US government rolls out 2-step verification for .gov domain owners
The US government is rolling out new security protections for .gov domains with measures meant to prevent DNS domain takeover attacks.
Starting last week, on October 1, DotGov, the registrar that manages official .gov domains for the US government, began rolling out a 2-step verification (2SV) system to protect .gov registrar accounts.
These are the accounts that sysadmins in federal, state, and local administration have used to register and manage official .gov government domains.
If an attacker phishes or brute-forces their way into one of these accounts, they can change DNS entries for the domain and redirect users to fake or malicious sites. As such, securing .gov registrar accounts is a crucial step in ensuring .gov domain security.
To address this issue, between October 1, 2018, and February 13, 2019, DotGov, which is part of the US General Services Administration, will prompt all .gov domain owners to set up 2-step verification for their accounts.
The 2SV mechanism that DotGov chose to implement is Google Authenticator.
Government domain owners will be asked to install the Google Authenticator app on their mobile devices, and after logging in on domains.dotgov.gov with their credentials, they'll have to scan a barcode with the app, and the app will generate a one-time code they can use for the second phase of the login process.
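The enrollment and login steps above rest on the time-based one-time password algorithm (TOTP, RFC 6238) that Google Authenticator implements. The following sketch is an added example, not DotGov's code: it shows the `otpauth://` URI a setup barcode encodes, the code the app derives from it, and a server-side check. The `Verifier` class, the account and issuer names, the one-step drift window and the replay rule are assumptions; the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote, urlencode

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that the enrollment barcode (QR code) encodes."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?" + urlencode({"secret": secret_b32, "issuer": issuer})

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code: HOTP (RFC 4226) computed over the 30-second time counter."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server side: tolerates +/- one step of clock drift
    and refuses any code from a time step that was already accepted."""
    def __init__(self, secret_b32, step=30, window=1):
        self.secret, self.step, self.window = secret_b32, step, window
        self.last_counter = -1  # highest time step accepted so far

    def verify(self, code, at):
        now = int(at) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # replay protection: each step is usable once
            expected = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

# Constructed sample data: RFC 6238 test key, made-up account and issuer.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(provisioning_uri(SECRET, "admin@agency.example", "Registrar-demo"))
    server = Verifier(SECRET)
    code = totp(SECRET, 59)
    print(code, server.verify(code, 59), server.verify(code, 59))
```

Because the shared secret in the barcode is all an authenticator needs to produce valid codes, the enrollment page and any stored copy of the secret need the same protection as the password itself.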
Enabling 2SV for tens of thousands of .gov domains will take a while. To ensure everything goes without a hitch, DotGov has split the rollout process into multiple phases across the next five months.
The full rollout schedule is below. The first date is when .gov domain owners can enable 2SV for their accounts, while the second date is when 2SV becomes mandatory and domain owners won't be able to log in without 2SV.
- GSA-owned domains: October 1 - 31
- Federal Agency: October 8 - November 7
- Native Sovereign Nation: October 8 - November 7
- County: October 22 - November 21
- State/Local Govt: November 5 - December 5
- City: Done in phases, based on the first letter of your username:
  - A - D: November 19 - December 19
  - E - J: December 5 - January 9, 2019
  - K - P: December 17 - January 23, 2019
  - Q - Z: January 14, 2019 - February 13
"This extra layer of security makes it harder for someone to log in as you, which protects the services you make available to the public via a .gov domain," DotGov said in an FAQ page with details about the 2SV rollout.