Expect three factor authentication to be implemented following OPM hack
A Department of Homeland Security official said federal personnel will soon be required to use a three-factor authentication method that includes a smartcard, a password and their fingerprints before logging on to computers, according to a report by Nextgov.
The decision to enforce the government-wide, three-factor authentication sign-on is designed to boost government agency security measures, following the successful hacking of the Office of Personnel Management by foreign spies.
“Several organizations are looking at three-factor authentication,” said Shonnie Lyon, acting director of the DHS Office of Biometric Identity Management. “I think that’s the way things are going to have to go.”
Sixteen of the 24 major federal departments, including OPM, can log into government systems with just a username and password, according a recent report on compliance with the Federal Information Security Management Act.
The proposed three-factor sign-in procedure would require federal workers to slide in a smartcard that contains a digitized fingerprint, swipe a finger against a touchpad, and enter a PIN to access any government network.
The new procedure offers more privacy than a setup in which the computer user’s fingerprint is crosschecked against prints stored in a big biometrics database, said Lyon.
Homeland Security Presidential Directive-12 (HSPD-12), a post-9/11 policy, requires federal employees to use a smartcard and PIN to access all agency networks and facilities.
And while many federal employees carry personal identity verification (PIV) cards, only a few departments have activated the card’s digital capabilities, meaning that the card serves as nothing more than a flash pass.
“Whether or not private citizens are going to want to have a PIV-type card” is questionable, Lyon said during the event. “But for OPM or any kind of government action, I think that you are going to see more and more organizations start going to three-factor authentication, so that they know who is in their network, who is logging in and you have the rights and the privilege to do that.”
Meanwhile, the Defense Researcher Advanced Projects Agency “is actually looking at using biometrics — but not biometrics like face, print and iris — active authentication like keystrokes and mouse movement,” Defense Department biometrics chief engineer Will Graves said at a forum hosted by the American Council for Technology and Industry Advisory Council.