Cost of two factors adds up

SPECIAL REPORT: Case study no. 2 | Authentication steps could be difficult for existing equipment.

Federal IT officials agree that the adoption of two-factor authentication technology will be speeded by the rollout of new smart-card credentials for federal employees, but some warn that retrofitting mobile devices for the function is a costly unfunded mandate.

“I think it is going to be expensive,” one senior federal IT manager said of equipping mobile gear with the required biometric or public-key encryption readers. “Most equipment does not have anything that would support these biometrics.”

He pointed to the need to equip notebook PCs, and theoretically even mobile media devices, with PKI readers, platens to capture fingerprints or units that could register iris scans of authenticated users to achieve two-factor authentication.

That cost won’t be a problem for mobile gear certified for use of secret information, which already includes biometric peripherals, the official said. But OMB has mandated two-factor authentication for all mobile systems and media, a much more challenging task, and it has done so without providing funds for the job.

The senior federal IT manager estimated that the cost of adding the needed biometric equipment to existing notebooks would reach $15 to $20 per unit at the cheapest level, which would involve providing a contact PKI reader.

“Those costs can mount up quickly across an agency,” the official said.

He added that agencies lacking PKI credential programs would face the additional cost of launching them to support two-factor authentication.

Homeland Security Presidential Directive-12 and its technical standards laid the groundwork for secure biometric identification via PKI credentials.

The HSPD-12 process created the back end for two-factor authentication, by enrolling users, matching their identities to the tokens they carry and providing the additional factors such as passwords and biometric records to close the circle of identity, experts said.

Mark Day, former Environmental Protection Agency chief technology officer and now CTO of McDonald Bradley Inc. of Herndon, Va., said, “The two-factor authentication requirement is inextricably linked to HSPD-12. Most agencies are moving fairly rapidly on that. We [at EPA] had it for remote access two years ago.”

In a similar vein, Shannon Kellogg, director of government and industry affairs for RSA Security Inc., said OMB’s guidance “has made a significant difference in terms of agencies paying attention to multiple-factor authentication.”
