Cost of two factors adds up

SPECIAL REPORT: Case study no. 2 | Authentication steps could be difficult for existing equipment.

Federal IT officials agree that the adoption of two-factor authentication technology will be speeded by the rollout of new smart-card credentials for federal employees, but some warn that retrofitting mobile devices for the function is a costly unfunded mandate.


“I think it is going to be expensive,” one senior federal IT manager said of equipping mobile gear with the required biometric or public-key encryption readers. “Most equipment does not have anything that would support these biometrics.”


He pointed to the need to equip notebook PCs, and theoretically even mobile media devices, with PKI readers, platens to capture fingerprints or units that could register iris scans of authenticated users to achieve two-factor authentication.
That cost won’t be a problem for mobile gear certified for use of secret information, which already includes biometric peripherals, the official said. But OMB has mandated two-factor authentication for all mobile systems and media, a much more challenging task, and it has done so without providing funds for the job.


The senior federal IT manager estimated that the cost of adding the needed biometric equipment to existing notebooks would reach $15 to $20 per unit at the cheapest level, which would involve providing a contact PKI reader.


“Those costs can mount up quickly across an agency,” the official said.
He added that agencies lacking PKI credential programs would face the additional cost of launching them to support two-factor authentication.


Homeland Security Presidential Directive-12 and its technical standards laid the groundwork for secure biometric identification via PKI credentials.


The HSPD-12 process created the back end for two-factor authentication by enrolling users, matching their identities to the tokens they carry and providing the additional factors, such as passwords and biometric records, to close the circle of identity, experts said.


Mark Day, former Environmental Protection Agency chief technology officer and now CTO of McDonald Bradley Inc. of Herndon, Va., said, “The two-factor authentication requirement is inextricably linked to HSPD-12. Most agencies are moving fairly rapidly on that. We [at EPA] had it for remote access two years ago.”


In a similar vein, Shannon Kellogg, director of government and industry affairs for RSA Security Inc., said OMB’s guidance “has made a significant difference in terms of agencies paying attention to multiple-factor authentication.”
