Authentication considerations for state and local governments

guoya/Getty Images

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Kimberly Biddings,
Vice President of Product, BIO-key International
 

Connecting state and local government leaders

By Kimberly Biddings

|

Multifactor authentication adds a layer of security to accessing accounts but agencies should know the differences between methods.

Digital transformation in state and local governments—well underway pre-pandemic—was turned up a notch during the past two years as agencies suddenly found themselves required to interact remotely with constituents, organizations and other government entities. In the 2021 survey of state CIOs by the National Association of State Chief Information Officers, one respondent was quoted saying the pandemic sparked “10 years’ worth of deployments in eight months.” 

It’s no surprise then that the NASCIO survey reports 83% of CIOs ranked adopting enterprise identity and access solutions (IAM) as their highest priority area for the next two years. With dozens of agencies handling highly sensitive information in settings that require collaboration and speed, state and local governments must work together to establish a baseline for securing and accessing data in a way that fosters trust.

Pitfalls and challenges

Fraud and cyberattacks are on the rise as threat actors attempt to infiltrate all levels of government and the nation’s critical infrastructure. Adversaries are accessing systems for many illicit purposes, including filing fraudulent claims, stealing citizen and employee data and executing ransomware attacks. The NASCIO survey reports 20% of states have seen an increase in cyber incidents since their workforce went remote. 

Closing the gaps and reducing cyber risk isn’t easy. There are roughly 145 million state and local government employees working across hundreds of different agencies—traditionally siloed from one another—now needing to connect efficiently and remotely. However, the NASCIO survey revealed that only 13% of states reported having adopted a full enterprisewide IAM solution, rendering many agencies still in need of implementing critical security controls, with multifactor authentication (MFA) as the top priority. 

How to identify a person

MFA solutions are based on multiple authentication methods, but not all of them are created equal. Passwords or security questions have been used by agencies since before the proliferation of the commercial internet; they are one of the least secure methods for authenticating a user as phishing exercises, keystroke tracking and plain old guesswork can crack a password and lead to a breach.

Other common methods rely upon one-time passwords (OTP) or physical devices. Mobile phones, USB security devices and hardware tokens can all be stolen, lost or handed over to another person. Given the volume of sensitive data handled by government agencies, it is critical that they implement the most secure MFA methods possible.

And this brings us to biometrics.

When used correctly, biometrics can’t be faked, lost or phished and are highly convenient for the user. Modern biometrics have measurements that confirm a living being, using liveness detection so that a face scan can’t be fooled with a picture, for example. There are different approaches to how biometric systems are established, namely device-based and identity-bound biometrics (IBB).

Device-based biometrics is the more popular of the two but not the most secure. A good example is Apple’s Touch ID, which allows users to authenticate on their device with their fingerprint rather than a passcode. In this method, the biometric data is stored on the phone, and any agency safeguarding information merely sees an authenticated device, not an authenticated user. But what if another person is able to enroll their fingerprint on that device? Because the biometric is stored locally, the agency leaves itself open to additional people enrolling themselves on the device and gaining access.

Beyond the security concerns present with device-based methods, there is a lack of convenience as well. With governments looking to streamline and modernize systems, adding another step to employees’ abilities to access important data adds friction. With a device-based method, employees must enroll their biometric measurements on each device they use for work. But with state employees traveling to multiple offices and accessing multiple devices, along with a focus on increased collaboration across agencies, device-based authentication doesn’t give agencies the flexibility and agility they need to grant and revoke access across devices and locations. 

The identity-bound biometrics approach

Identity-bound biometrics or IBB takes a dramatically different approach. By enrolling and storing the encrypted biometric data centrally, organizations have a biometric template that allows them to confirm the person rather than just the device. This option maintains the convenience of other biometric methods while allowing for greater security and flexibility on the organizational side. Once stored centrally, a biometric template can be compared across locations and devices. If an agency needs to authenticate a user in a new or remote office or on a new device, it can do so without putting the user through another enrollment process.

Citizen-facing applications must be considered as well. With an increase in fraudulent claims, government agencies must build trust with their constituents. Being able to access the right health care benefits or file taxes is vital for citizens. State and local governments must pay attention to the citizen experience as much as private industry emphasizes the customer journey. To do this right requires a secure and simple way for citizens to prove their identity. By simplifying the citizen experience in a secure way, the government has the opportunity to build trust in its citizen-facing applications and strengthen its relationship with its constituents.

Like many private industries, state and local governments have seen digital transformation accelerate in the last few years but those changes have come with growing pains. As governments look to establish cybersecurity programs and find the best MFA solutions, it is critical that they understand what exactly it is that they are authenticating and how to build citizen trust.

Kimberly Biddings is vice president of BIO-key International, Inc.

NEXT STORY: Software bill of materials is about more than compliance, expert says

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.