Local governments adopting two-factor authentication, but at what cost?

Posted by:

admin 11 years, 2 months ago

I found this article on local governments deploying two-factor authentication to be sadly typical. First, it's great that local governments are deploying two-factor authentication, even if it is forced by FBI CJIS security policies that require the use of two-factor ­authentication for remote access to the national criminal justice database. However, the article states:

The county spent roughly $175,000 on the authentication system, which provides options and scalability that will make it useful well into the future, Semple notes. Austin adds, "Risk mitigation is an important intangible when you calculate the return on this kind of investment."

Granted it's hard to do an apples-to-apples comparison based on that information, but I have to believe that a combination of WiKID and one of our SSO partners would be cheaper than that! For example, as our posted pricing shows, we charge $14/user per year for two-factor authentication for 2,000 users. Gluu, our most recent SSO integration partner, charges just $1200 per month for unlimited users on the private hosted identity service. That's $42,400 per year. If the county is paying the typical 18% support costs, then they are paying $31,500 per year plus the $175,000 up front!

There's an impact beyond the poor tax payers of Williamson County though.

Because Goshen County, Wyo., lacked the funding for a new authentication solution, staff took a creative approach to satisfy CJIS requirements, says Gary Meerkreebs, director of information technology for the county. Law enforcement officers and other remote public safety workers connect wirelessly to the county's WatchGuard Secure Sockets Layer VPN. The first level of authentication is based on the Media Access ­Control address of the endpoint. Only designated MAC addresses are allowed over the VPN and into specific ports through a firewall.

Security professional know how trivial it is to spoof MAC addresses. Again, we don't know what numbers Goshen County used or what they can afford, but there must be readers thinking "yeah, $175k, ain't gonna happen". That's too bad, because there are low-cost two-factor options.

The final sadness:

For PTI's Shark, data security tops the list of issues confronting local governments. "Of course, two-factor authentication is a good idea, but the bad guys are so far ahead of us," he says. "At the very least, we need to leapfrog to biometrics.

If you're saying 'we need three-factor authentication' that's one thing. If you're saying biometrics are more secure than authentication factors, then you're mistaken and once again making other systems administrators think they need to spend more money for security. Biometrics are bad because you can't change the secret. PERIOD. Secondly, biometrics will not  be a miracle security elixir. You're much better off investing in a SIEM or DLP or something that will provide defense-in-depth.

• ← The boy who cried "PWNAGE"!
• Big Data vs Easy Data: The WiKID OSSIM plugin →