Security
Authentication & MFA
AAL2 multi-factor authentication for all users, enforced via FIPS-validated identity providers.
Requirements — IA-2(1)
CJIS Security Policy v6.0 IA-2(1) requires multi-factor authentication at AAL2 (Authenticator Assurance Level 2) for all individuals accessing CJI. This applies to every officer and judge using EasyWarrant — with no exceptions.
Identity Provider
EasyWarrant uses a FIPS-validated identity provider for all authentication:
- Auth0 Government — FedRAMP Moderate / FIPS-validated; AAL2 capable
- Okta FedRAMP High — FedRAMP High authorized; AAL2 capable
Custom MFA implementations are explicitly prohibited. Only FIPS-validated IdPs with CJIS-compatible configurations are used.
AAL2 Requirements
Authenticator Assurance Level 2 (NIST SP 800-63B) requires:
- Proof of possession of a physical authenticator or cryptographic device
- Authentication through a secure channel (TLS 1.3)
- Approved cryptography for all authenticator operations (FIPS-validated)
- Phishing-resistant authenticators recommended (FIDO2/WebAuthn or PIV)
Accepted MFA Methods
| Method | AAL2 | Notes |
|---|---|---|
| FIDO2 / WebAuthn hardware key | ✓ | Recommended — phishing-resistant |
| PIV / CAC smart card | ✓ | Preferred for federal/state agencies |
| TOTP authenticator app | ✓ | Acceptable — not phishing-resistant |
| Push notification (Okta/Auth0) | ✓ | Acceptable with FIPS-validated IdP |
| SMS one-time code | ✗ | Not acceptable under CJIS AAL2 |
| Email one-time code | ✗ | Not acceptable under CJIS AAL2 |
Session Timeout Controls
| Control | Value | CJIS Reference |
|---|---|---|
| Inactivity timeout | 60 minutes | SC-10 — enforced server-side |
| Maximum session duration | 12 hours | CJIS policy — reauth required after |
| Session termination | Immediate on logout or timeout | All session keys destroyed |
| Concurrent sessions | Configurable per agency | Admin dashboard setting |
Server-side enforcement
Session timeouts are enforced server-side — not solely by the client. A client that remains open past the inactivity limit will have its server session invalidated regardless of client state.
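The following sketch shows what server-side enforcement of the two limits in the table above looks like in practice. It is an added example, not EasyWarrant's code: the 60-minute inactivity limit and 12-hour maximum come from the page, while the in-memory store, the injectable clock, the opaque token format and the per-session key that is zeroed on termination are assumptions made for illustration. The point it demonstrates is that validity is decided from the server's own clock and its own record of activity, so a client left open cannot keep a session alive, and continued activity cannot extend one past the absolute limit.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Limits from the page's session-timeout table.
INACTIVITY_LIMIT = 60 * 60         # 60 minutes of inactivity
MAX_SESSION_DURATION = 12 * 3600   # 12 hours absolute, then reauthentication


@dataclass
class Session:
    user_id: str
    created_at: float     # server time at login
    last_seen: float      # server time of the last validated request
    # Per-session secret (constructed for the example); zeroed on termination.
    key: bytearray = field(default_factory=lambda: bytearray(secrets.token_bytes(32)))


class SessionStore:
    """In-memory session store (assumption; a real deployment would use a
    shared store so every application node sees the same expiry state)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                    # injectable so expiry can be tested
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        """Start a session after the IdP has completed MFA; return the client token."""
        now = self._clock()
        token = secrets.token_urlsafe(32)      # opaque handle, carries no claims
        self._sessions[token] = Session(user_id=user_id, created_at=now, last_seen=now)
        return token

    def _destroy(self, token: str) -> None:
        """Remove the session and overwrite its key so it cannot be reused."""
        session = self._sessions.pop(token, None)
        if session is not None:
            for i in range(len(session.key)):
                session.key[i] = 0

    def logout(self, token: str) -> None:
        self._destroy(token)

    def validate(self, token: str) -> Optional[Session]:
        """Return the session if it is still valid; otherwise destroy it and return None.

        Both checks use the server clock and the server's last_seen record, so
        client state (an open tab, a cached cookie) has no influence on the outcome.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_for = now - session.last_seen
        age = now - session.created_at
        if idle_for > INACTIVITY_LIMIT or age > MAX_SESSION_DURATION:
            self._destroy(token)
            return None
        session.last_seen = now                # this request counts as activity
        return session

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    # Stand-alone demo with a controllable clock (constructed values).
    fake_now = [1_000_000.0]
    store = SessionStore(clock=lambda: fake_now[0])
    token = store.create("officer-1")
    fake_now[0] += 61 * 60                      # 61 minutes idle
    print("valid after 61 min idle:", store.validate(token) is not None)
```

`validate` is the single choke point every request passes through; because it both checks and refreshes `last_seen`, the inactivity window is measured from the last request the server actually accepted, not from anything the client reports.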
Background Check Requirement
All users of EasyWarrant — officers, judges, and agency administrators — must have completed a fingerprint-based background check before receiving system access. This is a CJIS requirement that agencies are responsible for verifying and certifying before provisioning user accounts.