Passwords are hard to remember, harder still to change on a schedule, and most users struggle to come up with strong ones. Instead of rising to the challenge, many pick weak passwords and reuse them across accounts, which makes it easy for criminals to guess credentials, harvest them through phishing, or replay a password stolen from one site against another.
Once collected, credentials are sold on the dark web, and the original attacker and many others can then use them to get into personal and business systems and data.
Two-factor authentication (2FA) and multi-factor authentication (MFA) are the accepted way to make a stolen credential far less useful. 2FA combines something you know (a password) with either something you have (a cell phone or computer, key card or USB security key) or something you are (an iris or fingerprint scan), so that only authorized people can reach sensitive systems and information.
MFA is the general term for two or more factors and can involve all three. With MFA, a stolen username and password are not enough on their own: the attacker must also get past the additional authentication step. How hard that is depends on the method chosen, as the sections below show.
When MFA and mobile devices don’t mix
Common MFA implementations lean on the user's mobile device: the SMS message, one-time password or push notification usually goes to a smartphone. But many state and local government employees and contractors cannot use a mobile device for MFA, because of poor cell coverage in their area, union rules or compliance obligations. Others are reluctant to use a personal phone for work, or to let administrators enroll and manage it.
There are also risks in using SMS, one-time passwords or push notifications as a factor. SMS can be redirected through SIM swapping, a one-time code can be relayed in real time by a phishing site that proxies the login, and a push prompt can be approved by a user who is tired of being prompted. Implemented badly, or used as the only second factor, these methods add less protection than they appear to. NIST's Digital Identity Guidelines (SP 800-63B) accordingly treat SMS-based authentication as a restricted authenticator, to be offered only alongside stronger alternatives rather than relied on alone.
Protection beyond mobile MFA
To close these gaps and bring every user under MFA, state and local agencies can turn to hardware security keys. A security key is a small physical device, usually USB, that holds a private key and answers a cryptographic challenge from the website only when it is plugged in and touched. Because that answer is bound to the site's real domain, a look-alike phishing site cannot reuse it, and an attacker who has only the password still cannot log in. And none of it depends on a phone.
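To see why a security key resists phishing, here is an added example, written for this article and not code from Login.gov, any FIDO project or any key vendor, that models the core of a FIDO2/WebAuthn login in Go. The authenticator keeps one key pair per relying-party ID; the browser, not the web page, records the origin it is really talking to inside the signed client data; and the server checks origin, relying-party ID and challenge before it checks the signature. The relying-party ID `login.gov`, the origin `https://secure.login.gov`, the phishing origin `https://login-gov.example` and all type and function names are assumptions made for the example; the real protocol carries CBOR-encoded structures, flags and signature counters that are omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models a FIDO security key: one key pair per rpId; the private key never leaves it.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to rpId and returns the public key the server stores.
func (a *Authenticator) Register(rpId string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpId] = priv
	return &priv.PublicKey, nil
}

// clientData is built by the browser, not the page: Origin is the real site, and all of it is signed.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the server receives; AuthData is reduced here to SHA-256(rpId).
type Assertion struct {
	ClientDataJSON, AuthData, Signature []byte
}

// signedMessage follows the WebAuthn rule: the signature covers authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign is the browser-plus-authenticator side of a login. A real browser derives rpId
// from its own origin, so a page at login-gov.example can only ask for "login-gov.example".
func (a *Authenticator) Sign(origin, rpId, challenge string) (*Assertion, error) {
	priv, ok := a.creds[rpId]
	if !ok {
		return nil, errors.New("no credential registered for rpId " + rpId)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIdHash := sha256.Sum256([]byte(rpId))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpIdHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: rpIdHash[:], Signature: sig}, nil
}

// Verify is the relying-party side: type, challenge, origin and rpId are checked against
// what this server expects, and the signature binds them so a relay cannot alter any of them.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, rpId, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected ceremony type " + cd.Type)
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was produced at " + cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpId)); !bytes.Equal(as.AuthData, want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key := NewAuthenticator()
	pub, _ := key.Register("login.gov")
	challenge := "assumed-random-challenge" // a real server draws a fresh one per login
	genuine, _ := key.Sign("https://secure.login.gov", "login.gov", challenge)
	fmt.Println("genuine login:", Verify(pub, "https://secure.login.gov", "login.gov", challenge, genuine))
	_, err := key.Sign("https://login-gov.example", "login-gov.example", challenge)
	fmt.Println("phishing page:", err) // browser scoped the request to the phishing domain
	relayed, _ := key.Sign("https://login-gov.example", "login.gov", challenge) // rpId check bypassed
	fmt.Println("relayed assertion:", Verify(pub, "https://secure.login.gov", "login.gov", challenge, relayed))
}
```

The three scenarios in `main` are the layers that make the key phishing resistant: the phishing page cannot even ask for the real site's credential, an assertion produced on the phishing origin names that origin in signed data and is refused, and an old assertion fails the challenge check, so nothing an attacker collects from the user is reusable against the real site.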
Another option is Login.gov, the General Services Administration's cloud-based sign-in and identity verification service. When it launched in 2017 it served only federal agencies, but it is now open to a range of federally funded state and local government programs. Login.gov provides strong authentication for public access to participating programs, with MFA available from desktop computers as well as mobile devices. A user creates a Login.gov account, sets a strong password, and then selects one or more additional authentication methods: security keys, authenticator apps, biometrics, or personal identity verification (PIV) or common access cards (CAC).
How Login.gov Handles Authentication
Some Login.gov authentication options do not require a mobile device:
Security keys: These physical devices give the strongest protection against phishing, and a lost or stolen key is of little use on its own because the password is still required (the lost key should still be removed from the account, which is one reason to register a second key). To work with Login.gov, a key must meet the Fast Identity Online (FIDO) standards, which Login.gov uses through the browser's WebAuthn interface. YubiKeys are a common example; they support several protocols and work with a wide range of online services.
Authenticator apps: Installed on a computer, these apps generate six-digit time-based codes from a secret shared at enrollment, and the user types the current code in alongside the password. This is stronger than phone calls or text messages, which can be redirected or intercepted, but it is not phishing resistant: a code stays valid for a short window, and an attacker who tricks the user into typing it on a fake page can use it within that window. Examples of desktop authenticator apps include 1Password and OTP Manager for Windows and Mac, and the Authenticator extension for Chrome.
Biometric authentication: Face or fingerprint login to a Login.gov account (a built-in reader or camera, used through the browser) is phishing resistant because the device answers a cryptographic challenge the same way a security key does, but it has limitations. It works only on devices that support it, and the credential is tied to that specific device and browser, so it must be set up on each one. Users whose computers lack a built-in reader or biometric camera will need to buy and install one.
PIV or CAC: Personal Identity Verification and Common Access Cards are secure options for federal government employees and military personnel. They are phishing resistant, and a stolen card is of little use by itself because the private key stays on the card's chip and the card requires a PIN. These cards are not available to everyone, however.
Backup codes: As a last resort, Login.gov can generate a list of backup codes, each usable exactly once. This is the least secure MFA option: the codes must be printed or written down, which makes them as vulnerable as a password on a sticky note, and anyone who obtains an unused code can log in with it. Users who rely on backup codes should keep them locked away and generate a fresh list if the old one may have been exposed.
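The six-digit codes produced by the authenticator apps described above are time-based one-time passwords (TOTP, RFC 6238). The following Go example is added here for illustration and is not code from Login.gov or any of the apps named; it decodes a base32 seed the way an app does when it scans the enrollment QR code, computes the code for a given time, verifies it on the server side with a one-step tolerance for clock drift, and shows why a code handed to a phishing page is still good for the rest of its 30-second step. The seed used is the published RFC 6238 test secret, so the printed codes can be checked against the RFC; the function names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
)

const step = 30 // seconds per code; the default for apps used with Login.gov

// decodeSeed converts the base32 seed carried in the enrollment QR code
// (an otpauth:// URI) into the raw HMAC key the app stores.
func decodeSeed(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// totp computes the six-digit RFC 6238 code (HMAC-SHA1) for a Unix timestamp.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226): the low nibble of the last byte picks a 4-byte
	// window, the top bit is cleared, and the result is reduced modulo 10^6.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP is the server-side check: accept the current step or one step either
// side to tolerate clock drift, and compare in constant time.
func verifyTOTP(secret []byte, unixTime int64, code string) bool {
	for _, skew := range []int64{-step, 0, step} {
		if subtle.ConstantTimeCompare([]byte(totp(secret, unixTime+skew)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret "12345678901234567890", base32-encoded as in a QR code.
	secret, err := decodeSeed("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	for _, t := range []int64{59, 1111111109, 1234567890, 2000000000} {
		fmt.Printf("T=%d code=%s\n", t, totp(secret, t))
	}
	// The phishing window: a code captured at T=31 is still valid at T=59 (same step),
	// so a proxy that relays it immediately logs in as the user.
	fmt.Println("relay within step works:", verifyTOTP(secret, 59, totp(secret, 31)))
}
```

Two things to take from the code: the server holds the same secret as the app, so a breach of the server's TOTP seeds compromises every user's second factor (unlike a security key, whose private key the server never sees), and nothing in the code ties the value to the site it was typed into, which is exactly the property a security key adds.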
MFA that relies on a mobile device is convenient, but equally strong alternatives are needed. Login.gov offers several, extending strong authentication to people who cannot or would rather not use a mobile device.