This article originally appeared in SearchSecurity on October 9, 2018.
The U.S. government began rolling out two-factor authentication for officials managing government domains, but the full rollout won’t be done until February 2019.
DotGov — the government domain registrar for all .gov domains — began rolling out 2FA on Oct. 1; the control is intended to prevent threat actors from hijacking an official’s account and redirecting traffic from a government domain to a malicious website.
So far, government domain officials managing websites for the U.S. General Services Administration, federal agencies and Native Sovereign Nations have been prompted to install Google Authenticator on their mobile devices and add the verification to logins. Over the next month, the rollout will expand to county, state and local government domain officials. Last will be city officials, for whom the rollout will run alphabetically by city name, beginning in mid-November and ending in January 2019.
Each group will have 30 days from the beginning of the rollout for their domains to ensure that all officials managing .gov sites have set up 2FA with Google Authenticator. The final deadline for the last group is Feb. 13, 2019. If an official has not set up 2FA by the deadline for their group, they will not be able to log in and manage their government domain.
While experts agreed that 2FA was a good step, there was debate over whether Google Authenticator was the best option for government domain officials.
Colin Bastable, chief revenue officer at Lucy Security, said DotGov would have done better to avoid using Google Authenticator.
“2FA is good, but locking in Google is unnecessary and inefficient. Google is a tainted brand as far as security goes,” Bastable wrote via email. “There are plenty of ways to deploy 2FA, and there are plenty of solutions that do not result in a monopoly supplier.”
John Callahan, CTO of Veridium, said Google Authenticator “could prove problematic for management.
“Assuming multiple administrators can use their own [time-based one-time password (TOTP)] per account, the loss or theft of the device means re-seeding or reliance on other admins,” Callahan wrote via email. “While it is possible to seed multiple devices for a single user (i.e., a backup phone), synchronization can be problematic. Transfer or revocation of DNS admin privileges must be managed centrally since the app cannot be purged selectively of entries even with EEM tools. In the end, TOTP really just provides proof of possession as the 2FA but could be strengthened using biometric protection of the 2FA itself.”
Mike Bittner, digital security and operations manager at The Media Trust, said 2FA for government domains was important because they “are frequent targets of malicious actors because of the sensitive information that is often entered into the sites,” but agreed that Google Authenticator might not be the best option.
“There are many reliable apps that can generate one-time codes. However, there are several reasons why, in general, apps have more potential vulnerabilities than physical devices that generate such codes. Most apps are supported by third-party code suppliers who tend to be less secure than their clients, often have their own contractors, and have trusted connections to their various clients. For these reasons, they, too, are popular targets for bad actors,” Bittner wrote via email. “If domain operators forego the use of physical code-generating devices for the use of mobile apps, they should ensure their app providers have carefully vetted their own third-party code suppliers.”
Bastable also noted the timeline for the 2FA rollout appeared to be slow.
“This is hardly rocket science. 2FA can be deployed quicker than that, and decision-making is always best devolved to the plethora of security teams that own the problem and are paid to solve it down at department, state and local level,” Bastable said. “Let’s hope we don’t end up paying for consultants to roll this out — it will probably turn into a payday all down the line.”
Tod Beardsley, director of research at Rapid7, disagreed with other experts and said he “loved everything about this plan.”
“The choice to use Google Authenticator means that the 2FA they’re setting up isn’t going to be susceptible to SMS interception, which is what was responsible for the recent Reddit breach and other breaches. I think the four-month timeline to get this done is pretty aggressive for a huge organization like the U.S. federal government, but if they nail it, they are basically proving that anyone who manages a lot of domains can do this just as quickly (or quicker),” Beardsley wrote via email. “These days, it’s irresponsibly dangerous to manage DNS registrations without some kind of second authentication factor, so I’m overjoyed that the dot-gov registrar is enforcing this critical, fundamental security control.”