NetMotion Wireless Locality

Transcription

Advanced Authentication – CJIS and NetMotion Wireless
CJIS Advanced Authentication Requirements and Solutions

Agenda
- What is the CJIS mandate?
- What is 5.6.2.2 Advanced Authentication?
- Examples of authentication types
- Challenges and recommendations
- NetMotion services
- Questions (for questions, use the Question control panel)

Advanced Authentication – CJIS Requirements

What is CJIS?
- The FBI's Criminal Justice Information Services (CJIS) Security Policy, mandated at the national level.
- Each state has an Information Security Officer (ISO): 50 in all, one per state.
- The ISOs are essentially the CJIS auditors for their states.

What does CJIS require?
CJIS 5.6.2.2: Advanced Authentication
"Advanced Authentication (AA) provides for additional security to the typical user identification and authentication of login ID and password, such as: biometric systems, user-based public key infrastructure (PKI), smart cards, software tokens, hardware tokens, paper (inert) tokens, or “Risk-based Authentication” that includes a software token element comprised of a number of factors, such as network information, user information, positive device identification (i.e. device forensics, user pattern analysis and user binding), user profiling, and high-risk challenge/response questions."

Advanced Authentication Methods
1. Biometric systems
2. Smart cards
3. Out of band (OTP)
4. Risk based
5. Hardware tokens (OTP)
6. Paper (inert) tokens
7. Driver's license (DL) swipe: magnetic stripe and 2D bar code
8. Proximity badges, commonly used for building access

Biometrics
- Fingerprint biometrics are the only viable biometric option in this setting.
- The user swipes or places a finger on a sensor and enters a PIN.
- Works well if readers are already in the vehicle or built into the laptop.
- Nothing extra to carry, lose, or forget.
Notable:
- Inconvenient if users are frequently exposed to dirt, dust, or other contaminants.
- Readers must be cleaned frequently.
- Does not work with gloves.
In application:
- Ease of use: easy (about 90% of the time).
- Feedback from the field: users like it when it works and hate it when it doesn't.

Smart Cards
- Leverage Microsoft Certificate Services rather than third-party certificates.
- The user inserts the card into a smart card reader, or a token into a USB slot, at OS logon.
- The OS recognizes the certificate stored on the device.
- The user enters a PIN and the OS logon completes.
Notable:
- High security: used by the US Government (FBI, DoD, etc.).
- Mature technology.
- Portable.
- Requires users to log on with Active Directory.
- Consider this option if the mobile data terminals (MDTs) have embedded readers.
- USB smart cards are an additional option if a USB slot is available.
In application (card reader):
- Ease of use: easy.
- Feedback from the field: users forget the card in the reader; the infrastructure is complex to deploy.
Optional USB token:
- Ease of use: easy.
- Feedback from the field: another thing to carry; users worry about losing the card or key.

Risk Based
- Uses the advanced authentication solution to profile a level of risk per user.
- The user provides a user name at logon.
- The solution analyzes risk factors associated with the user's profile and endpoint; if risk is detected, the user must answer one or more security questions before submitting the password.
Notable:
- Nothing to carry, nothing to lose.
- Truly tokenless.
- No environmental issues.
- Least secure of the options and prone to attack: the step-up factor is knowledge-based, and answers to security questions are often guessable or discoverable.
- Users tend to forget the answers to their questions.
- If the policy tightens, risk-based authentication (RBA) may no longer be an option.
In application:
- Ease of use: easy.
- Feedback from the field: does not appear to be secure; users may forget answers.

Out of Band (OTP)
- A phone is used to receive the one-time password (OTP).
- The user connects with Mobility XE and receives a phone call, text message, or push notification on a smartphone.
- The user completes authentication by providing a PIN and the OTP, or by using voice biometrics.
Notable:
- Requires the user to have a cell phone.
- Does not require the user to carry something extra if they already have a cell phone.
- Users may not have, or may be unwilling to use, a personal phone if the agency does not issue one.
- Worth considering if the agency issues phones.
In application:
- Ease of use: easy.
- Feedback from the field: power loss issues; not all officers have agency-issued phones.

Hardware Tokens (OTP)
User method:
- Connects with Mobility XE.
- Retrieves the OTP from the device.
- Enters the user name, then the PIN followed by the OTP code.
Notable:
- Requires a physical token.
- Users cannot read the display in low light.
- The token will eventually run out of battery power.
- Requires something extra for the user to carry.
In application:
- Ease of use: hard.
- Feedback from the field: hard to read at night; safety concerns at night; users lose and break the tokens.
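The OTP flows on the out-of-band and hardware-token slides both rest on the same server-side mechanism, which the slides do not show. The following is an added example (not NetMotion code and not part of the original deck) of an RFC 4226 HOTP / RFC 6238 TOTP verifier with the two details a deployment has to get right: a look-ahead window so an event-based hardware token that was pressed a few times without logging in still works, and advancing the stored counter past the accepted value so a captured code cannot be replayed. The "PIN followed by OTP in one field" entry from the hardware-token slide is parsed the same way. The seed, the PIN, the user name and the 10-count window are constructed assumptions; the seed is the RFC 4226 test-vector secret.

```python
"""HOTP/TOTP verification with a look-ahead window and combined PIN+OTP entry."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example seed: the RFC 4226 test-vector secret. A real token's seed is
# provisioned by the vendor and must be stored server-side under strict access control.
EXAMPLE_SEED = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (phone/app tokens)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


class TokenRecord:
    """Server-side state for one event-based hardware token (assumed layout)."""

    def __init__(self, seed: bytes, pin: str, counter: int = 0) -> None:
        self.seed = seed
        self.pin = pin
        self.counter = counter  # next counter value the server expects


def verify_hotp(record: TokenRecord, submitted: str, window: int = 10) -> bool:
    """Accept the code at the expected counter or up to `window` counts ahead.

    Hardware tokens advance every time the button is pressed, including presses that
    never reach the server, so the server must tolerate drift. On success the stored
    counter moves past the used value, which rejects any replay of that code.
    """
    for ahead in range(window + 1):
        candidate = record.counter + ahead
        if hmac.compare_digest(hotp(record.seed, candidate), submitted):
            record.counter = candidate + 1
            return True
    return False


def split_pin_and_otp(entered: str, pin_length: int, digits: int = DIGITS):
    """The user types the PIN immediately followed by the OTP in one field."""
    if len(entered) != pin_length + digits or not entered.isdigit():
        return None
    return entered[:pin_length], entered[pin_length:]


def authenticate(records: dict, username: str, entered: str, window: int = 10) -> bool:
    """Two factors: the PIN (something known) and the token code (something held)."""
    record = records.get(username)
    if record is None:
        return False
    parts = split_pin_and_otp(entered, len(record.pin))
    if parts is None:
        return False
    pin, otp = parts
    if not hmac.compare_digest(pin.encode(), record.pin.encode()):
        return False  # counter untouched: a bad PIN must not advance the token state
    return verify_hotp(record, otp, window)


if __name__ == "__main__":
    # Constructed demo user; "officer1" and PIN "1234" are assumptions.
    records = {"officer1": TokenRecord(EXAMPLE_SEED, "1234")}
    code = hotp(EXAMPLE_SEED, 0)
    print("first token code:", code)
    print("login accepted:", authenticate(records, "officer1", "1234" + code))
    print("replay accepted:", authenticate(records, "officer1", "1234" + code))
    print("TOTP at T=59 s:", totp(EXAMPLE_SEED, for_time=59))
```

The window trades security for usability: a wider window makes a lost token slightly easier to misuse and slows verification, while a window that is too narrow forces a resynchronization call every time an officer presses the button idly. Pick it to match how the tokens are actually handled in the field.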

Paper (or Inert) Tokens
- Because of patents, the Entrust GRID card is the only real option.
- The user connects with Mobility XE.
- The user is prompted to enter the characters found at given coordinates on the GRID card.
Notable:
- Requires a paper token.
- Token cards can be printed.
- Well suited for remote access and for large user populations that do not authenticate daily.
- No environmental issues.
- Users cannot read the card in low light.
- Requires something extra for the user to carry.
In application:
- Ease of use: mixed.
- Feedback from the field: does not work in low light.
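The grid-card slide describes the user side only. As an added example (not Entrust's or NetMotion's code, and not part of the original deck), here is the server side of a generic paper-token scheme of the same kind: a random 5x10 card is generated and printed for the user, each logon issues a fresh set of coordinates, and the response is checked against the stored card. The card layout, alphabet, three-cell challenge size and the GridAuthenticator class are assumptions; nothing here reproduces Entrust's actual format.

```python
"""Paper (inert) grid-card challenge/response, as a server would run it."""
import hmac
import secrets
import string

ROWS = "ABCDE"            # assumed layout: rows are lettered
COLUMNS = range(1, 11)    # assumed layout: columns are numbered 1..10
ALPHABET = string.ascii_uppercase + string.digits


def generate_grid(rng=secrets) -> dict:
    """Fill a 5x10 card with random characters; `rng` needs only a .choice() method."""
    return {f"{row}{col}": rng.choice(ALPHABET) for row in ROWS for col in COLUMNS}


def render_card(grid: dict) -> str:
    """Text rendering of the card for printing and issuing to the user."""
    lines = ["   " + " ".join(f"{col:>2}" for col in COLUMNS)]
    for row in ROWS:
        cells = " ".join(f"{grid[f'{row}{col}']:>2}" for col in COLUMNS)
        lines.append(f"{row}  {cells}")
    return "\n".join(lines)


def issue_challenge(grid: dict, cells: int = 3, rng=secrets) -> list:
    """Pick `cells` distinct coordinates; the user reads those characters off the card."""
    coordinates = sorted(grid)
    chosen = []
    while len(chosen) < cells:
        pick = rng.choice(coordinates)
        if pick not in chosen:
            chosen.append(pick)
    return chosen


def verify_response(grid: dict, challenge: list, response: str) -> bool:
    """Compare the expected characters with what the user typed (case-insensitive)."""
    expected = "".join(grid[c] for c in challenge)
    return hmac.compare_digest(expected.encode(), response.strip().upper().encode())


class GridAuthenticator:
    """Holds issued cards and at most one outstanding, single-use challenge per user."""

    def __init__(self, rng=secrets) -> None:
        self.rng = rng
        self.cards = {}
        self.pending = {}

    def enroll(self, username: str) -> dict:
        self.cards[username] = generate_grid(self.rng)
        return self.cards[username]

    def start(self, username: str, cells: int = 3) -> list:
        challenge = issue_challenge(self.cards[username], cells, self.rng)
        self.pending[username] = challenge
        return challenge

    def finish(self, username: str, response: str) -> bool:
        challenge = self.pending.pop(username, None)
        if challenge is None:
            return False  # no outstanding challenge, or it was already consumed
        return verify_response(self.cards[username], challenge, response)


if __name__ == "__main__":
    auth = GridAuthenticator()
    card = auth.enroll("officer1")  # "officer1" is a constructed demo user
    print(render_card(card))
    challenge = auth.start("officer1")
    print("challenge:", challenge)
    answer = "".join(card[c] for c in challenge)
    print("accepted:", auth.finish("officer1", answer))
    print("replay accepted:", auth.finish("officer1", answer))
```

Every successful logon reveals the cells that were challenged to anyone watching the screen, so the challenge must be random per logon and the card must be reissued once enough of it has been exposed; the single-use pending challenge above also stops a captured response from being replayed into a later session.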

DL Swipe – Magnetic Stripe / 2D Bar Code
- Leverage what you already have.
- The user swipes a driver's license (DL) or agency-issued ID at OS or application logon and enters a PIN.
Notable:
- Requires a reader, but you may already have them in vehicles.
- Does not require the user to carry something extra.
- Users understand how to use the technology.
- Low failure rate.
- No environmental issues.
- Worth considering if the agency has magnetic stripe / 2D bar code readers in the vehicles.
- The stripe and bar code hold static data that any reader can copy, so bind the card data to the user account on the server and treat the PIN as the factor that carries the security.
In application:
- Ease of use: easy.
- Feedback from the field: users like it.

Proximity Cards
- Leverage what you already have.
- The user taps a badge at OS or application logon and enters a PIN.
Notable:
- Requires a reader, but many options are available.
- Very easy to use; does not require the user to carry something extra.
- Users understand how to use the technology.
- No environmental issues.
- Worth considering if the agency already uses proximity technology for building access.
- A proximity badge only emits a static ID, so bind that ID to the user account on the server and rely on the PIN for the second factor; revoke the ID promptly when a badge is lost.
In application:
- Ease of use: very easy.
- Feedback from the field: users love it.

Common Challenges
Common challenges heard from agencies:
- One policy, 50 states, many different opinions.
- No budget.
- Concern that the policy will change or be pushed back.
- Lack of local expertise.
- No USB ports available.
- MDTs not on the domain and not connected to Active Directory.
- Officers log on locally to MDTs.

Recommendations
1. Leverage what you have: no need to reinvent the wheel.
2. Participate in a ride-along with one of your users; educate them on the policy and ask them what they would prefer.
3. Know your state Information Security Officer.
4. Understand your end-user environment and which solution would have the least impact on the users.

NetMotion Wireless Professional Services
Advanced Authentication Solution
- Pricing varies.
- Turn-key solution: full advanced authentication solution implementation.
- Includes the advanced authentication product, pre-install consultation, and installation and configuration.
- The pre-installation consultation includes determining the best solution based on customer needs and environment.

NetMotion Wireless Professional Services
Advanced Authentication Assistance
- Pricing varies.
- Pre-planning discussion done via conference call.
- Remote support and assistance for integrating an existing advanced authentication product with NetMotion Wireless products.
- Onsite is optional if required.
- Focus on NetMotion Wireless configuration, but assistance and direction are provided for the authentication solution.

Questions?
Contact: services@netmotionwireless.com
