Authentication considerations for state and local governments
Multifactor authentication adds a layer of security to accessing accounts but agencies should know the differences between methods.
Digital transformation in state and local governments—well underway pre-pandemic—was turned up a notch during the past two years as agencies suddenly found themselves required to interact remotely with constituents, organizations and other government entities. In the 2021 survey of state CIOs by the National Association of State Chief Information Officers, one respondent was quoted saying the pandemic sparked “10 years’ worth of deployments in eight months.”
It’s no surprise then that the NASCIO survey reports 83% of CIOs ranked adopting enterprise identity and access solutions (IAM) as their highest priority area for the next two years. With dozens of agencies handling highly sensitive information in settings that require collaboration and speed, state and local governments must work together to establish a baseline for securing and accessing data in a way that fosters trust.
Pitfalls and challenges
Fraud and cyberattacks are on the rise as threat actors attempt to infiltrate all levels of government and the nation’s critical infrastructure. Adversaries are accessing systems for many illicit purposes, including filing fraudulent claims, stealing citizen and employee data and executing ransomware attacks. The NASCIO survey reports 20% of states have seen an increase in cyber incidents since their workforce went remote.
Closing the gaps and reducing cyber risk isn’t easy. There are roughly 145 million state and local government employees working across hundreds of different agencies—traditionally siloed from one another—now needing to connect efficiently and remotely. However, the NASCIO survey revealed that only 13% of states reported having adopted a full enterprisewide IAM solution, rendering many agencies still in need of implementing critical security controls, with multifactor authentication (MFA) as the top priority.
How to identify a person
MFA solutions are based on multiple authentication methods, but not all of them are created equal. Passwords or security questions have been used by agencies since before the proliferation of the commercial internet; they are one of the least secure methods for authenticating a user as phishing exercises, keystroke tracking and plain old guesswork can crack a password and lead to a breach.
Other common methods rely upon one-time passwords (OTP) or physical devices. Mobile phones, USB security devices and hardware tokens can all be stolen, lost or handed over to another person. Given the volume of sensitive data handled by government agencies, it is critical that they implement the most secure MFA methods possible.
And this brings us to biometrics.
When used correctly, biometrics can’t be faked, lost or phished and are highly convenient for the user. Modern biometrics have measurements that confirm a living being, using liveness detection so that a face scan can’t be fooled with a picture, for example. There are different approaches to how biometric systems are established, namely device-based and identity-bound biometrics (IBB).
Device-based biometrics is the more popular of the two but not the most secure. A good example is Apple’s Touch ID, which allows users to authenticate on their device with their fingerprint rather than a passcode. In this method, the biometric data is stored on the phone, and any agency safeguarding information merely sees an authenticated device, not an authenticated user. But what if another person is able to enroll their fingerprint on that device? Because the biometric is stored locally, the agency leaves itself open to additional people enrolling themselves on the device and gaining access.
Beyond the security concerns present with device-based methods, there is a lack of convenience as well. With governments looking to streamline and modernize systems, adding another step to employees’ abilities to access important data adds friction. With a device-based method, employees must enroll their biometric measurements on each device they use for work. But with state employees traveling to multiple offices and accessing multiple devices, along with a focus on increased collaboration across agencies, device-based authentication doesn’t give agencies the flexibility and agility they need to grant and revoke access across devices and locations.
The identity-bound biometrics approach
Identity-bound biometrics or IBB takes a dramatically different approach. By enrolling and storing the encrypted biometric data centrally, organizations have a biometric template that allows them to confirm the person rather than just the device. This option maintains the convenience of other biometric methods while allowing for greater security and flexibility on the organizational side. Once stored centrally, a biometric template can be compared across locations and devices. If an agency needs to authenticate a user in a new or remote office or on a new device, it can do so without putting the user through another enrollment process.
Citizen-facing applications must be considered as well. With an increase in fraudulent claims, government agencies must build trust with their constituents. Being able to access the right health care benefits or file taxes is vital for citizens. State and local governments must pay attention to the citizen experience as much as private industry emphasizes the customer journey. To do this right requires a secure and simple way for citizens to prove their identity. By simplifying the citizen experience in a secure way, the government has the opportunity to build trust in its citizen-facing applications and strengthen its relationship with its constituents.
Like many private industries, state and local governments have seen digital transformation accelerate in the last few years but those changes have come with growing pains. As governments look to establish cybersecurity programs and find the best MFA solutions, it is critical that they understand what exactly it is that they are authenticating and how to build citizen trust.
Kimberly Biddings is vice president of BIO-key International, Inc.