6 steps to secure mobile access
Connecting state and local government leaders
The IdentityX platform leverages the federal cloud and up to six ID factors to authenticate users, even those using devices not managed by the enterprise.
The growing use of mobile devices creates new challenges in authenticating the identity of government workers accessing online resources. A new cloud-based offering is intended to provide multi-factor mobile authentication as a service (MAaaS) for agencies.
The heart of the solution is the IdentityX authentication platform from Daon Solutions, hosted on the cloud provided by CGI Federal Inc., which earlier this year received FedRAMP approval.
Because the remote device is an untrusted platform it is used only for collection and delivery of data, and authentication takes place on the IdentityX server. Exchange of data between devices and the cloud is accelerated and secured by Akamai Technologies Inc.’s content delivery services. Agencies can customize access control policies to require up to six factors of user authentication, depending on the sensitivity of the resources being accessed.
The system also supports X.509 digital certificates derived from Common Access Cards or Personal Identity Verification cards to authenticate the mobile device. These secondary CAC or PIV certificates are bound to the device when it is enrolled in the service.
When accessing a government system, the user navigates to the system’s portal on the browser of the mobile device, which can be a smart phone, tablet or laptop. The steps to authentication:
1. The user begins the log-in process on the government site with a user name and password. At this point the hardware device can be authenticated using the X.509 certificate.
2. The request is passed to the IdentityX server in the CGI cloud, which contains agency access policies for the application. Based on these policies, the server sends a request to the device for the appropriate additional authentication factors. These factors can include:
- PIN
- Signature
- GPS location
- Fingerprint
- Palm print
- Facial image
- Speech recognition
3. Using the camera, microphone or other features of the device, the user sends the factors to the IdentityX server.
4. To reduce latency, the Akamai content delivery service encrypts and transmits data and responses between its edge servers and the CGI cloud.
5. IdentityX authenticates the response against data stored in the system. If it matches, the device is redirected to the system portal to complete log-in.
6. Once identity is verified, authorization to access resources is granted by the agency based on local access policies.
Mobile authentication as a service, or MAaaS, is available now and CGI is in discussion with several agencies.