Rollout of two-factor authentication begins for .gov registrars
Editor’s note: The story originally stated that all government users would be required to download the two-factor authentication app. Admins of .gov sites are required to download the app.
Admins of .gov domains will soon be required to log on with not only a password, but also a code from Google Authenticator.
The rollout, which began this month, affects those who hold .gov registrar accounts, including those who have administrative, billing and tech reasons for accessing that information.
The General Services Administration posted on its DotGov site that it would be adding Google Authenticator capabilities to all accounts between now and February 2019.
The Google app — one of the more prominent methods of two-factor authentication (2FA) — comes into play when a user logs in with a normal username and password combination. The app sends a separate, one-time code to an authorized mobile device, and the user is then required to enter it on the website. There is no cost to download the app.
Two-factor authentication is now a key feature of many email and online services, and it has become more of an imperative for government websites in the wake of highly publicized breaches, including one last month at the State Department. The lack of multi-factor authentication on federal networks has recently been a bone of contention for congressional leaders.
GSA said registrars should download and begin using Google Authenticator based on the following schedule:
- GSA-owned domains: Oct. 1-31.
- Federal agencies: Oct. 8-Nov. 7.
- Native sovereign nations: Oct. 8-Nov. 7.
- County government: Oct. 22-Nov. 21.
- State/local government: Nov. 5-Dec. 5.
- City government: Done in phases, based on the first letter of a username, from Nov. 19 through Feb. 13, 2019.
Government officials currently using an authentication method other than Google Authenticator can continue to use their app, but DotGov will only provide support to the Google application.
Older government-issued mobile devices will also need to be updated in their settings mode to accommodate two-factor authentication, GSA said.
GSA officials were not immediately available for comment on the offering. ZDnet first reported the news of the two-factor offering.