Weak Authentication: Agencies Slow to Fix Security Gaps
Most Federal employees can still log onto Federal computer systems with nothing but a password – 11 years after President George W. Bush ordered agencies to secure their information systems with strong authentication technologies.
Even among so-called privileged users – those with access to government data, systems, and controls – the rate of adoption continues to lag. Barely half the largest Federal agencies have deployed strong authentication across 95 percent of privileged users, according to the White House annual report to Congress on the Federal Information Security Management Act (FISMA).
Two-factor or “strong” authentication requires users to present at least two means of identification, drawn from different categories, to access a system. The three categories are: something known, such as a password or PIN (a user name only names the account and is not a secret); something possessed, such as a smart card or other device; and something the user is, such as a fingerprint or iris scan.
In 2004, President George W. Bush signed Homeland Security Presidential Directive 12 (HSPD-12), requiring a government-wide standard for secure identification cards, and the National Institute of Standards and Technology (NIST) published Federal Information Processing Standard 201, “Personal Identity Verification of Federal Employees and Contractors,” in 2005. It has been revised twice since.
Today, there are more than 5.3 million Federal government Personal Identity Verification (PIV) cards in circulation. In addition, the Defense Department has a similar but distinct smart card program, the Common Access Card (CAC). Both cards contain an embedded chip that stores the holder’s identity data together with private keys and matching public key certificates; the keys never leave the chip, and the cardholder’s PIN must be entered before the chip will use them to sign anything. Each card is unique to its user.
But while the Pentagon has already achieved universal CAC compliance, most Federal agencies are not yet using the PIV to control logon to their networks, but only as a photo ID and card key for building access.
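As an added illustration (not from the article, NIST, or any real PIV implementation), the following Go model shows what card-based authentication buys a network: the verifier sends a fresh random challenge, the card signs it with a private key that never leaves the chip and is only usable after the holder’s PIN, and the verifier checks the signature against the public key from the card’s certificate. The `Card` type, its three-try PIN counter, and all names are constructed stand-ins for the card’s firmware; a software key replaces the chip.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Card is a software stand-in for the PIV chip (constructed for this example).
// The private key is generated inside and never exported; Sign only works
// after a correct PIN, and three wrong PINs lock the card.
type Card struct {
	priv     *ecdsa.PrivateKey
	pin      string
	failures int
	unlocked bool
}

func NewCard(pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pin: pin}, nil
}

// PublicKey is what the X.509 certificate on the card would carry.
func (c *Card) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// VerifyPIN unlocks the signing key, mirroring the retry counter on real cards.
func (c *Card) VerifyPIN(pin string) bool {
	if c.failures >= 3 {
		return false // locked: no further attempts are honoured
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) == 1 {
		c.unlocked = true
		c.failures = 0
		return true
	}
	c.failures++
	return false
}

// Sign answers the verifier's challenge; refused until the PIN has been given.
func (c *Card) Sign(challenge []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN required")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, digest[:])
}

// NewChallenge is the server side: a random nonce that is never reused, so a
// captured signature cannot be replayed for a later logon.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// VerifyLogon checks the card's signature over this challenge with the public
// key taken from the user's certificate; a password is never involved.
func VerifyLogon(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	card, err := NewCard("123456")
	if err != nil {
		panic(err)
	}
	challenge, _ := NewChallenge()
	card.VerifyPIN("123456")
	sig, err := card.Sign(challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("logon accepted:", VerifyLogon(card.PublicKey(), challenge, sig))
	later, _ := NewChallenge()
	fmt.Println("same signature replayed on a new challenge:", VerifyLogon(card.PublicKey(), later, sig))
}
```

The point of the model is what an attacker with a stolen password cannot do: without the physical card (the key) and the PIN (the knowledge factor) there is nothing to sign with, and a signature captured from one session is useless against the next challenge.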
Hildegard Ferraiolo, PIV program lead and a computer scientist at NIST, expressed disappointment that agencies haven’t made greater use of the cards. “Acceptance has been gradual,” she said, “not as we would have hoped.”
She sees as a turning point, however, the data breach at the Office of Personnel Management, which led to the compromise of personal information for more than 21 million current, former, and prospective Federal employees.
“Due to the recent cybersecurity attacks and threats, there really is a push to get the departments and agencies to use the PIV card to do user authentication,” she said.
According to the White House annual report on FISMA, “more than half of Federal civilian cyber incidents were related to, or could have been prevented by, strong authentication.”
At the Department of Veterans Affairs (VA), Chief Information Security Officer Stan Lowe ordered VA computer users to begin using two-factor authentication effective June 30. The only exceptions: VA staff directly responsible for patient care. Other leading agencies are the General Services Administration (GSA), the Labor and Treasury departments, the Small Business Administration (SBA), National Science Foundation (NSF), and the Nuclear Regulatory Commission (NRC).
Why are so many other agencies struggling? There are three principal reasons:
- Outdated systems: “Some systems have not been accommodating to the PIV card,” Ferraiolo said. “Mainframes and other legacy systems … haven’t changed that much over the years. These are cases where PIV card use and two-factor authentication isn’t easily done.”
- Mobile devices: NIST is working with industry to develop standards for mobile authentication through use of a token or some other form of verification. PIV cards could work with smartphones by means of the same near-field communication (NFC) technology that gets employees through security entrances each morning. Some Android phones have that capability, as does the iPhone 6, although Apple has so far not allowed developers to access the phone’s NFC chip, limiting its use to its Apple Pay payment system.
- Job turnover and part-time workers: At the Environmental Protection Agency (EPA), many employees are not eligible for a PIV card. An EPA spokesman said card holders must work more than 20 hours per week, work for the agency for more than six weeks, and work on-site. So interns, part-time employees, and contractors may not qualify. Overall, 69 percent of EPA network accounts use strong authentication.
Increasing the numbers is a matter of getting non-IT managers to recognize the importance of two-factor authentication to enhance security. The EPA gives managers regular reports on authentication compliance so they can see where their particular offices stand. “Once managers view these reports, they typically want to work quickly to change the compliancy percentage for their organization,” the spokesman said.
Jerry Irvine, a member of the U.S. Chamber of Commerce’s Cybersecurity Leadership Council and CIO of Prescient Solutions, said managers need to view the cards as a tool and not as a solution. Like any tool, it’s only valuable if it’s put to work. That’s harder than it looks, he said.
“You still need to integrate [authentication] into each of the systems independently, for every individual type of server or even for every application, since those may be going across multiple directories or multiple domains,” Irvine said.
Every system or application a user might log into must be modified to incorporate two-factor authentication, and that takes time, money, or both, Irvine said. Cash-strapped IT departments may not have the funds or the drive to get the job done. A single sign-on layer could mitigate the challenge, but that, too, requires substantial back-end programming.
Physical infrastructure may be a problem for agencies, since older computers lack smart card readers. But readers are now standard on many business laptops and desktops, so newer machines may already have card readers that simply aren’t being used.
OPM, still reeling from its unprecedented data breach, aims to secure its systems via two-factor authentication. But progress is slow. The agency says 100 percent of its PIV-enabled users will use multifactor authentication by the end of fiscal 2017 – nearly 30 months after the breach occurred. Officials are also examining alternative two-step verification solutions for part-time users and subcontractors.
Biometrics and Beyond
Biometrics, meanwhile, promise improved verification because a fingerprint or iris is harder to fake than a password. A biometric also cannot be reissued once its template is stolen, so it works best as one factor alongside a card or PIN rather than on its own. It’s not clear how long it will take before fingerprint readers, which are already built into many smartphones, are cheap enough to put on every desktop. Iris scanners are another alternative. A number of banks are testing iris scanners in new cardless automatic teller machines.
Banks, interestingly, rely first and foremost on the customer’s personal mobile device, and it is possible mobile phones will become a common form of identification. Already, it’s common for banks and others to verify users by sending a one-time numeric passcode by SMS or through an app. The passcode is time-sensitive; if it expires before access is gained, the user must re-initiate the process. A code delivered by SMS is weaker than one generated on the device, since it can be intercepted or phished along with the password, but it still defeats an attacker who holds only the password.
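The one-time passcode flow described above, as an added example that is not from the article or any bank’s system: the server issues a random six-digit code, remembers it only until it expires, consumes it on first successful use, and caps the number of guesses so the million-code space cannot be searched online. The `Verifier` type, the five-minute lifetime, the five-attempt limit, and the injectable clock are constructed choices for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"math/big"
	"time"
)

const (
	codeDigits  = 6
	codeTTL     = 5 * time.Minute // constructed lifetime; real services vary
	maxAttempts = 5               // online guessing budget per issued code
)

// pending is one outstanding code. Only a salted hash is kept; a six-digit
// code is still brute-forceable offline from the hash, so the TTL and the
// attempt cap, not the hash, carry the security.
type pending struct {
	hash     [32]byte
	expires  time.Time
	attempts int
}

// Verifier is a constructed in-memory server side for SMS/app passcodes.
type Verifier struct {
	now   func() time.Time    // injectable clock so expiry can be tested
	codes map[string]*pending // keyed by user; one live code at a time
}

func NewVerifier(now func() time.Time) *Verifier {
	if now == nil {
		now = time.Now
	}
	return &Verifier{now: now, codes: make(map[string]*pending)}
}

func codeHash(user, code string) [32]byte {
	return sha256.Sum256([]byte(user + ":" + code))
}

// Issue generates the code that would be sent to the user's phone. Issuing a
// new code replaces any earlier one, so only the latest can ever succeed.
func (v *Verifier) Issue(user string) (string, error) {
	limit := big.NewInt(1)
	for i := 0; i < codeDigits; i++ {
		limit.Mul(limit, big.NewInt(10))
	}
	n, err := rand.Int(rand.Reader, limit) // uniform in [0, 10^codeDigits)
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v.codes[user] = &pending{hash: codeHash(user, code), expires: v.now().Add(codeTTL)}
	return code, nil
}

// Verify consumes the code: it is removed on success, on expiry, and when the
// attempt budget runs out, so in every case the user must re-initiate.
func (v *Verifier) Verify(user, code string) bool {
	p, ok := v.codes[user]
	if !ok {
		return false // nothing outstanding for this user
	}
	if !v.now().Before(p.expires) {
		delete(v.codes, user) // expired: a fresh code must be requested
		return false
	}
	p.attempts++
	if p.attempts > maxAttempts {
		delete(v.codes, user) // too many guesses: invalidate rather than keep serving
		return false
	}
	h := codeHash(user, code)
	if subtle.ConstantTimeCompare(h[:], p.hash[:]) != 1 {
		return false // wrong code; attempt counted, code still live
	}
	delete(v.codes, user) // single use
	return true
}

func main() {
	v := NewVerifier(nil)
	code, err := v.Issue("alice")
	if err != nil {
		panic(err)
	}
	fmt.Println("sent code:", code)
	fmt.Println("first use:", v.Verify("alice", code))
	fmt.Println("second use of the same code:", v.Verify("alice", code))
}
```

Two details matter more than they look: the comparison is constant-time so response timing does not leak how many leading digits were right, and a wrong guess does not reset the expiry, so an attacker cannot keep a code alive by probing it.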
For even greater security, some advocate three-factor identification using a password, a card or device, and a fingerprint. Each additional layer makes it harder to defeat the access controls.
But such a system doesn’t mean a multifactor ID is a silver bullet. Two-factor access “has got to be done in combination with other safeguards,” Irvine said. “You still have to do patch management. You still have to do your vulnerability assessments. This doesn’t solve every problem.”
Security is ultimately about making it harder for the bad guys to get in. And in an age of perpetual cyber probing and espionage, every bit of added security is worth the effort.
Adam Stone writes on technology management, business, government and military topics. His recent work has appeared in USA Today, Federal Times, Public CIO, Government Executive, and many other publications.