
Pennsylvania rolls out risk-based authentication to agencies

To bring enterprisewide security to all its agencies, leaders in Pennsylvania's Office of Administration deployed a risk-based multifactor authentication (RBMFA) system for identity management.

To access cloud-based email or Office 365, commonwealth employees working remotely may be required to provide additional information in the form of a PIN sent via text or email.  The decision to require multifactor authentication is based on various factors including the sensitivity of the data or application, the geographical location of the request, the nature of the device being used and the number of times that user has sought access in a given time period.
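A minimal sketch of how a step-up decision could combine the four factors named above, added here as an illustration and not taken from the commonwealth's or CA Technologies' implementation. The weights, thresholds, sensitivity labels and all class and field names are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed weights and thresholds; the article does not publish the real policy.
SENSITIVITY = {"public": 0, "internal": 1, "regulated": 3}
STEP_UP_AT = 3            # score at or above which a PIN challenge is required
WINDOW_S = 600            # look-back window for counting access requests
MAX_IN_WINDOW = 5         # requests per window before velocity counts as risk

@dataclass(frozen=True)
class AccessRequest:
    user: str
    sensitivity: str      # label of the data or application requested
    on_network: bool      # request originates on the commonwealth network
    country: str          # coarse geolocation of the source address
    known_device: bool    # device was seen at preregistration
    ts: float             # request time, seconds

class RiskEngine:
    def __init__(self, home_country="US"):
        self.home_country = home_country
        self._seen = defaultdict(deque)   # user -> timestamps inside the window

    def _velocity(self, user, now):
        q = self._seen[user]
        q.append(now)
        while now - q[0] > WINDOW_S:      # drop requests older than the window
            q.popleft()
        return len(q)

    def evaluate(self, r):
        """Return (decision, score, reasons); decision is 'allow' or 'step_up'."""
        # Unknown labels are scored as the most sensitive class (fail closed).
        score = SENSITIVITY.get(r.sensitivity, max(SENSITIVITY.values()))
        reasons = ["sensitive_resource"] if score else []
        signals = [
            (not r.on_network, 1, "remote"),
            (r.country != self.home_country, 2, "unusual_location"),
            (not r.known_device, 2, "unknown_device"),
            (self._velocity(r.user, r.ts) > MAX_IN_WINDOW, 3, "high_velocity"),
        ]
        for hit, weight, name in signals:
            if hit:
                score += weight
                reasons.append(name)
        return ("step_up" if score >= STEP_UP_AT else "allow", score, reasons)
```

Returning the reasons alongside the decision gives help desk staff and log reviewers the signal that triggered each challenge.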

Adding RBMFA to agency systems began with a pilot at Pennsylvania's Department of Human Services in 2015. Once the technology proved itself at the large agency, the state began rolling it out to other agencies starting in June 2016. The project won both agencies a 2017 State IT Recognition Award from the National Association of State CIOs.

“When we started moving our services into the cloud, it became more important to reduce the risk of third parties getting access to our data or information,” Chief Information Security Officer Erik Avakian told GCN.  “RBMFA provides safeguards to our data because our employees have to go through a second process to get access even if they have credentials.”

The RBMFA service is designed to protect sensitive information by addressing a variety of agency data security needs such as compliance with the Criminal Justice Information Services rules for law enforcement and IRS policies related to tax data. Avakian said it was a struggle to meet the different business requirements of the agencies.

“We went in the direction of taking a risk-based approach because of all the different scenarios that need to be met,” Avakian said.  “Most of the regulations to move to the cloud require MFA, so it made sense to work together to reach a common solution that could meet everyone’s needs.”

The RBMFA service has gradually been deployed at most state agencies for email and basic office functions over the past two years; the measured rollout gave the Office of Administration time to respond to users' issues and problems. Additionally, help desk employees at each agency have been trained to guide users through the login process.

The state worked with Deloitte to implement the RBMFA service from CA Technologies. For Deloitte’s Srini Subramanian, principal at Deloitte’s Cyber Risk Services practice, one of the pain points in the deployment process was identifying an MFA implementation that users would not find cumbersome.

To access RBMFA-protected systems, users preregister from a work-issued device located on the commonwealth's network. During this process, workers are authenticated against the enterprise Active Directory and prompted to set up their challenge/response questions and PIN.

“Users have the ability to choose a preferred MFA method in their risk evaluation, which helped with the user experience aspect of implementation,” Subramanian told GCN. 

Besides improving security of agency applications and increasing efficiency, the solution has raised service levels and cut costs.  There are plans in the works to adapt the solution to citizen-facing applications so Pennsylvanians can access tax information or state health records through a single sign-on.

“We want to have the tools and services available to meet the customer needs in relation to transactions where you need an extra layer of protection and security,” Avakian said.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at [email protected] or follow her on Twitter @SaraEFriedman.
