Government Rolls Out Two-Factor Authentication for Federal Agency .gov Domains

WASHINGTON (The Washington Post) -

Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over .gov domains.

Officials at federal agencies such as the Departments of Justice, State and Defense can begin adding two-step verification to their accounts on Monday, according to the General Services Administration, the agency that manages official .gov domains for the U.S. government. In the coming months, state and local officials will be prompted to add the security feature.

Two-factor verification works by requiring a user to enter both a password and a short one-time code generated by a device in the possession of the authorized user. Even if the password is compromised, an attacker still needs a fresh code from the government worker's device, which in practice means stealing the phone or tricking the worker into handing over a code before it expires. The extra step secures the account by adding a second, independent layer of protection on top of the password.

The tightening of .gov security controls is the latest move by the federal government to boost the security of its websites and databases, which continue to face cyber threats. According to a July Government Accountability Office report, nation-state actors and unidentified hackers have recently attacked a variety of U.S. government computer systems, and attacks on government infrastructure are expected to become more sophisticated and creative.

Earlier this year, the Office of Personnel Management, the agency that operates a central job-applications website for prospective federal employees, enabled two-factor authentication for all users. In 2014, OPM suffered a humiliating breach in which hackers accessed the personal information of 22 million people. Two-factor authentication is considered by U.S. officials and security experts to be a fundamental and proven practice for improving cybersecurity.

“A password is all that protects your account right now, and passwords can be easier to obtain than you might think,” said the GSA in an FAQ explaining the move. “This raises the stakes for someone who wants to get into your account because now they have to get your password and your phone.”

According to the GSA, authorized account holders may not need to make changes to their information or to their .gov domain very often, but if a hacker takes control of an account, he or she could at any time alter what the public sees and interacts with when they navigate to a government website.

“This extra layer of security makes it harder for someone to log in as you, which protects the services you make available to the public via a .gov domain,” the GSA said.

Government officials will generate the second factor with the Google Authenticator app on their mobile devices. Once an account holder logs in to the .gov registrar with a password, the site prompts for the app's current one-time code to complete the sign-in. Google Authenticator implements the time-based one-time password standard (TOTP, RFC 6238): the app and the server share a secret that is enrolled once, and each six-digit code is derived from that secret and the current 30-second time window, so the phone needs no network connection to produce it.