Simpler sign-on for police officers
- By Matt Leonard
- Oct 27, 2016
Police officers on patrol access a variety of computer systems from their in-vehicle laptops – from local ticketing systems to state Department of Motor Vehicles databases to the FBI National Crime Information Center – all of which require unique, secure authentication.
Juggling the security requirements of those myriad systems creates a logistical headache when combined with the often fast-paced demands of police work, said Don Tobin, the transportation lead at the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence.
And when officers leave their car -- whether to pursue a suspect or take a lunch break -- they must decide either to leave their computers unlocked or sign out and then re-login when they return.
“If they have to respond to a call while they’re on lunch, then they need to get in the car and get on that laptop right away because most of the information to respond to the call is coming from that laptop,” Tobin said.
The police vehicle environment presents a unique challenge. Laptops in patrol cars are vulnerable to being physically compromised so they should be tightly secured, but complex security controls might delay response or compromise safe vehicle operation.
That’s why NIST wants to come up with a sign-on solution for vehicle-based law enforcement computer systems. A project description published earlier this year says the solutions should be more than a simple screen lock controlled by either proximity, biometric or a combination of sensors. The more user-friendly approach NIST is looking for would combine a sensor-based approach with reduced-sign-on tools to increase user satisfaction and reduce risk to sensitive databases by avoiding questionable password management issues – such as passwords recorded on spreadsheets or sticky notes.
A simple screen lock is not sufficient, especially on a Windows system, Tobin said, because it can be easily bypassed. Instead, NIST wants to consider application-level locks, which would add a layer of security while making the applications more user friendly, Tobin said. The NIST solution would act as a single sign-on for as many applications as technology allows, although some older applications and systems might not be able to be included, he said.
A scenario in the project description describes how the two systems might work together: “When the officer exits the vehicle, a proximity token with a reader, door switch, or similar system automatically locks the laptop screen and possibly suspends access to remote applications. When the officer returns, a simplified authentication, such as a biometric or proximity token with a reader, could automatically unlock the laptop and restore access to remote applications. If the officer has been gone for a longer period of time, a stronger form of authentication could be required.”
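The scenario above can be modeled as a small step-up authentication state machine. The following is an added illustration, not code from NIST or the project description; the class and method names are hypothetical and the 15-minute threshold is an assumption, since the description only says "a longer period of time."

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Auth(Enum):
    NONE = 0        # session is open, nothing required
    SIMPLIFIED = 1  # biometric or proximity token with a reader
    STRONG = 2      # stronger form of authentication

# Assumed value: the project description gives no number for a "longer" absence.
LONG_ABSENCE_SECONDS = 15 * 60

@dataclass
class VehicleSession:
    locked: bool = False
    remote_apps_suspended: bool = False
    left_at: Optional[float] = None

    def officer_exits(self, now: float) -> None:
        """Proximity token, door switch or similar sensor reports the officer left."""
        # Ignore repeat sensor events so a second signal cannot reset the absence clock.
        if not self.locked:
            self.locked = True
            self.remote_apps_suspended = True
            self.left_at = now

    def required_auth(self, now: float) -> Auth:
        """Authentication level the officer must present at time `now`."""
        if not self.locked:
            return Auth.NONE
        away = now - self.left_at
        # Fail closed if the clock went backwards: demand the stronger factor.
        if away < 0 or away >= LONG_ABSENCE_SECONDS:
            return Auth.STRONG
        return Auth.SIMPLIFIED

    def officer_returns(self, now: float, presented: Auth) -> bool:
        """Unlock and restore remote access only if the presented factor suffices."""
        if presented.value < self.required_auth(now).value:
            return False  # stay locked; remote applications remain suspended
        self.locked = False
        self.remote_apps_suspended = False
        self.left_at = None
        return True
```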
NIST also plans to study the security of data that is entering and leaving a police vehicle, Tobin said. But the agency is still working to identify issues for a project description later this year or early next. “We’re still looking at defining the exact problem,” he said.
The authentication project is currently in a comment phase that has been extended to Nov. 10. After the comment period, NIST will evaluate the proposed solutions in a lab and then publish its findings for other organizations to follow.
Matt Leonard is a former reporter for GCN.