The Washington Post
Democracy Dies in Darkness

The government is rolling out 2-factor authentication for federal agency dot-gov domains


Federal and state employees responsible for running government websites will soon have to use two-factor authentication to access their administrator accounts, adding a layer of security to prevent intruders from taking over dot-gov domains.

Officials at federal agencies such as the departments of Justice, State and Defense can begin adding two-step verification to their accounts on Monday, according to the General Services Administration, the agency that manages dot-gov domains for the U.S. government. In the coming months, state and local officials will be prompted to add the security feature.

Two-factor verification works by requiring a user to input both a password and a special code generated by a device in the possession of an authorized user. This means even if a password is compromised, a hacker would still need to steal a government worker’s physical device.

The tightening of dot-gov security controls is the latest move by the federal government to boost the security of its websites and databases, which continue to face cyberthreats. According to a July Government Accountability Office report, nation-state actors and unidentified hackers have recently attacked a variety of U.S. government computer systems. Cyberattacks targeting government infrastructure are expected to become more sophisticated and creative.

ZDNet previously reported on the rollout.

The GSA did not immediately respond to a request for comment.

Earlier this year, the Office of Personnel Management, the government agency that operates a central job-applications website for prospective federal employees, installed two-factor authentication for all users. In 2014, OPM suffered a massive breach in which hackers accessed the personal information of 22 million people. Two-factor authentication is considered by U.S. officials and security experts to be a fundamental and proven practice to improve cybersecurity.

“A password is all that protects your account right now, and passwords can be easier to obtain than you might think,” said the GSA in an FAQ explaining the move. “This raises the stakes for someone who wants to get into your account because now they have to get your password and your phone.”

According to the GSA, authorized account holders may not need to make changes to their information or to their dot-gov domain very often, but if a hacker takes control of an account, he or she could at any time alter what the public sees and interacts with when they navigate to a government website.

Government officials will use the Google Authenticator app on their mobile devices for two-factor verification. Once the account holders log in to the dot-gov domain with their password, they will be prompted to input a one-time code generated by the app to complete the sign-in process.
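The two-step sign-in the article describes, and the point made earlier that a stolen password alone is not enough, can be made concrete with the algorithm Google Authenticator implements: time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example written for this page; it is not code from the GSA, Google or The Washington Post, and it says nothing about how the real dot-gov registrar is built. The user table, the `login` function and the outcome strings are hypothetical, and the secret is the published RFC 6238 test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret ("12345678901234567890" in base32); a public
# constant used here only so the code can be checked against known vectors.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed demo credential store: username -> (password, base32 TOTP secret).
# Hypothetical; a real system stores a salted password hash, never the plaintext.
DEMO_USERS = {"webmaster": ("correct horse battery staple", RFC6238_SECRET_B32)}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as used by Google Authenticator: HOTP over the 30-second step."""
    return hotp(secret_b32, timestamp // step, digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps to
    tolerate clock drift; compare in constant time so timing cannot leak digits."""
    current_step = timestamp // step
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, current_step + drift)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


def login(username: str, password: str, code: str, timestamp: int) -> str:
    """Hypothetical two-step sign-in: password first, then the authenticator code.
    Returns an outcome string so the decision is visible to callers and tests."""
    record = DEMO_USERS.get(username)
    if record is None:
        return "denied: unknown user"
    stored_password, secret = record
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return "denied: bad password"
    if not verify_totp(secret, code, timestamp):
        return "denied: bad one-time code"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    current = totp(RFC6238_SECRET_B32, now)
    print("authenticator shows:", current)
    # Correct password with the wrong code is still refused.
    print(login("webmaster", "correct horse battery staple", "000000", now))
    # Password plus the code from the device succeeds.
    print(login("webmaster", "correct horse battery staple", current, now))
```

The `window` parameter is the usual trade-off: one step of tolerance on each side keeps a slightly drifted phone usable while still limiting how long any one code is valid. The constant-time comparisons matter for both factors, since a server that short-circuits on the first mismatched character leaks information about the stored value.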