CJIS Two Factor Authentication
CJIS ISO Program Office
George White and Ron Buchanan from the CJIS ISO Program Office with the Federal Bureau of Investigation. There has been lots of discussion across the state regarding two-factor authentication and what constitutes compliance, the staff has invited Ron and George to provide us with a presentation regarding compliance through CJIS. George went through the process that the ISO program office used to devise the process and what would be considered compliance through the FBI. George stated that authentication is the process of verifying a claimed identity, determining if the subject is really who he/she claims to be. It is based on at least one of the following three factors: something a person has (smart card, token, key, swipe card, badge), something a person knows (password, passphrase, PIN), something a person is (fingerprint, voice, retina/iris characteristics). *Strong, or two-factor, authentication contains two out of these three methods. George also stated that a single form of authentication (standard authentication* = password) is not a very secure means of authentication. Therefore, many organizations have introduced into policy a second means, or form of, authenticating a person's identity. Additionally George stated, for the purpose of the CJIS Security Policy (CSP), the process of requiring more than a single factor of authentication is most often referred to as Advanced Authentication, or AA. George also expressed that the requirement to use AA is dependent upon the physical, personnel and technical security controls associated with the user's location. George explained that AA shall not be required for users requesting access to CJI from within a physically secure location and when the technical security controls have been met and AA is required when it can't be determined from where a user is originating, e.g. utilizing wireless or web. George also made the point those agencies that bought equipment to be in compliance for the previous set of protocols, are still good for a few more years, but need to look into the cost of being in compliance for the new set of authentication protocols. CJIS does not endorse any product; however they will assist an agency who has a potential solution to ensure that the potential solution is in compliance.
Local Law Enforcement Agency Solutions
The City of High Point presented their solution to two-factor authentication to the CJIN Board. Please click here to view that presentaton.
The NC State Highway Patrol also presented their solution to two-factor authentication for the CJIN Mobile Data network. Please view that presentation here.
ITS also presented a possible solution from a State level, which was sent to the FBI for approval, that presentation and flowchart is located here. The letter that was submitted to the FBI can be seen here.