Kootenai County accelerates multifactor authentication rollout; tokens offered as alternative

Kootenai County Elected Officials Meeting · April 16, 2026

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

County IT presented an accelerated plan to require multifactor authentication for remote access, offering $30 hardware tokens for staff who do not want to use personal phones and promising an after-action report on a recent systems outage.

Kootenai County elected officials heard April 15 that county IT has accelerated a rollout of multifactor authentication (MFA) to better secure remote access to county systems.

Grant Kinsey of Network Apt told the elected officials the county condensed several months of rollout work into a short period to "get continuity of government up and running as quickly as possible" after recent events. Kinsey said the county will use Duo for authentication and that the system requires a secondary physical object—most commonly a smartphone—to complete login verification.

Kinsey said the county will offer hardware tokens as an alternative for staff who do not want to use personal phones. "These tokens cost about $30 apiece," he said, adding that tokens can be issued from the Board of County Commissioners' budget and that departments can later decide whether replacement costs for lost or broken tokens would be covered by the department.

Kinsey emphasized that Duo's backend logs, not employees' personal phones, will be the authoritative record in any subpoena or investigation: "That entity would not be going to that person's phone to figure that out. That entity would be coming to me and looking at the logs of the main Duo system where it's guaranteed that the log is accurate." He offered to meet with staff to explain how the system works.

Officials raised practical questions about attorney use of authentication. Stan Mortensen said his office shares two on-call phones among 24–25 users and asked whether those phones could be used instead of issuing tokens. Kinsey said multiple phones can be registered to one user in Duo and offered to follow up on whether one phone can serve multiple users in the county's configuration.

Kinsey also described recommended security settings: the county will use Duo's "push" method with a three-digit code rather than text messages, which he called less secure. He said that choice is meant to avoid automated approvals by attackers who repeatedly prompt a device. He noted the Idaho Supreme Court had chosen a simpler push-button approach but said that configuration could enable a bad actor to approve repeated prompts.

On the Sheriff's Office, Kinsey said patrol connections have long been secured with a product called Deep Net and that the county plans to migrate that access into Duo to standardize authentication and reduce "MFA fatigue."

Kinsey acknowledged a recent systems outage and said the incident remains under investigation; he recommended an executive-session briefing or an offline debrief and said an after-action report will be prepared with the Office of Emergency Management.

The moderator and Kinsey committed to follow up with departments on details including alternatives for employees who decline phone-based authentication, token distribution and replacement policy, and whether existing on-call phones can meet attorneys' needs. The county did not take a formal vote on policy changes during the meeting.