When it comes to security, you simply cannot leave anything to chance, especially in the business of Mike Coppola, president of CJIS Solutions. Accessing something as privileged as Criminal Justice Information from a computer or portable device like a laptop, smartphone, or tablet merits a more stringent set of security features. Mike leads the way in shedding light on this very important matter by way of a series of blogs covering a wide range of online security topics.
Advanced Authentication deciphered
As technology and cybersecurity evolve through time, so do online threats. Gone are the days when it was quiet enough to have a simple username and password to have a competent security level. What makes Advanced Authentication (AA) work superbly today is the use of “Something You Know” and “Something You Have,” together with other factors.
Complex password requirement
Passwords can be hacked easily if you don’t take them seriously. Simply put, if you have a password as predictable as “abc123” or “qwerty,” and you get hacked, you can’t complain. By today’s standards, that is, quite frankly, your own fault and accountability. The CJIS Security Policy sets several conditions on password creation that ensures that your password has the lowest chance of being compromised.
The know vs have comparison
Because of “Something You Know” and “Something You Have” combination, you increase your security exponentially. “Something You Know” is your password, the one that you can recite from memory, but don’t make the mistake of thinking that it’s bullet proof because there are countless creative ways by which hackers can get your password. The addition of “Something You Have” requires that you are in proximity to an external device as you attempt to access.
2 Factor Authentication vs Advanced Authentication
2 Factor Authentication (2FA) requires that you log in to a device using a user name, password, or PIN and a secondary One Time use only Passcode (OTP) delivered through a secondary method. By CJIS Security Policy standards, you need to additionally employ a process in which multiple factors are collectively calculated to pass or fail a user’s access. Collectively, this is Advanced Authentication, clarifies Mike Coppola.
Understanding the decision tree
The CJIS crafted an AA Decision Tree, which aims to help decision makers determine whether AA is required. CJIS Security Policy Section 220.127.116.11.2 is actually a methodical set of questions whose answers will ultimately decide whether your system requires Advanced Authentication or not.
Where does Advanced Authentication work best?
To arrive at the solution that works best for you, you need to decide at what point AA is required. For sure, AA is required when accessing CJI. However, you must make sure whether CJI resides on the device or the software used in the device. Different conditions and set-ups will change things drastically.
Is your 2FA really compliant?
2FA as a process is already quite stringent for most regular internet users. However, in the business of the CJI, security is taken to a whole new level. You must consider where your transaction takes place and where the code is made. These have to be CJIS compliant, without exception.