only as safe as the weakest officer. They must adapt to the job and the job should not wait for them to catch up. A little trick I did in my own agency that makes everyone an IT expert is this: Get your agency scheduling software and put the software behind all the requirements they need to access everything else in your department. I can guarantee that even that one officer that types with one thumb will learn everything they need to know about IT security just so he can enter his time off and overtime requests!
The Know vs Have Comparison
The rationale behind AA is that it goes beyond a user name and complex password. Something You Know is your password, because you already know it. However to make your system more secure, the Something You Have requirement comes into play. Something You Have is needed because hackers do not have access to it, ever. How is that possible, they don't know my password? Actually that's not entirely true. There are countless ways a hacker can obtain your password. Viruses and unsecured website connections allow hackers to track your key strokes and capture what you type. There is also software that when running, has only one job and that is to constantly generate password combinations over and over, thousands in a second, until it gets your password. This is why clicking links, going to unknown sites and opening unknown files are all important in cyber security. With Something You Have, there is no way a hacker can have it at the same time it is needed to log in which is why this is so important to implement on ALL of your systems ALL of the time.
Let's look at 2 Factor Authentication. Typically, when you want to log into your computer, you type your user name, then your password and hit enter. However with 2 Factor Authentication you must then enter a One Time Passcode or "OTP" that is created by either a USB drive, delivered to you via Text message, or a phone app and then enter that into your computer before gaining access. Because it is delivered and valid only one time, it's generated at the time you need it, and on an external device, there's no way a hacker could have it to use for themselves.
2 Factor Authentication vs Advanced Authentication
The CJIS Security Policy States "Advanced Authentication" for a reason. As 2 Factor Authentication is the most common method, it is not the only method of meeting the policy's requirement. Therefore, instead of the title of 2 Factor Authentication, the FBI uses Advanced Authentication to broaden the solutions available to meet the authentication challenge.
2 Factor Authentication is the method in which a user will log into a device such as a computer or laptop, or a software application, by using a user name, password or PIN number, and a secondary One Time use only Passcode (OTP) is delivered through a secondary method such as phone app or USB device.
However the policy also allows for the use of methods such as Risk Based Authentication to complete the "Something You Have" and Something You Know" challenges. Risk Based Authentication (also called Adaptive Authentication or Contextual Based Authentication) is the process in which multiple factors are collectively calculated to pass/fail a user's access. For example, some basic factors are: Users name, password, a least 5 challenge questions, the geographical location of the computer accessing the network, and other computer forensic information. Together this satisfies the policy's requirement for Advanced Authentication.
Referencing the previous section, a hacker would not be able to duplicate the forensic information of your device well enough to have clear access to a system.
Complex Password Requirement
It's also important to understand the Complex Password Requirement set by CJIS Security Policy. Most people know what a password is, that's pretty simple. But a complex password must meet a minimum, policy based standard, in order to be acceptable. For the CJIS Security Policy, a complex password is defined as meeting the following requirements (as published in the CJIS Security Policy):
1. Be a minimum length of eight (8) characters on all systems.
2. Not be a dictionary word or proper name.
3. Not be the same as the User's ID.
4. Expire within a maximum of 90 calendar days.
5. Not be identical to the previous ten (10) passwords.
6. Not be transmitted in the clear outside the secure location.
7. Not be displayed when entered
Additionally, an agency may choose a Personal Identification Number (PIN Number) Method as well. This is more common when using 2 factor authentication than it is for general computer access. This would be in place of the complex password but it too has its own requirements (as published in the CJIS Security Policy):
1. Be a minimum of six (6) digits
2. Have no repeating digits (i.e., 112233)
3. Have no sequential patterns (i.e., 123456)
4. Not be the same as the User's ID.
5. Expire within a maximum of 365 calendar days.
a. If a PIN is used to access a soft certificate which is the second factor of authentication, AND the first factor is a password that complies with the requirements in Section 220.127.116.11.1, then the 365 day expiration requirement can be waived by the CSO.
6. Not be identical to the previous three (3) PINs.
7. Not be transmitted in the clear outside the secure location.
8. Not be displayed when entered
Understanding the Decision Tree
CJIS Security Policy Section 18.104.22.168.2 was nice enough to include a Decision Tree when Advanced Authentication was introduced several years ago. Unfortunately it is still a little perplexing to some not familiar with technology. As I mentioned earlier, the safest method is to have advanced authentication turned on for your entire system all of the time regardless of the CJIS Security Policy Requirement. It seems to be the trend on where things are going for not only law enforcement but private sector and personal computer methods as well. However, if this is not right for your agency yet, here is a simple way of determining if you are compliant with the minimum CJIS requirements for AA:
Note: All questions apply to the device/computer accessing Criminal Justice Information:
1 Do you know where the computer is physically located? If you do, then the next question applies. If you do not, then jump to question 4.
2 If Question 1 was a Yes, then does the device have a static IP address or "MAC" address that is assigned to a Physically Secure Location (As defined by the CJIS Policy)? If your answer is no, then Advanced Authentication IS REQUIRED and the rest of this list does not matter. If your answer is yes, then continue to question 3.
3 Is the device connected to Criminal Justice Information or access through networks with appropriate technical controls as set forth in sections 5.5 and 5.10 of the policy? If your answer is no, then Advanced Authentication IS REQUIRED and the rest of this list does not matter. If your answer is yes, then continue to question 4.
