Michael Coppola shares more on Advanced Authentication and 2 Factor Authentication compliance considerations

Michael Coppola continues his series of blog posts on security as it relates to accessing criminal justice information online. This post focuses on Advanced Authentication and 2FA compliance considerations.

Knowing when Advanced Authentication is needed

As you work through the decision-making process, the most important question you can ask is, “At what point is Advanced Authentication required?”

Simply put, Advanced Authentication is required when accessing Criminal Justice information. Two clarifications are needed here.

  1. If criminal justice information does not reside on your mobile device or laptop, but the software or application on it accesses criminal justice information, then the software needs Advanced Authentication and the machine does not.
  2. If the criminal justice information resides on the mobile device or laptop, the device needs Advanced Authentication, full disk encryption, and mobile device management. Because the requirement attaches to the device, this includes idle fragments of the information left behind by email programs or other software that runs on the device.

Some considerations in 2 Factor compliance

If you find this question hard to answer, that is likely because of the many possible combinations of elements in your current practice and the way your system is set up.

As far as 2 Factor Authentication is concerned, you have several options. The most popular is a One Time Passcode sent as a text message or via email. Another option is an external USB device that generates a code for you. Some devices generate a fresh code every time you use them.

Whichever of these methods you are considering, check the conditions and consequences that come with it. For instance, an external USB device may run on batteries that eventually expire, which could leave you in a bind over replacement. Some email reporting tools may require a service subscription. In many cases, the method that promises to do the job you need may be expensive to maintain. In that case, you may find value in running 2 Factor Authentication in-house rather than cloud-based.

You need to work these things out first because, whatever you choose, a transaction will take place and a code will be generated. If that happens in your station, then you’re compliant.