US government rolls out 2-step verification for .gov domain owners

DotGov program rolls out support for the Google Authenticator app for the management of .gov domains.
Written by Catalin Cimpanu, Contributor

The US government is rolling out new security protections for .gov domains with measures meant to prevent DNS domain takeover attacks.

Starting last week, on October 1, DotGov, the official registrar that manages .gov domains for the US government, has begun rolling out a 2-step verification (2SV) system to protect .gov registrar accounts.

These are the accounts that sysadmins in federal, state, and local administration use to register and manage official .gov government domains.

If an attacker phishes or brute-forces their way into one of these accounts, they can change DNS entries for the domain and redirect users to fake or malicious sites. As such, securing .gov registrar accounts is a crucial step in ensuring .gov domain security.

To address this issue, between October 1, 2018, and February 13, 2019, DotGov, which is part of the US General Services Administration, will prompt all .gov domain owners to set up 2-step verification for their accounts.

The 2SV mechanism that DotGov chose to implement is Google Authenticator.

Government domain owners will be asked to install the Google Authenticator app on their mobile devices. After logging in on domains.dotgov.gov with their credentials, they'll have to scan a barcode with the app, which will then generate a one-time code they can use for the second phase of the login process.

Enabling 2SV for tens of thousands of .gov domains will take a while. To ensure everything goes without a hitch, DotGov has split the rollout process into multiple phases across the next five months.

The full rollout schedule is below. The first date is when .gov domain owners can enable 2SV for their accounts, while the second date is when 2SV becomes mandatory and domain owners won't be able to log in without 2SV.

  • GSA-owned domains: October 1 - 31
  • Federal Agency: October 8 - November 7
  • Native Sovereign Nation: October 8 - November 7
  • County: October 22 - November 21
  • State/Local Govt: November 5 - December 5
  • City: Done in phases, based on the first letter of your username:
    • A - D: November 19 - December 19
    • E - J: December 5 - January 9, 2019
    • K - P: December 17 - January 23, 2019
    • Q - Z: January 14, 2019 - February 13

"This extra layer of security makes it harder for someone to log in as you, which protects the services you make available to the public via a .gov domain," DotGov said in an FAQ page with details about the 2SV rollout.
