Why 3 government agencies are relying on hardware-based MFA with YubiKeys

January 12, 2021 4 minute read

America’s government is under attack. To put it more accurately, its governments are under attack, all the time, at every level — federal, state, and local — from opportunistic scammers, sophisticated cybercriminals, and even state actors.

We’ve all seen the stories about intelligence services stealing political emailssnooping into election systems, and even penetrating the US power grid. But those are just the government cyber security breaches that make the front page. For every cyber attack the public hears about, there are undoubtedly thousands that go unnoticed — even by their victims. According to one recent study, attacks on state, local, territorial, and tribal governments rose 50% between 2017 and 2020. The authors suspect that those numbers actually understate the problem. 

The reality is, government agencies are in a bind. On the one hand, they want to increase access to public information and make their operations faster and more efficient (especially during the pandemic when citizen services are rapidly moving online). On the other, they need to secure remote workers, protect sensitive PII (personally identifiable information), and keep America’s critical infrastructure — including elections and democratic integrity — safe. And they have to do it all on tight budgets.

The cyber security measures government agencies have taken so far fall short. Passwords offer little protection and are easily forgotten. Simple multi-factor authentication (MFA) methods like SMS verification codes or secure mobile authentication apps can still be subject to phishing attacks. These options are better than nothing, but they’re not enough. Alternatively, smart cards offer strong authentication but are expensive and cumbersome to deploy (especially in the middle of a global pandemic!). 

With the stakes as high as they are, and funding what it is, it’s becoming clear that government agencies need to move to a more scalable and economical form of strong authentication, like the YubiKey. In fact, there are several 2021 state and local tech priorities where hardware MFA plays an important role: 

  • Infrastructure and process modernization 
  • Supporting and enabling hybrid workforce and work 
  • Enabling connectivity and access 
  • Securing the new edge

To help federal, state, and local agencies navigate many of these priority areas in 2021, we’ve partnered with Government Technology to publish a new paper that outlines the critical use cases for hardware security key-based MFA and real-world examples of three government agencies — City of Mission Viejo, Sacramento, and Washington State — who have successfully deployed YubiKeys to protect their critical systems. Topics include: 

Building a more secure remote work infrastructure

The shift to remote work has introduced a new distributed perimeter and exponentially more security vulnerabilities. Many IT leaders are having a difficult time re-establishing trust with the individuals accessing their systems. Hardware security key-based MFA can reduce the danger of man-in-the middle attacks and provide greater flexibility for remote government workers, eliminating costs associated with mobile device-based authentication.

Enhancing security for digital services  

More governments are providing digital services to constituents, a crucial part of ensuring business continuity during times of crisis. Government IT chiefs can streamline operations and strengthen security for both internal services, as well as external citizen-facing digital services, with hardware security key-based MFA that can be conveniently integrated into existing Identity and Access Management solutions. For example, modern FIDO2 and WebAuthn standards are the best-suited authentication methods for external customer-facing services.

Protecting critical election infrastructure

Top of mind currently, but essential for every election or referendum: how municipalities can adopt hardware-based MFA to secure voter registration databases, election management systems, e-poll books, and other election infrastructure using the strongest authentication possible to stop 100% of account takeovers. This is even more important when a large percentage of the users are temporary volunteers.

Government agencies have a special charge to protect the public, and many authentication methods aren’t up to the task. Around the world, government organizations including the British NCSC (National Cyber Security Centre) and European Union Agency For Cybersecurity (ENISA) are recommending the move to MFA solutions, of which hardware security key-based MFA is the strongest version.

The tools are available. The technology is here. And it’s easy enough for anyone to use.

To learn more, download the full Yubico white paper, “How State and Local Governments Are Combatting Account Takeovers.” 

Share this article:

Recommended content

New-Era Authentication: For Federal Zero Trust Initiative

Read the SNG Fedscoop Report on new era authentication and how it aligns with the new White House Executive Order on protecting the nation's cybersecurity.

Entrust to add support for YubiKeys with PIV alternative and PIV derived credentials, advancing secure mobile and desktop authentication

Today marks an important day for expanding Yubico’s reach to support the growing requirement for Government agencies to issue government credentials beyond Personal Identity Verification (PIV) cards. We are celebrating that our partner Entrust will soon launch support for derived PIV credentials for YubiKeys. Customers will be able to take advantage of YubiKeys with derived ...

Yubico and ID.me provide remote identity proofing, YubiKey delivery, and strong authentication for NY Air National Guard (and see our joint presentation at Identiverse)

The pandemic has forced a digital transformation of how and where employees work at an accelerated rate, driving remote work scenarios for tens of thousands of state and federal personnel. These accelerated work scenarios require users to be strongly verified and authenticated. A strong binding between the remote identity proofing process and the authenticator is ...

State of Alert: Multi-factor authentication and the future of data

Read this report to learn why multi-factor authentication is critical for state and local government agencies, the consequences of not strengthening authentication, and how to bridge to a passwordless future