"The White House made a big push to make sure that OPM and every other agency is using strong authentication for everywhere," says Jeremy Grant, managing director for technology, business and strategy at Washington, D.C.-based Venable LLP. Grant headed the national strategy for trusted identity in cyberspace for the Obama administration.
One approach is the set of standards from the FIDO Alliance, which let websites and applications authenticate users with biometric scanners that keep the biometric data on the user's device instead of in a central database. "The upcoming guidance from NIST recognizes FIDO as the highest level of assurance for authentication," Grant says.
First, the system protects fingerprints, retina scans and other biometric information from being stolen in the first place, by storing it in a hardened, secure area on a smartphone or other device. Second, if the fingerprint image is stolen anyway, say, during the OPM breach, and someone creates a dummy finger with it, the attacker would also have to steal the user's authentication device in order to make use of it, says Grant.
"They'd have to steal my phone, and incapacitate me so that I couldn't use my Find my iPhone function and brick it," he says. "And if someone has stolen my phone and has me incapacitated, I have much bigger problems."
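The two protections Grant describes, shown as an added simulation in Go (not code from the article, the FIDO Alliance or any vendor): the server keeps only a public key, the biometric template and the private key stay on the device, and a stolen template presented from another device produces no signature the server will accept. The `Authenticator` and `Server` types, the hashed template check and the sample fingerprint bytes are constructed simplifications; real FIDO authenticators use a secure element and fuzzy biometric matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: the biometric template (stored here as
// a hash, standing in for a secure enclave) and the private key never leave it.
type Authenticator struct {
	templateHash [32]byte
	priv         ed25519.PrivateKey
}

// Server holds one public key per user and no biometric data at all.
type Server struct{ pubKeys map[string]ed25519.PublicKey }

// NewAuthenticator enrolls a biometric locally and mints a device-bound key pair;
// only the public half goes to the server at registration.
func NewAuthenticator(biometric []byte) (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{templateHash: sha256.Sum256(biometric), priv: priv}, pub, nil
}

// Sign releases a signature over the server's challenge only after the presented
// biometric matches the locally enrolled template.
func (a *Authenticator) Sign(presented, challenge []byte) ([]byte, error) {
	if sha256.Sum256(presented) != a.templateHash {
		return nil, errors.New("local biometric match failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

func NewServer() *Server { return &Server{pubKeys: map[string]ed25519.PublicKey{}} }

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge is a fresh random nonce, so a captured signature cannot be replayed.
func (s *Server) Challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Verify accepts only a signature made with the key registered at enrollment.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A breach of the server's database here yields public keys only, which is the property that makes the stolen-fingerprint scenario in the article far less useful to an attacker.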
Some agencies do have to keep biometric data on file, he agrees. Police departments, for example, have to collect fingerprints at crime scenes. And, of course, the federal government has to collect fingerprints when it does its security checks.
"When you have to store highly sensitive information, it should be absolutely table stakes to use multi-factor authentication," says Brett McDowell, executive director at the FIDO Alliance.
In addition, access should be limited to just those people who need it, says Gus Coldebella, attorney at Boston-based Fish & Richardson P.C. and former acting general counsel of the U.S. Department of Homeland Security under George Bush. "You have to determine if an employee is entitled to see some segment of information, and should be restricted to just that," he says. "That employee might not actually be that employee. It might be a nation-state-sponsored actor who successfully spear-phished the credentials."
Finally, the information itself should be stored in encrypted form. OPM began a major encryption push in 2016, and it will be completed by the end of this year, OPM CISO Cord Chase told the House Oversight Committee in February.
One of the problems uncovered after the initial breach was that many of OPM's systems were being used without a Security Assessment and Authorization. By the end of 2016, according to an audit report, 18 major systems still had no valid authorization in place.