Section 5.6.2.2 of the CJIS Security Policy requires agencies to use Advanced Authentication when accessing CJI from a non-secure location. In keeping with CJIS compliance, CPI has implemented OpenFox® Soft Tokens v1.0 for the Oklahoma Law Enforcement Telecommunications System (OLETS). CPI enhanced the existing OpenFox advanced authentication method to work with CPI-generated Google Authenticator soft tokens.
CPI modified the OpenFox Message Switching System to enable soft token functionality. CPI generated the initial quantity of soft token credentials as specified and imported them into the token database on the OLETS OpenFox Message Switch.
The soft token credentials are now available for the OLETS Administrator to configure and verify during the login process. CPI provided OLETS with Soft Token ID numbers, a Google Authenticator QR-code URL, production documentation, and training.
More about OpenFox Soft Tokens:
OpenFox Soft Tokens replicate the security advantages of multifactor authentication while simplifying distribution and lowering costs. A smartphone soft token app performs the same task as a hardware-based security token. Like a hardware token, a smartphone provides an easy-to-protect and easy-to-remember location for secure login information, with one-time password (OTP) functionality using Google Authenticator.
Problem Worth Solving
As technology and threats become more dynamic every day, law enforcement agencies continue to demand more access to more vital information while striving to become more secure. CJIS Security Policy 5.9, section 5.6.2.2 requires agencies to use Advanced Authentication (AA) when accessing CJI from a non-secure location. To assist agencies in meeting this requirement, CPI has enhanced the OpenFox Advanced Authentication solution to include support for soft token authentication in the most secure and cost-effective manner. Software tokens can offer security, ease of management, and financial savings, and can assist in higher sales of new products and with current customers.
Our solution
The OpenFox Soft Token Authenticator is a software advanced authentication solution that is integrated with the current OpenFox Message Switch user repository. During login, a one-time passcode (OTP) is distributed to the user on a mobile application, so the user can access the system simply by entering their username and their secret PIN plus the OTP from Google Authenticator.
Ease of Management
Soft Tokens are easy to manage because most are driven by mobile apps. Users can easily download and install Google Authenticator onto their devices themselves—without IT assistance or having to wait for shipping and delivery of a hard token. This is especially convenient for agencies with officers & employees in geographically dispersed locations.
Cost-Effective
OpenFox Soft Tokens are a low-cost authentication option because this method can leverage users’ existing mobile devices. This offers significant cost savings versus using hard tokens that must be purchased & shipped for each individual user. Additionally, the Google Authenticator app is available as a free download in mobile app stores.
Added Security
The OpenFox one-time passcode (OTP) using Google Authenticator benefits from the added security of the devices on which the mobile authenticator apps reside. The PIN codes, FaceID, and TouchID integrated into smartphones protect the OTP generator from unauthorized access if a user’s device falls into the wrong hands.
Furthermore, soft OTPs are more reliable than SMS or email-based OTPs because the information is not transmitted over the internet and is not visible on locked screens if the user has notifications turned on.
What’s Next?
CPI now offers soft token support as well as the existing hard token support to our customers. Over the next few months, CPI will be implementing the soft token support into our existing customer systems. Both soft tokens and hard tokens can be purchased en masse by the state agency, or CPI can directly invoice the local agency using the soft tokens for system access.
Installation times may vary; please contact sales for more information and to get on the list.