There’s been a lot of buzz lately around agencies becoming CJIS compliant. Before explaining how companies can achieve this, let me give a brief background of what the CJIS division does and why they are requiring this policy.
In 1992 the FBI established the Criminal Justice Information Services (CJIS) division. It is the largest division of the FBI and provides state, local, and federal law enforcement and criminal justice agencies with access to centralized information such as fingerprint identification records, criminal histories, and sex offender registrations.
For the public sector, protecting access to sensitive data is imperative, and it is also a requirement under CJIS advanced authentication compliance. Two-factor authentication is a key element of the layered approach commonly deployed to mitigate risk. A variety of two-factor authentication solutions are used to achieve CJIS compliance, including knowledge-based authentication (KBA), tokens, biometrics, and phone authentication.
Knowledge-based authentication comes in two varieties: lexical knowledge, such as a password or the answer to a challenge question, and graphical knowledge, such as picture or pattern recognition. Although these solutions are very low cost to deploy, they are very low-assurance, weak methods of authentication.
Tokens come in a variety of forms that range from high assurance to medium assurance and the cost can vary just as dramatically. Tokens have long been the poster child for out-of-band authentication, but they come with the inherent problem of provisioning an additional piece of hardware and managing support for lost tokens. Standard tokens offer medium to high assurance. High-assurance tokens such as X.509 tokens are available but they may require a middleware reader. High-assurance tokens can be the right solution if the user base adopts them and if the highest assurance is more important than the cost of provisioning, installation, and maintenance.
Biometric two-factor authentication takes two forms. True biometrics include fingerprints, vein structure, or retinal scans; behavioral biometrics can include voice and typing-rhythm recognition. True biometric authentication can be high assurance but comes with a price tag to match. Behavioral biometrics are promising, but industry analysts warn that they are not yet proven.
Phone-based authentication is an emerging technology that is fast becoming a favorite option for banks, enterprises, and globally distributed online services. It offers medium to high assurance at very low cost because users are already provisioned with a phone. Instead of carrying a token, users receive one-time PIN codes on their phone via SMS or voice call. Many users are already comfortable with the process and prefer to use their phone instead of carrying an additional piece of hardware. Typically the only cost associated with phone-based authentication is a per-transaction fee or a per-user fee to cover the cost of placing the call.
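The server side of the one-time PIN flow described above is the part the article leaves implicit. The following is an added example, not code from the original article or from any product it describes. It assumes a caller-supplied `send_sms` delivery hook (hypothetical), a 6-digit PIN drawn from a CSPRNG, a keyed hash of the PIN stored instead of the PIN itself, a five-minute expiry, single use, and a small guess budget; the user id and phone number in `demo()` are constructed sample values.

```python
"""Phone-based one-time PIN (OTP) flow: issue, deliver, verify.

Added example, not code from the original article or any vendor product.
Assumptions: PINs come from a CSPRNG, only a keyed hash is stored server-side,
a PIN expires after PIN_TTL_SECONDS, is single use, and a few wrong guesses
invalidate it. `send_sms` is a hypothetical delivery hook supplied by the caller.
"""
import hmac
import re
import secrets
import time
from dataclasses import dataclass

PIN_LENGTH = 6
PIN_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class PendingPin:
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class PhoneOtpService:
    def __init__(self, send_sms, clock=time.time, server_key=None):
        self._send_sms = send_sms            # callable(phone_number, message)
        self._clock = clock                  # injectable so tests can advance time
        self._key = server_key or secrets.token_bytes(32)
        self._pending = {}                   # user_id -> PendingPin

    def _digest(self, pin, salt):
        # Keyed hash: a leaked pending-PIN table is useless without the server key.
        return hmac.new(self._key, salt + pin.encode(), "sha256").digest()

    def issue(self, user_id, phone_number):
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = PendingPin(
            salt, self._digest(pin, salt), self._clock() + PIN_TTL_SECONDS)
        # The plaintext PIN only ever travels to the user's phone.
        self._send_sms(phone_number,
                       f"Your login code is {pin}. It expires in 5 minutes.")

    def verify(self, user_id, candidate):
        entry = self._pending.get(user_id)
        if entry is None:
            return False                     # nothing pending, or already used
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return False                     # expired
        entry.attempts_left -= 1
        ok = hmac.compare_digest(self._digest(candidate, entry.salt), entry.digest)
        if ok or entry.attempts_left <= 0:
            del self._pending[user_id]       # single use, or guess budget exhausted
        return ok


def demo():
    """Constructed walk-through using a fake SMS sender and a manual clock."""
    outbox = []
    now = [1_700_000_000.0]
    svc = PhoneOtpService(send_sms=lambda number, msg: outbox.append(msg),
                          clock=lambda: now[0])

    def last_pin():
        return re.search(r"\d{6}", outbox[-1]).group(0)

    def other_than(pin):                     # a guaranteed-wrong guess
        return f"{(int(pin) + 1) % 10**PIN_LENGTH:0{PIN_LENGTH}d}"

    results = {}
    svc.issue("alice", "+1-555-0100")        # constructed user id and number
    pin = last_pin()
    results["wrong_guess"] = svc.verify("alice", other_than(pin))   # False
    results["correct"] = svc.verify("alice", pin)                    # True
    results["replay"] = svc.verify("alice", pin)                     # False

    svc.issue("alice", "+1-555-0100")
    pin = last_pin()
    now[0] += PIN_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", pin)                    # False

    svc.issue("alice", "+1-555-0100")
    pin = last_pin()
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", other_than(pin))
    results["locked_out"] = svc.verify("alice", pin)                 # False
    results["sms_sent"] = len(outbox)                                # 3
    return results
```

The hash on the stored PIN only limits what a leaked pending table reveals; a 6-digit space is small, so the expiry and the guess budget are the controls that actually keep the assurance level the paragraph claims. In a deployment, issuance would also be rate limited per user and per phone number so the delivery channel cannot be abused to run up per-transaction costs.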
Choosing the Right Solution
In general, the market needs five things from an effective solution:
- A good authentication solution
- Risk appropriate strength
- Low total cost of ownership
- Good user experience
- End-point independence
It is very important to consider the following when choosing the type of authentication:
- Don’t assume all solutions are created equal. Some two-factor authentication solutions are not strong enough alone. Are KBAs enough for your workforce?
- Consider how it will be used in the field. What are the different implementations?
- Evaluate the delivery options and architecture in light of current and future needs. Make sure your solution scales in practice and in terms of the financial commitment.
Balancing Security and Ease of Use
Frequent employee interaction with CJIS data increases the importance of choosing an efficient authentication solution. Phone authentication leverages a technology that is already part of every user’s life: the telephone. With no extra devices to carry, phone authentication is quick and seamless. Another important factor to consider when choosing a CJIS-compliant advanced authentication solution is price. Adding an additional layer of security can be costly, so it’s important to choose a cost-effective solution. Provisioning users with hardware or software carries a high up-front cost and results in increased operational costs. In addition, hardware tokens are often lost, and soft tokens may be difficult to install or maintain, which creates user friction and increases support staff costs. With phone authentication, organizations can keep costs low because it’s easy to deploy and there are no tokens to maintain.
If you would like more information on how to become CJIS compliant, please email or call me at 310-740-9689.