This is the time to be thankful, and let me please start by saying how thankful I am to be clear of the RAZR and Treo I was carrying around. I have nothing but love for my new phone. But…
Like most or many federal employees, I have an ID card, technically known as an HSPD-12 badge. It looks just like this, only with a much more attractive picture. Just kidding. See that little gold thing towards the bottom? When I insert that into my laptop it sends a signal to initiate the authentication process. When I type in my PIN or password it completes that process and allows me access to the LAN, network resources, the Intranet, email etc.
It is good because it is easy and secure. It is more secure than a really hard password simply because it has 2 factors: something you have and something you know. The thing you have is the card. The thing you know is the PIN or password. Either of these without the other is not good enough to authenticate a user. I might lose my card, and we wouldn’t want someone else going around pretending to be me. So, I have a PIN, which, for me, is easy to remember, but is not likely to be guessed. The problem with this is that the laptop I use, while really nice, is like 22″ by 17″ by 2″ and weighs 5 pounds. It’s cool for taking on a plane when I have to go on a trip, or for working at home. But when I go to a meeting and want to be able to check my email between meetings, it’s kind of a pain there. It doesn’t easily fit into my pocket.
But, what I do have is my new Droid. I could check email and my calendar and do lots of stuff that I would normally do on my laptop on this smartphone, and, bonus, it does easily fit into my pocket. The issue that I have is in authentication. Thus, while I have a really hard password, that is like honestly 18 characters, upper, lower, alpha, numeric and special, it is a real pain to try to type that super hard password into my new phone.
As such, I propose a marriage. Build a smartphone that includes the capability for me to insert my HSPD-12 badge into it (Factor 1) and allow me to type in my PIN (Factor 2). This would allow me to access all of the same resources I use when I’m logged into my laptop without going through GOOD. No offense to GOOD, I just don’t like your software. My opinion is that Good is unproductivity software because it makes things more difficult.
So let’s try to create a hardware solution to authentication. Try to focus on 2-factor and make use of stuff that most of us have anyway. Put a card reader on a smartphone and I guarantee you will command this segment of users. If you want to take it to the next level you will create an app store by agency that will allow USDA to identify the applications that can be installed on USDA smartphones and HHS to identify the applications that can be installed on their phones. Then, as an authenticated employee, I can cruise through that store to install the applications that I want, and we get to avoid applications that hold risk.
Good point, but the user must carry extra hardware for this solution to work on the go. The solution I’m looking for would have this Bluetooth device embedded within the smartphone so I don’t have to carry around extra stuff, nor enable the Bluetooth service on the phone. Each additional service activated on my phone is a potential drain on my battery. As for the risk, it should be the same as with a laptop: if it is inactive for the prescribed length of time it goes inactive and must re-authenticate. But generally we should try hard to not leave it in a taxi.
I looked at the solution deployed by Apriva, and it looks good, but I think an integrated solution can be developed.