What is Advanced Authentication?
Advanced or Multi-Factor Authentication (MFA) is required for all remote access to Criminal Justice Information (CJI) systems.
The purpose is to ensure that users are verified using more than one unique factor of authentication before gaining access to secure systems.
CJIS Policy Requirements
(CJIS Security Policy Section 5.6.2.2) — Required for authentication outside of a “Physically Secure Area.”
“The intent of Advanced Authentication is to meet the standards of two-factor authentication. Two-factor authentication employs the use of two of the following three factors of authentication:
something you know (e.g., password), something you have (e.g., hard token), something you are (e.g., biometric).
The two authentication factors shall be unique (i.e., password/token or biometric/password but not password/password or token/token).”
— CJIS Security Policy 5.6.2.2.1
Modern Authentication Methods
In prior years, agencies relied on paper-based inert tokens (e.g., printed BINGO cards or paper tokens).
These are no longer sufficient under modern CJIS standards due to the risk of loss, duplication, and lack of phishing resistance.
JusticeConnect Version 3 introduces modern authentication options that meet current CJIS and NIST SP 800-63B / NIST IR 8523 requirements.
1. Passkeys / FIDO2 Authentication
JusticeConnect now supports FIDO2 (passwordless) authentication — the new industry standard for secure, phishing-resistant login.
- Users log in using only a username and passkey.
- Credentials are securely stored on a hardware token such as YubiKey 5 or YubiKey Bio.
- FIDO2 encryption ensures compliance with CJIS and NIST AAL2/AAL3 assurance levels.
- Biometric verification (fingerprint or facial recognition) is supported on compatible devices.
- No smartphone or external app is required.
- Users can self-enroll via the JusticeConnect Admin Portal from within a secure facility.
2. Time-Based One-Time Password (TOTP) Authentication
As an alternative to hardware tokens, JusticeConnect continues to support TOTP-based MFA for agencies that issue secure mobile devices.
- TOTP codes are generated every 30–60 seconds via an agency-approved authenticator app.
- Each code is unique, time-limited, and cannot be reused.
- When combined with a strong password, TOTP satisfies CJIS 5.6.2.2 for two-factor authentication.
- TOTP must be configured on an agency-owned smartphone only.
3. Biometric Authentication
Agencies should enable biometric authentication for convenience and additional security, including Windows Hello, Touch ID, or Face ID.
These options may be used in combination with TOTP or Passkeys for a faster, compliant login experience.
Users currently using BINGO cards should migrate to FIDO2 or TOTP with biometrics enabled via the app’s My Settings screen.
Note: The TOTP feature is now generally available in the Windows version of JusticeConnect 3.
The iOS version is scheduled for release in the first quarter of 2026.
JusticeConnect also enforces CJIS Password Policy Requirements for all authentication methods.