State agencies urged to move beyond login credentials to counter cyber risks

State and local government IT officials wanting to better secure government resources, including their election systems, need to look beyond user IDs and passwords and begin embracing multi-factor authentication, say security experts in a new report.

Two-factor authentication (2FA) or multi-factor authentication (MFA) provide greater safeguards against ransomware and the risk of security breaches — and can lower IT operations costs, according to the report from StateScoop.

Read the full report.

An enterprisewide security solution, for instance, can help agencies readily integrate identity and access management services with existing applications, without a heavy investment in setup and configuration.

“A lot of agencies are not using 2FA [or MFA], and that is the lowest-hanging fruit that they can [use] in terms of their cybersecurity,” says Sean Frazier, advisory CISO, public sector at Duo Security, which underwrote the report.

An MFA solution ultimately gives state and local agencies better assurance that only trusted users and trusted devices can access protected applications.

While poor user experience has been a barrier to adopting 2FA and MFA in the past, the increased adoption of smartphones has helped break this barrier down by allowing enterprises to execute push notifications for identity verification via applications, according to the report.

However, state and local agencies serve a diverse population of users who may not have access to smartphones and therefore may not be able to authenticate in the same way.

Duo Security’s platform helps address these challenges by providing multiple options on how users can authenticate, such as using hardware tokens, SMS passcodes, bypass codes or biometrics, says Bart Green, vice president for Duo Security’s state, local and education markets.

There are a variety of MFA solutions in the market, he says in the report, but suggests state and local IT leaders look for a single solution that is able to authenticate identity with the same user experience independent of what application users are trying to access.

“Duo is not only solving the issue of providing a single MFA solution, but we are solving it consistently across the entire organization, with multiple easy ways to authenticate so you can get high adoption rates,” Green explains.

Additionally, a solution like Duo MFA gives IT leaders the ability to fully manage user and device access controls.

Dean Scontras, vice president, U.S. public sector for Duo Security, adds that a Duo’s user-centered design makes it easy for anyone in IT to roll it out. He says that by “democratizing security,” agencies will reduce IT costs by lowering the volume of help desk tickets due to password resets and by requiring minimal administrative resources for IT management.

“State and local governments, which are still largely using username and password security measures, are most at risk to attack,” stresses Scontras.

The report recommends that agency CIOs and CISOs continue to lay the foundations of security modernization by:

• Investing where there are knowledge gaps about who, or what, is on their network and/or where potential vulnerabilities exist.
• Prioritizing strategies and investments to reduce, if not eliminate, those gaps.
• Identify which systems and processes require continuous monitoring and access controls and the means to establish more stringent access controls.

Read more about solutions that strengthen identity and access management controls.

This article was produced by StateScoop and sponsored by Duo Security.