Why 3 government agencies are relying on hardware-based MFA with YubiKeys

January 12, 2021 4 minute read

America’s government is under attack. To put it more accurately, its governments are under attack, all the time, at every level — federal, state, and local — from opportunistic scammers, sophisticated cybercriminals, and even state actors.

We’ve all seen the stories about intelligence services stealing political emailssnooping into election systems, and even penetrating the US power grid. But those are just the government cyber security breaches that make the front page. For every cyber attack the public hears about, there are undoubtedly thousands that go unnoticed — even by their victims. According to one recent study, attacks on state, local, territorial, and tribal governments rose 50% between 2017 and 2020. The authors suspect that those numbers actually understate the problem. 

The reality is, government agencies are in a bind. On the one hand, they want to increase access to public information and make their operations faster and more efficient (especially during the pandemic when citizen services are rapidly moving online). On the other, they need to secure remote workers, protect sensitive PII (personally identifiable information), and keep America’s critical infrastructure — including elections and democratic integrity — safe. And they have to do it all on tight budgets.

The cyber security measures government agencies have taken so far fall short. Passwords offer little protection and are easily forgotten. Simple multi-factor authentication (MFA) methods like SMS verification codes or secure mobile authentication apps can still be subject to phishing attacks. These options are better than nothing, but they’re not enough. Alternatively, smart cards offer strong authentication but are expensive and cumbersome to deploy (especially in the middle of a global pandemic!). 

With the stakes as high as they are, and funding what it is, it’s becoming clear that government agencies need to move to a more scalable and economical form of strong authentication, like the YubiKey. In fact, there are several 2021 state and local tech priorities where hardware MFA plays an important role: 

  • Infrastructure and process modernization 
  • Supporting and enabling hybrid workforce and work 
  • Enabling connectivity and access 
  • Securing the new edge

To help federal, state, and local agencies navigate many of these priority areas in 2021, we’ve partnered with Government Technology to publish a new paper that outlines the critical use cases for hardware security key-based MFA and real-world examples of three government agencies — City of Mission Viejo, Sacramento, and Washington State — who have successfully deployed YubiKeys to protect their critical systems. Topics include: 

Building a more secure remote work infrastructure

The shift to remote work has introduced a new distributed perimeter and exponentially more security vulnerabilities. Many IT leaders are having a difficult time re-establishing trust with the individuals accessing their systems. Hardware security key-based MFA can reduce the danger of man-in-the middle attacks and provide greater flexibility for remote government workers, eliminating costs associated with mobile device-based authentication.

Enhancing security for digital services  

More governments are providing digital services to constituents, a crucial part of ensuring business continuity during times of crisis. Government IT chiefs can streamline operations and strengthen security for both internal services, as well as external citizen-facing digital services, with hardware security key-based MFA that can be conveniently integrated into existing Identity and Access Management solutions. For example, modern FIDO2 and WebAuthn standards are the best-suited authentication methods for external customer-facing services.

Protecting critical election infrastructure

Top of mind currently, but essential for every election or referendum: how municipalities can adopt hardware-based MFA to secure voter registration databases, election management systems, e-poll books, and other election infrastructure using the strongest authentication possible to stop 100% of account takeovers. This is even more important when a large percentage of the users are temporary volunteers.

Government agencies have a special charge to protect the public, and many authentication methods aren’t up to the task. Around the world, government organizations including the British NCSC (National Cyber Security Centre) and European Union Agency For Cybersecurity (ENISA) are recommending the move to MFA solutions, of which hardware security key-based MFA is the strongest version.

The tools are available. The technology is here. And it’s easy enough for anyone to use.

To learn more, download the full Yubico white paper, “How State and Local Governments Are Combatting Account Takeovers.” 

Share this article:

Recommended content


Zero Trust is the new regulatory minimum for Federal agencies: what does that mean for authentication?

The deadline is looming for federal agencies to implement impersonation-resistant multi-factor authentication (MFA), just one of the new stronger security requirements under President Biden’s new cybersecurity executive order (EO 14028). The EO puts security front and center to address some of the worst cyber attacks against the federal government, setting up new federal compliance expectations ...


Modern MFA for the Federal Government: How the YubiKey Meets U.S. Federal Government Requirements

Learn how the YubiKey, a DOD approved alternate authenticator meets federal PIV/CAC requirements and government compliance regulations.


Everything you need to know about the revised eIDAS regulation

In June 2021, the EU Commission announced its plans for a revised eIDAS regulation. eIDAS (electronic IDentification, Authentication and trust Services) is the EU regulation 910/2014 on electronic identification and trust services in the EU. It came into force in 2014, so the revision is a major update to eIDAS. The past two years the ...


Modern Authentication for the Federal Government: Enabling Mobile, Secure Authentication in Zero Trust Environments

Learn how DOD approved hardware security keys such as the YubiKey are ideal to fill PIV and CAC related authentication gaps across the federal government, and meet the MFA mandate in the Biden Executive Order 14028.