Managing Effective Migration to Two Factor Authentication

In June 2015, the US Office of Personnel Management (OPM) was the victim of a data breach that exposed the confidential records of over 20 million government employees and contractors.  About a year earlier, a report issued by OPM’s Office of the Inspector General found “significant deficiencies” in OPM’s IT security.  The report cited, among several other findings, that OPM did not require the use of multi-factor authentication to access OPM systems.

This post discusses securing the access to Federal networks and computer systems through the implementation and deployment of Two-Factor Authentication, or 2FA, as a method of access.

2FA was patented in 1984, and its strength comes from requiring the user to provide two different types of identification.  The first type of identification, for example a username and password, is something that the user knows.  The second type of identification (for example, a code sent via text message to a cell phone) is something that the user has (e.g., the cell phone).

Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors (HSPD-12) was introduced in 2004 to require agencies to deploy a secure and interoperable document (access card) for physical access to facilities as well as for access to networks.   While 90% of agencies issued Personal Identity Verification (PIV) Cards in 2015, only 42% were using them for computer and network access.  The cyber sprint that was initiated in response to the OPM breach in the summer of 2015 increased PIV card usage to 83%, but this alone does not solve the secure access challenge across government[1].

Through Dovel’s work with the GrantSolutions system for the Department of Health and Human Services (HHS) Administration for Children and Families Grants Center of Excellence (ACF/COE), we continuously face significant security challenges that come with building and maintaining an interconnected system used across the Federal Government.  These challenges required us to develop repeatable and tested solutions that meet Federal data security guidelines and mandates while ensuring that these solutions are cost effective and maintainable in a highly dynamic business environment.  Moreover, our security solutions do not add any unnecessary burden on the system users; rather, they give users added confidence that their data is safe and secure.

GrantSolutions is one of the largest enterprise-wide grants management systems in the Federal government today and is being used across more than 20 Federal agencies representing 800+ grant programs. The GrantSolutions system is responsible for the management of over $65B in annual Federal grants funds and supports more than 50,000 users. Further, the GrantSolutions system interfaces with several Federal government accounting systems as well as with the Treasury’s Payment Management System (PMS) for fund disbursements.  Finally, GrantSolutions interfaces with many Federal reporting data resources such as USASpending.gov.

 

GrantSolutions is an HHS-operated system, supporting both HHS and non-HHS users as well as government and non-government users. The implementation of a PIV card-based 2FA solution was relatively easy for users within the Department. However, implementing a secure 2FA access system for non-HHS, non-PIV users was complex and required an efficient and innovative approach.

Between Dovel’s inherent responsibility to tightly secure the GrantSolutions system, the various OMB mandates, and mounting pressure from HHS leadership, our team had to act quickly yet confidently to produce an expedient solution. There was no time to build a new security architecture; we needed to find an immediate path to 2FA for all non-PIV grantor users accessing GrantSolutions.

Dovel, in partnership with the Grants Center of Excellence, incrementally developed, tested and implemented a solution, detailed below, within a month.  This security solution greatly enhanced the secure access to the GrantSolutions system while meeting all Federal guidance and mandates.

GrantSolutions.gov 2FA Solution

As soon as the mandate to implement 2FA was delivered, we established a small number of implementation criteria:

  1. Architecture Simplicity
  2. Low cost
  3. Support for a wide range of uses

After a thorough review of Commercial Off-the-Shelf (COTS) products available in the market today, we found that the licensing fees and call-back costs for 2FA were cost prohibitive. Determined to find a cost-effective solution, we decided on using an internally developed, open source solution that uses the industry standard Time-based One-time Password Algorithm (TOTP). This algorithm computes a one-time password from a shared key and the current time.
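The TOTP computation described above, together with the server-side check, as an added example that is not Dovel's or GrantSolutions' code. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the `TotpVerifier` class, its one-step drift window and its replay rule are hypothetical choices for illustration, and the key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6     # code length (assumed; common in authenticator apps)
RFC_KEY = b"12345678901234567890"  # published RFC 6238 test key, never a real secret


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(key, int(now) // STEP, digits)


class TotpVerifier:
    """Hypothetical server-side check: clock-drift window plus replay rejection."""

    def __init__(self, key: bytes, drift_steps: int = 1):
        self.key = key
        self.drift_steps = drift_steps
        self.last_counter = -1   # highest time step already accepted

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        current = int(time.time() if now is None else now) // STEP
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue         # step already consumed: a captured code cannot be reused
            if hmac.compare_digest(hotp(self.key, counter).encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_KEY)
    print(totp(RFC_KEY, 59), v.verify("287082", now=59), v.verify("287082", now=59))
```

The drift window trades usability against exposure: each extra step accepted lengthens the time an intercepted code stays valid, which is why the verifier also records the last accepted step.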

The 2FA solution relies on the user’s registered User Name and Password as the first factor.  The second factor is a one-time, unique code, generated by a trusted system and delivered to the user through one of the following three options:

  1. A smartphone with an installed Authentication App that generates the code used as the second factor to log in to the application.
  2. A code delivered as a text message to users who prefer this.
  3. A code sent via a voice message to the user’s registered phone (landline or mobile phone).

The above three options provide users with the widest flexibility of receiving the second factor of their 2FA – covering the range of situations system users face and meeting the user’s preference at any one time.

The main feature of Dovel’s 2FA solution lies in its simplicity and its low upfront and ongoing costs.  The code generated on a smartphone (option 1) is free, the code delivered via text message (option 2) is free to the majority of the users, and the code delivered via a call back (option 3) is implemented using a low cost commercial service.

As an example of low operating cost, during six months of operational use on GrantSolutions, the costs were:

  • Registration Cost for the call back option  – $10/month x 6 months = $60
  • Call back costs for 6 months (option 3) = $70 (0.0075 cent per call back)
  • One time carrier lookup cost  (used as part of option 2) = $2 (0.005 cent per lookup)

Beyond cost, the Dovel 2FA solution has a very small footprint on any system and little to no impact on system performance. While there is an extra step for users to gain access, this extra step is now becoming a standard practice across many secure government and non-government online systems.  Additionally, 2FA provides the user with an added sense of security for their account access.

Depending on system size and complexity, Dovel’s 2FA solution can be implemented to provide a system with a comprehensive 2FA solution in as little as two weeks.

Once implemented at GrantSolutions, the entire package was provided by ACF to three additional government partners, two of which are already in production. This same package is available for use at other government partners and Dovel is available to support your implementation.


[1] http://www.governmentcyberplaybook.com/presentations.php