Shamalee Deshpande|

Why 3 government agencies are relying on hardware-based MFA with YubiKeys

America’s government is under attack. To put it more accurately, its governments are under attack, all the time, at every level — federal, state, and local — from opportunistic scammers, sophisticated cybercriminals, and even state actors.

We’ve all seen the stories about intelligence services stealing political emails, snooping into election systems, and even penetrating the US power grid. But those are just the government cyber security breaches that make the front page. For every cyber attack the public hears about, there are undoubtedly thousands that go unnoticed — even by their victims. According to one recent study, attacks on state, local, territorial, and tribal governments rose 50% between 2017 and 2020. The authors suspect that those numbers actually understate the problem. 

The reality is, government agencies are in a bind. On the one hand, they want to increase access to public information and make their operations faster and more efficient (especially during the pandemic when citizen services are rapidly moving online). On the other, they need to secure remote workers, protect sensitive PII (personally identifiable information), and keep America’s critical infrastructure — including elections and democratic integrity — safe. And they have to do it all on tight budgets.

The cyber security measures government agencies have taken so far fall short. Passwords offer little protection and are easily forgotten. Simple multi-factor authentication (MFA) methods like SMS verification codes or secure mobile authentication apps can still be subject to phishing attacks. These options are better than nothing, but they’re not enough. Alternatively, smart cards offer strong authentication but are expensive and cumbersome to deploy (especially in the middle of a global pandemic!). 

With the stakes as high as they are, and funding what it is, it’s becoming clear that government agencies need to move to a more scalable and economical form of strong authentication, like the YubiKey. In fact, there are several 2021 state and local tech priorities where hardware MFA plays an important role: 

  • Infrastructure and process modernization 
  • Supporting and enabling hybrid workforce and work 
  • Enabling connectivity and access 
  • Securing the new edge

To help federal, state, and local agencies navigate many of these priority areas in 2021, we’ve partnered with Government Technology to publish a new paper that outlines the critical use cases for hardware security key-based MFA and real-world examples of three government agencies — City of Mission Viejo, Sacramento, and Washington State — who have successfully deployed YubiKeys to protect their critical systems. Topics include: 

Building a more secure remote work infrastructure

The shift to remote work has introduced a new distributed perimeter and exponentially more security vulnerabilities. Many IT leaders are having a difficult time re-establishing trust with the individuals accessing their systems. Hardware security key-based MFA can reduce the danger of man-in-the middle attacks and provide greater flexibility for remote government workers, eliminating costs associated with mobile device-based authentication.

Enhancing security for digital services  

More governments are providing digital services to constituents, a crucial part of ensuring business continuity during times of crisis. Government IT chiefs can streamline operations and strengthen security for both internal services, as well as external citizen-facing digital services, with hardware security key-based MFA that can be conveniently integrated into existing Identity and Access Management solutions. For example, modern FIDO2 and WebAuthn standards are the best-suited authentication methods for external customer-facing services.

Protecting critical election infrastructure

Top of mind currently, but essential for every election or referendum: how municipalities can adopt hardware-based MFA to secure voter registration databases, election management systems, e-poll books, and other election infrastructure using the strongest authentication possible to stop 100% of account takeovers. This is even more important when a large percentage of the users are temporary volunteers.

Government agencies have a special charge to protect the public, and many authentication methods aren’t up to the task. Around the world, government organizations including the British NCSC (National Cyber Security Centre) and European Union Agency For Cybersecurity (ENISA) are recommending the move to MFA solutions, of which hardware security key-based MFA is the strongest version.

The tools are available. The technology is here. And it’s easy enough for anyone to use.

To learn more, download the full Yubico white paper, “How State and Local Governments Are Combatting Account Takeovers.”