The Army is working on additional authentication measures to provide more options to access Army online resources while maintaining the security of information-technology systems.
Army CIO/G-6 officials are working with Program Executive Office Enterprise Information Systems (PEO EIS) to consider alternatives to the Army’s current multi-factor authentication process, or MFA.
MFA requires users to prove their identity by presenting at least two points of verification across three major categories: something you know, something you have, and something you are, officials said.
“The commercial industry has seen that there’s a greater need for protection, making sure the right people are accessing the right accounts,” said Thaddeus Underwood, Identity Management and Communications Security division chief. “It makes sense that the Army is moving in the same direction. We are better protecting access to our IT networks to improve our cybersecurity posture by replacing username and password logins across the Army with MFA-secured options.”
Current MFA measures force Soldiers to use their Common Access Card and personal identification number to log into a government computer system, Underwood said. However, with a percentage of the Army currently serving in the Reserve or National Guard, some Soldiers don’t have consistent access to government computer systems.
“You’ve got Reserve and National Guard members who only come to a government facility on the weekend for their drill training,” Underwood said.
“If there is online training that they need to do … they could potentially do that from home if they have a CAC and CAC reader,” he said. “How do we provide them that level of access without having to use a CAC?”
The Army is considering two MFA alternatives: an authentication-type application that Soldiers can download to their mobile device, Underwood said, and a pre-registered USB-type device, known as a Yubikey.
The Army is looking into an authentication-type app to provide Soldiers access to official sites, without having to use a CAC and reader.
In theory, Soldiers will download the app to their smartphone and register their device online, linking it to their Army identity, Underwood said.
Once the app is registered, Soldiers will then log into official Army websites with their username and password. The site will trigger an MFA process and send a one-time-use passcode to the app on their device.
After entering the passcode into the website, the Soldier will be authenticated to the site. The MFA process will provide access to personnel records, online training, and other applications without the need of a CAC-enabled computer.
“We are at the final stages of developing the requirements. Next, we are going to ask commercial vendors to provide solution options,” Underwood said. “We expect to have an initial-app prototype by this fall.”
In addition to developing an app, PEO EIS is providing Yubikeys as an alternative option for MFA.
A Yubikey is a registered USB-type device that can be inserted into a computer’s USB port, like a self-contained CAC and CAC reader. The device serves as a second form of authentication after the user logs into an official website using username and password, Underwood said.
“The Yubikey solves the problem of not having a CAC and reader, but it doesn’t solve needing a physical piece of equipment,” Underwood said.
“This device will probably be a better solution for some of our mission partners such as the American Red Cross, and first responders that act when an incident happens … and don’t have a CAC to get access to our resources,” he added.
Yubikeys are currently going through integration testing by PEO EIS, Underwood said.
“Anytime you have new technology, you want to introduce it to existing technology and make sure that it will work,” he said. “We expect user testing and field testing to begin in May.”