Advanced Authentication (2 Factor) Keeps you Compliant

Section 5.6.2.2 of the CJIS Security Policy requires that agencies use Advanced Authentication when accessing CJI from a non-secured location.  Hosted 2 Factor Authentication from CJIS Solutions addresses the entire section and meets the Out-Of-Band requirement as well.

Simplistic

With a cop-simple solution that requires no servers to own, CJIS Solutions is the easy answer to 2 Factor Authentication. A simple, easy to use management portal keeps you in control without overwhelming you.

Save Money

No crazy fees here. There's a one-time token purchase, and since tokens never expire, there are no recurring purchases to make. Low per-user annual fees and unlimited free device agents keep your costs WAY down.

How it works

Your tech installs a small, free agent onto the device that you want to secure. Once complete, users will need to gain access with our 2 Factor Solution from that point forward. A user will approach the device and enter their user name, PIN, and one-time passcode from either the USB Key or phone app. Once they hit enter, the agent checks the One Time Passcode against our server and either authenticates or denies access. It's that simple.

MEET EVERY CJIS POLICY 2 FACTOR REQUIREMENT

Everything you need - One Location - Low Rates

No Server to Own

We're hosting the authentication servers so there's nothing for you to purchase or manage.

Access from Anywhere

Users can authenticate against our hosted servers from anywhere. This keeps your devices secure no matter where they are.

Use Without Internet

Users are able to authenticate prior to 4G/Internet access.

LOW Rates

Tokens never expire and low annual per-user rates keep your costs WAY down.

Cop Simple

Easy to use, easy to understand. Our solution will stop headaches before they happen with non-tech-savvy officers.

Hard or Soft Tokens

Choose from a phone app or USB key. Neither goes bad and neither expires. No expiration dates mean no need to purchase twice.

You're in Control

Secure management portal puts you in complete control. Manage users, tokens, access groups, all from an easy to use portal.

Active Directory Integration

Our solution works with or without Active Directory. A secure sync agent keeps your users up to date instantly.

FACT CHECK AGAINST THE POLICY

Section 5.6.2.1.1 requires a password and section 5.6.2.1.2 requires a PIN. CJIS Solutions' 2 Factor Authentication solution requires the user to create their own PIN at the time of token enrollment. For tokens that are programmed prior to shipment, a PIN that meets the strict sequence requirements is generated for the user.

Users can still use a password for local access; however, a PIN with One Time Passcode will always be required when accessing with our solution.

Section 5.6.2.2.1 of the CJIS Security Policy describes the “something you have” and “something you know” requirement. CJIS Solutions 2 Factor Authentication combines both of these requirements. The something you “have” would be your USB or Phone token, and the something you “know” would be your PIN issued at enrollment.

The following AA Decision Tree, coupled with figures 9 and 10 in the CJIS Policy, assists decision makers in determining whether or not AA is required.

1. Can request’s physical originating location be determined?

If either (a) or (b) below are true the answer to the above question is “yes”. Proceed to question 2.

a. The IP address is attributed to a physical structure; or
b. The mnemonic is attributed to a specific device assigned to a specific location that is a physical structure.

If neither (a) or (b) above are true then the answer is “no”. Skip to question number 4.

2. Does request originate from within a physically secure location as described in Section 5.9.1?

If either (a) or (b) below are true the answer to the above question is “yes”. Proceed to question 3.

a. The IP address is attributed to a physically secure location; or
b. If a mnemonic is used it is attributed to a specific device assigned to a specific physically secure location.

If neither (a) or (b) above are true then the answer is “no”. Decision tree completed. AA required.

3. Are all required technical controls implemented at this location or at the controlling agency?

If either (a) or (b) below are true the answer to the above question is “yes”. Decision tree completed. AA requirement waived.

a. Appropriate technical controls listed in Sections 5.5 and 5.10 are implemented; or
b. The controlling agency (i.e. parent agency or agency leveraged as conduit to CJI) extends its wide area network controls down to the requesting agency and the extended controls provide assurance equal or greater to the controls listed in Sections 5.5 and 5.10.

If neither (a) or (b) above are true then the answer is “no”. Decision tree completed. AA required.

4. Does request originate from an agency-controlled user device?

If either (a) or (b) below are true the answer to the above question is “yes”. Proceed to question 5.

a. The static IP address or MAC address can be traced to registered device; or
b. Certificates are issued to agency managed devices only and certificate exchange is allowed only between authentication server and agency issued devices.

If neither (a) or (b) above are true then the answer is “no”. Decision tree completed. AA required.

5. Is the agency managed user device associated with and located within a criminal justice conveyance?

If any of the (a), (b), or (c) statements below is true the answer to the above question is “yes”. Proceed to Figure 9 Step 3.

a. The static IP address or MAC address is associated with a device associated with a criminal justice conveyance; or
b. The certificate presented is associated with a device associated with a criminal justice conveyance; or
c. The mnemonic presented is associated with a specific device assigned and that device is attributed to a criminal justice conveyance.

If none of the (a), (b), or (c) statements above are true then the answer is “no”. Skip to question number 7.

6. Is the user device an agency-issued and controlled smartphone or tablet?

If both (a) and (b) below are true, the answer to the above question is “yes.” Proceed to question number 7.

a. The law enforcement agency issued the device to an individual; and
b. The device is subject to administrative management control of the issuing agency.

If either (a) or (b) above is false, then the answer is “no.” Decision tree completed. AA required.

7. Does the agency-issued smartphone or tablet have CSO-approved AA compensating controls implemented?

If (a) and (b) below are true, the answer to the above question is “yes.” Decision tree completed. AA requirement is waived.

a. An agency cannot meet a requirement due to legitimate technical or business constraints; and
b. The CSO has given written approval permitting AA compensating controls to be implemented in lieu of the required AA control measures.

If either (a) or (b) above is false then the answer is “no.” Decision tree completed. AA required.

Section 5.6.3.1 of the CJIS Security Policy delineates that agencies shall individually secure the device but authenticate the user.  Although you’re able to “group” users to a device, the CJIS Solutions 2 Factor Authentication system authenticates each user individually to prevent “shared access”.

Section 5.6.3.2 of the CJIS Security Policy requires that there be strict controls over lost access devices (i.e., tokens). CJIS Solutions meets this requirement by using a process that renders any lost/stolen token completely useless in any system. In addition, new users can be reassigned the same physical USB token (without the need to purchase one). The originally issued One Time Passcode functionality is completely wiped and reset. This meets the policy’s needs while saving you money.

The Advanced Authentication section of the CJIS Security Policy requires that any solution that is used must be Out of Band. This means that the authentication method cannot be delivered to the same device being secured. Using a USB key makes it impossible to violate this section. The same holds true when using a phone app, as it’s not possible to generate and view a key on the same phone you would try to access. Therefore, both methods delivered by CJIS Solutions meet this requirement.

LOW – SIMPLE PRICING

1-100 users: $48.00/year/user (One Time Purchase)
100+ Users: $36.00/year/user (One Time Purchase)
USB Key: $80.00 (One Time Cost)
Phone App: $70.00 (One Time Cost)
Setup: $3.00 (One Time Cost)
Device/Server Agents: Free & Unlimited

NEED MORE INFORMATION OR READY TO ORDER? CONTACT US NOW!
