The Fort Worth Police Department had two reasons to deploy two-factor authentication: to comply with the FBI’s security mandate and to make the Texas city’s police officers more efficient.
David Tiwater, assistant public safety support manager for the agency, says the Fort Worth PD went live with two-factor authentication last August, about a month before the mandate requiring secure access to the Criminal Justice Information Services database went into effect. “The FBI relaxed the date a bit, but we made sure we came in ahead of the deadline because it was the right thing to do,” Tiwater says.
The city of Fort Worth opted for authentication software from 2FA because it could integrate the platform with the HID Global smart cards the officers already carried. “There’s no question that the ability to use the HID badges was huge for us,” says Nanette Monte, the IT solutions project manager who led the citywide rollout and worked closely with the police department.
Before the department learned that 2FA could support the smart cards, officials considered tokens, but were concerned that they could be left in the police cars. “There can often be more than one person assigned to a car on any one day, so we didn’t want the tokens to get lost,” Tiwater says. “The HID card is something with the officer’s photo that he carries with him at all times.”
The city runs 2FA One Client software on computers and 2FA One Server on the back end. Officers swipe their HID Global smart cards on a USB-connected HID Omnikey contactless card reader. The officers then authenticate by entering a 2FA PIN associated with their domain credentials. On the road, officers use Getac B300 computers mounted in police cars, connecting to the AT&T network using cellular modems.
“All of the IT divisions worked closely with the officers in the field to test the two-factor authentication and to make sure all the notebooks were configured properly,” says Monte.
Fort Worth law enforcement relies on a large array of web applications. “The two-factor authentication is a terrific timesaver,” says Tiwater. Officers previously had to sign on every time they wanted to access an application, whereas now they can sign on once at the beginning of their shift and access any city database.
Jon Oltsik, a senior principal analyst for the Enterprise Strategy Group, says the drivers for two-factor authentication are well understood: strong authentication, digital signatures and nonrepudiation. “I believe that biometrics is the future, driven by various technologies such as fingerprint readers, facial recognition using cameras and voice recognition using microphones,” he says.
Nanette Monte of the city of Fort Worth and David Tiwater of the Fort Worth Police Department say two-factor authentication enables officers to get to the data they need more quickly.
For Nabil Fares, deputy director and CIO for the California Department of Public Health, two-factor authentication satisfies state requirements for remote access and contributes to the agency’s defense-in-depth security approach, especially for more sensitive health information.
“For remote access over Citrix, two-factor authentication adds more security because the employee must provide more than one password or pass-phrase to authenticate,” Fares says.
Agency employees first enter their personal password, which may rarely change and must be memorized, and then a one-time temporary password that is displayed on a physical token and expires almost immediately. The department uses SafeNet physical tokens, but Fares says the agency plans to migrate to software-based tokens in the months ahead.
While some agencies may struggle to afford two-factor authentication, expect adoption to spread beyond law enforcement, with public health and tax departments following suit.
The Florida Highway Patrol chose biometric authentication because officers can easily use it in more than 90 percent of situations and the technology presents fewer potential problems.
“Tokens can break or be lost,” says Lee Caswell, law enforcement IT support manager for the Florida Highway Patrol. “An officer has a fingerprint with him at all times.”
The FHP deployed the Imprivata OneSign single sign-on and authentication management system last July as part of a two-factor authentication system that helped it comply with the FBI security mandate for secure access to the Criminal Justice Information Services database. Officers authenticate by placing their finger on a fingerprint reader built into a computer in the patrol car; Imprivata OneSign then prompts them to enter a password to access the agency’s system.
“OneSign has made the officers more efficient,” Caswell says. “In the past they had to log in to every database or application. Now, they can run their finger across the computer and then sign on with OneSign to access all the applications they need to do their jobs.”
As part of the Imprivata rollout, the FHP absorbed 250 officers from the Florida Department of Transportation who inspect trucks. Caswell says the transition was fairly easy because both agencies had been considering the OneSign technology, and most of Florida’s agencies run on the same IT infrastructure.