4 Is the device controlled by the agency (think Mobile Device Management section of the policy for this)? Does the device have a static IP address or "MAC address? Does the device have a secure certificate that is managed by the agency? If your answer is no to any item, then Advanced Authentication IS REQUIRED and the rest of this list does not matter. If the answer is yes AND you are using Secure Certificates or have a Static IP address assigned to the device, then proceed to question 5.
5 Is the device located in an agency owned police vehicle or what the policy refers to as a "Criminal Justice Conveyance"? If the answer is no, then proceed directly to question 7. If the device is located in a police vehicle, then it must have one of these three questions answered as a YES: Static IP or Mac Address, Secure Certificate, or Mnemonic which are assigned to that vehicle. If none are true, and the device can easily be removed from the vehicle without a lock or other intervention, then proceed to question 6.
6 Is the device issued by the agency or provided by the user (also known as BYOD or Bring Your Own Device)? If it is agency issued and is controlled by the agency (Again, think Mobile Device Management), then AA is not required. If the answer to either is no, then AA is required.
7 Does the agency issued device have a CSO-Approved AA compensating control implemented on it? If the agency cannot meet an above requirement due to legitimate technical or business constrains AND the CSO has given written approval permitting AA compensating controls then AA can be waived with approval. However if the agency cannot, then AA IS required.
Where does Advanced Authentication Work Best?
One factor in deciding a solution and even what to implement is at what point is AA required? AA is required when ACCESSING Criminal Justice Information (CJI). That means if you do not have CJI residing on your portable device/laptop, but the software on the device does access CJI, then the software really needs it and technically the device does not. However if CJI resides on the device/laptop, then the device needs AA as well as full disk encryption and mobile device management. This would include any fragments of information left behind by Email programs or CAD/RMS software that may run on a device.
Most software vendors are learning the need for AA quickly and implementing it into their products. However, if your agency is using a Virtual Private Network (VPN) to connect from the car into your secured environment, or if you have multiple programs or Email on the device, then it is easier for the user, and more secure to put AA at the sign on to the device instead of the software. You could certainly do both but then you will also slow down the officer's work flow.
Is your Two Factor REALLY Compliant?
There are different deliverables in which you can receive 2 Factor Authentication. You can have your One Time Passcode sent to a text message or email, a USB can generate the code, there are devices that have constantly changing numbers you can use, or a simple phone app. There are solutions you can run in your own environment and then there are those that are hosted.
But before shelling out big bucks, here are some things to consider when choosing a 2 Factor Authentication vendor. First, look at the deliverables that may not be in the form of a phone app. For example, some companies offer physical products that "expire" or have batteries that cannot be replaced and you need to re-purchase every couple of years. Others have devices that never expire unless you break or lose them. They normally charge a subscription fee on top of that which means your hardware renewal year will be just as much as your first year sometimes.
Second, how much expense and cost of ownership do you want to invest? Think in house (on-premise) vs cloud. Do you want another server? Something else to physically manage or can you just host it in a cloud environment and simply use the product?
If you go the cloud route, keep in mind the CJIS compliance when considering your vendor. Find out where your One Time Passcode (OTP) is really created. If your OTP is being actually generated in a cloud environment that is not CJIS compliant, then your AA solution is not compliant. Makes sense, right? How can you consider AA CJIS compliant if the location where the OTP is generated is not CJIS compliant?
Let me explain this point a little more. When you log into your device using a user name and complex password, the password has to be challenged to make sure you entered the right password and you're a valid user, either locally or using your in house network. The AA solution needs to integrate to that so it knows if the user is a valid user or not. So when you log in, your network tells the AA Solution a pass or fail code. Usually it sends a zero or a one to the AA solution (a "yes their okay "or "no they're not" message). The AA solution then says "Okay thanks" and then creates an OTP and sends it to the user.
The key component to the whole solution here is where that transaction takes place and the code is made. So if that is done in your station OR if that is done securely to a CJIS compliant hosted product, then you're compliant. If that pass/fail message is sent to a server sitting in a public cloud then you're probably not compliant.
Before You Purchase
Most people prefer a phone app for agency issued phones or for officers who do not mind having it on their personal phone. Be cognizant that the trend may be to move away from allowing this due the amount of phone hacking going on. Having a two factor app on a phone that is hacked is basically like leaving the keys in the front door of your house. Although this is not mentioned in the CJIS Security Policy, conversational trends seem to be moving away from this and staying with the separate devices such as the USB drive.
Out of Band Requirement
Effective with CJIS Security Policy Version 5.4 issued in 2016 there came a new requirement. This is called the Out of Band Requirement. Simply put, you can no longer receive your OTP on the same device you are securing. For example, if you receive your OTP via Email, and you receive those Emails on the device you are securing, then that device is no longer compliant. Therefore, when looking for a solution, consider purchasing deliverables that are not on the same device you are securing to avoid losing compliance.
To conclude the members of the APBNet Board and CJIS Division of the FBI do a great job of securing IT from a policy perspective. However keeping up with security trends would mean a new Security Policy every week and we all know that's not practical. Agencies must make it incumbent upon themselves to make sure they are secure, even if it means going above and beyond the needs of the CJIS Security Policy.
No one likes adding complexity and change to their department. But no one likes being hacked, losing data, or winding up in the news over it either. We all know officers complain. Consider using Advanced Authentication 100% of the time. After all, if they're going to complain anyway, at least your data will be more secure!